Author: markt Date: Thu Oct 18 16:13:55 2007 New Revision: 586168 URL: http://svn.apache.org/viewvc?rev=586168&view=rev Log: Apply fix for webdav info disclosure
Modified: tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java tomcat/container/tc5.5.x/webapps/docs/changelog.xml tomcat/current/tc5.5.x/STATUS
Modified: tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java
URL: http://svn.apache.org/viewvc/tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java?rev=586168&r1=586167&r2=586168&view=diff
==============================================================================
--- tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java (original)
+++ tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java Thu Oct 18 16:13:55 2007
@@ -252,6 +252,7 @@
try {
documentBuilderFactory = DocumentBuilderFactory.newInstance();
documentBuilderFactory.setNamespaceAware(true);
+ documentBuilderFactory.setExpandEntityReferences(false);
documentBuilder = documentBuilderFactory.newDocumentBuilder();
} catch(ParserConfigurationException e) {
throw new ServletException
Modified: tomcat/container/tc5.5.x/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/container/tc5.5.x/webapps/docs/changelog.xml?rev=586168&r1=586167&r2=586168&view=diff
==============================================================================
--- tomcat/container/tc5.5.x/webapps/docs/changelog.xml (original)
+++ tomcat/container/tc5.5.x/webapps/docs/changelog.xml Thu Oct 18 16:13:55 2007
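Review bot: The added `documentBuilderFactory.setExpandEntityReferences(false);` may not by itself keep the parser from reading external entities named in a request body. That JAXP setting governs whether entity-reference nodes are expanded in the resulting DOM tree; whether a DOCTYPE's external subset and external entities are still fetched depends on the parser implementation, which this hunk does not show. I would also install a resolver on the builder right after `newDocumentBuilder()`, i.e. `documentBuilder.setEntityResolver(...)` with an `EntityResolver` whose `resolveEntity` returns `new InputSource(new StringReader(""))`, and add a comment such as `// WebDAV request bodies are untrusted: never resolve external entities`. The `try` block starts before this hunk and the `throw` statement continues past it, so how the builder is later used cannot be checked here.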
@@ -68,6 +68,14 @@
</add>
</changelog>
</subsection>
+ <subsection name="Webapps" >
+ <changelog>
+ <fix>
+ Fix CVE-2007-5461, an important information disclosure vulnerability in
+ the WebDAV Servlet. (markt)
+ </fix>
+ </changelog>
+ </subsection>
</section>
<section name="Tomcat 5.5.25 (fhanik)">
Modified: tomcat/current/tc5.5.x/STATUS
URL: http://svn.apache.org/viewvc/tomcat/current/tc5.5.x/STATUS?rev=586168&r1=586167&r2=586168&view=diff
==============================================================================
--- tomcat/current/tc5.5.x/STATUS (original)
+++ tomcat/current/tc5.5.x/STATUS Thu Oct 18 16:13:55 2007
@@ -39,8 +39,3 @@ http://issues.apache.org/bugzilla/show_bug.cgi?id=43621 +1: billbarker, yoavs, fhanik -1: - -* Backport fix for important vulnerability when webdav is enabled for write - Patch: http://marc.info/?l=tomcat-dev&m=119245116910632&w=2 - +1: markt, yoavs, fhanik - -1:
\ No newline at end of file
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]