Author: markt Date: Sun Jan 6 04:00:31 2008 New Revision: 609297 URL: http://svn.apache.org/viewvc?rev=609297&view=rev Log: Improve fix for CVE-2007-5461.
Modified:
    tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/servlets/LocalStrings.properties
    tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java
    tomcat/current/tc5.5.x/STATUS.txt

Modified: tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/servlets/LocalStrings.properties
URL: http://svn.apache.org/viewvc/tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/servlets/LocalStrings.properties?rev=609297&r1=609296&r2=609297&view=diff
==============================================================================
--- tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/servlets/LocalStrings.properties (original)
+++ tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/servlets/LocalStrings.properties Sun Jan 6 04:00:31 2008
@@ -25,6 +25,7 @@
 invokerServlet.notNamed=Cannot call invoker servlet with a named dispatcher
 invokerServlet.noWrapper=Container has not called setWrapper() for this servlet
 webdavservlet.jaxpfailed=JAXP initialization failed
+webdavservlet.externalEntityIgnored=The request included a reference to an external entity with PublicID {0} and SystemID {1} which was ignored
 directory.filename=Filename
 directory.lastModified=Last Modified
 directory.parent=Up To {0}

Modified: tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java
URL: http://svn.apache.org/viewvc/tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java?rev=609297&r1=609296&r2=609297&view=diff
==============================================================================
--- tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java (original)
+++ tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java Sun Jan 6 04:00:31 2008
@@ -20,6 +20,7 @@
 import java.io.IOException;
+import java.io.StringReader;
 import java.io.StringWriter;
 import java.io.Writer;
 import java.security.MessageDigest;
@@ -40,6 +41,7 @@
 import javax.naming.NamingEnumeration;
 import javax.naming.NamingException;
 import javax.naming.directory.DirContext;
+import javax.servlet.ServletContext;
 import javax.servlet.ServletException;
 import javax.servlet.UnavailableException;
 import javax.servlet.http.HttpServletRequest;
@@ -61,6 +63,7 @@
 import org.w3c.dom.Element;
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
+import org.xml.sax.EntityResolver;
 import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;
@@ -254,6 +257,8 @@
             documentBuilderFactory.setNamespaceAware(true);
             documentBuilderFactory.setExpandEntityReferences(false);
             documentBuilder = documentBuilderFactory.newDocumentBuilder();
+            documentBuilder.setEntityResolver(
+                new WebdavResolver(this.getServletContext()));
         } catch(ParserConfigurationException e) {
             throw new ServletException
                 (sm.getString("webdavservlet.jaxpfailed"));
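Review bot: Installing the entity resolver only intercepts loads of external DTDs and external entities; it does not stop entity expansion declared in an internal DTD subset (the recursive "billion laughs" pattern), since `setExpandEntityReferences(false)` controls how the DOM is shaped rather than whether the parser expands entities. If the JAXP implementation in use supports `DocumentBuilderFactory.setFeature` (JAXP 1.3 / Java 5), the stronger fix is to reject any DOCTYPE in a WebDAV request body, `documentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);`, keeping the resolver as a fallback for parsers that ignore the feature; `setFeature` throws `ParserConfigurationException`, which the existing catch already maps to `webdavservlet.jaxpfailed`. The enclosing method starts and ends outside the hunk, so whether such a feature is already set elsewhere is not visible here; a short comment on the `setEntityResolver` line saying which parsers were observed to ignore `setExpandEntityReferences(false)` would help the next reader judge whether the workaround is still needed.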
@@ -2769,7 +2774,26 @@
     }
-
+    // --------------------------------------------- WebdavResolver Inner Class
+    /**
+     * Work around for XML parsers that don't fully respect
+     * [EMAIL PROTECTED] DocumentBuilderFactory#setExpandEntityReferences(false)}. External
+     * references are filtered out for security reasons. See CVE-2007-5461.
+     */
+    private class WebdavResolver implements EntityResolver {
+        private ServletContext context;
+
+        public WebdavResolver(ServletContext theContext) {
+            context = theContext;
+        }
+
+        public InputSource resolveEntity (String publicId, String systemId) {
+            context.log(sm.getString("webdavservlet.externalEntityIgnored",
+                    publicId, systemId));
+            return new InputSource(
+                    new StringReader("Ignored external entity"));
+        }
+    }
 };

Modified: tomcat/current/tc5.5.x/STATUS.txt
URL: http://svn.apache.org/viewvc/tomcat/current/tc5.5.x/STATUS.txt?rev=609297&r1=609296&r2=609297&view=diff
==============================================================================
--- tomcat/current/tc5.5.x/STATUS.txt (original)
+++ tomcat/current/tc5.5.x/STATUS.txt Sun Jan 6 04:00:31 2008
@@ -25,12 +25,6 @@
 PATCHES PROPOSED TO BACKPORT:
 [ New proposals should be added at the end of the list ]
 
-* Improve fix for webdav vulnerability to workaround what looks like a parser
-  bug
-  http://people.apache.org/~markt/patches/2007-10-20-webdav.patch
-  +1: markt, pero, fhanik
-  -1:
-
 * Fix bug in CGI servlet that causes it to fail when included
   http://svn.apache.org/viewvc?view=rev&revision=595802
   +1: markt, fhanik, funkman, pero

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
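Review bot: `resolveEntity` answers every external reference with the literal text `Ignored external entity`, and that placeholder behaves differently depending on where the reference came from: for an external DTD subset (`<!DOCTYPE x SYSTEM "...">`) it is not valid DTD markup, so the parser raises a SAXParseException and the request fails, whereas for an external general entity the placeholder appears to become the entity's replacement content, so the "ignored" wording of the log message is only half true. Returning an empty source, `return new InputSource(new StringReader(""));`, makes both cases a clean no-op; if failing the request is the intended outcome instead, state that in the class Javadoc so the next reader does not "fix" it. `publicId` and `systemId` come straight from the request body and are written verbatim to the container log via `context.log`, so consider stripping CR/LF and capping their length before logging to limit log forging. If `sm` is a static field, as elsewhere in Catalina, the class can be declared `private static class WebdavResolver`, dropping the implicit reference to the servlet instance.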