Author: markt
Date: Fri Feb 8 15:15:48 2008
New Revision: 620028
URL: http://svn.apache.org/viewvc?rev=620028&view=rev
Log:
Fix cookie handling for quotes and %5C - CVE-2007-5333.
Modified:
tomcat/connectors/trunk/coyote/src/java/org/apache/coyote/tomcat4/CoyoteAdapter.java
tomcat/connectors/trunk/coyote/src/java/org/apache/coyote/tomcat4/CoyoteResponse.java
tomcat/container/branches/tc4.1.x/RELEASE-NOTES-4.1.txt
Modified:
tomcat/connectors/trunk/coyote/src/java/org/apache/coyote/tomcat4/CoyoteAdapter.java
URL:
http://svn.apache.org/viewvc/tomcat/connectors/trunk/coyote/src/java/org/apache/coyote/tomcat4/CoyoteAdapter.java?rev=620028&r1=620027&r2=620028&view=diff
==============================================================================
---
tomcat/connectors/trunk/coyote/src/java/org/apache/coyote/tomcat4/CoyoteAdapter.java
(original)
+++
tomcat/connectors/trunk/coyote/src/java/org/apache/coyote/tomcat4/CoyoteAdapter.java
Fri Feb 8 15:15:48 2008
@@ -380,14 +380,18 @@
}
}
try {
- Cookie cookie = new Cookie(scookie.getName().toString(),
- scookie.getValue().toString());
- cookie.setPath(scookie.getPath().toString());
- cookie.setVersion(scookie.getVersion());
+ /*
+ we must unescape the '\\' escape character
+ */
+ Cookie cookie = new Cookie(scookie.getName().toString(), null);
+ int version = scookie.getVersion();
+ cookie.setVersion(version);
+ cookie.setValue(unescape(scookie.getValue().toString()));
+ cookie.setPath(unescape(scookie.getPath().toString()));
String domain = scookie.getDomain().toString();
- if (domain != null) {
- cookie.setDomain(scookie.getDomain().toString());
- }
+ if (domain != null) cookie.setDomain(unescape(domain));
+ String comment = scookie.getComment().toString();
+ cookie.setComment(version==1?unescape(comment):null);
cookies[idx++] = cookie;
} catch(Exception ex) {
log("Bad Cookie Name: " + scookie.getName() +
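Review bot: The catch block's `log("Bad Cookie Name: " + scookie.getName() +` message no longer describes what it catches: with this hunk `unescape()` can throw IllegalArgumentException for the value, path, domain or comment (a trailing `\`), and those calls run after the name has already been accepted by the `Cookie` constructor, so an operator reading the log will look at the wrong field. Consider `log("Bad Cookie Name or escaped value in cookie: " + scookie.getName() +` so the message covers the new failure modes, and keep the cookie value itself out of the log, since it may be a session identifier. Note also that `unescape` is applied to the value whether or not the parser saw it quoted; under RFC 2109 the backslash quoted-pair only exists inside a quoted-string, so an unquoted version-0 value carrying a literal `\` would presumably be altered — whether ServerCookie already strips surrounding quotes before this point is not visible here and is worth confirming. The enclosing loop and the remainder of the catch block continue outside the hunk.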
@@ -405,6 +409,23 @@
}
+ protected String unescape(String s) {
+ if (s==null) return null;
+ if (s.indexOf('\\') == -1) return s;
+ StringBuffer buf = new StringBuffer();
+ for (int i=0; i<s.length(); i++) {
+ char c = s.charAt(i);
+ if (c!='\\') buf.append(c);
+ else {
+ if (++i >= s.length()) throw new
IllegalArgumentException();//invalid escape, hence invalid cookie
+ c = s.charAt(i);
+ buf.append(c);
+ }
+ }
+ return buf.toString();
+ }
+
+
/**
* Return a context-relative path, beginning with a "/", that represents
* the canonical version of the specified path after ".." and "." elements
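Review bot: `unescape` is a new protected (hence overridable) method with no Javadoc, and since its IllegalArgumentException is what the caller relies on to discard a malformed cookie, that contract should be written down. A Javadoc header should state that it removes one level of backslash quoting (RFC 2109 quoted-pair, `\x` becomes `x`), returns `null` for `null` input and the same string when no backslash is present, and `@throws IllegalArgumentException if the string ends with an unpaired '\'`, deliberately without echoing the input in the message because cookie values can be session identifiers. The bare `throw new IllegalArgumentException();` could carry a fixed message such as `throw new IllegalArgumentException("Trailing '\\' in cookie attribute");`, and `new StringBuffer(s.length())` avoids reallocation since the output is never longer than the input. Any character is accepted after the backslash, including CR, LF, `"` and `;`; that matches the quoted-pair grammar, but it means the unescaped value must be re-quoted on output, which I take to be the job of `ServerCookie.appendCookieValue` in CoyoteResponse — confirm that it rejects or escapes those characters.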
Modified:
tomcat/connectors/trunk/coyote/src/java/org/apache/coyote/tomcat4/CoyoteResponse.java
URL:
http://svn.apache.org/viewvc/tomcat/connectors/trunk/coyote/src/java/org/apache/coyote/tomcat4/CoyoteResponse.java?rev=620028&r1=620027&r2=620028&view=diff
==============================================================================
---
tomcat/connectors/trunk/coyote/src/java/org/apache/coyote/tomcat4/CoyoteResponse.java
(original)
+++
tomcat/connectors/trunk/coyote/src/java/org/apache/coyote/tomcat4/CoyoteResponse.java
Fri Feb 8 15:15:48 2008
@@ -796,18 +796,20 @@
if (included)
return;
- cookies.add(cookie);
-
StringBuffer sb = new StringBuffer();
+ //web application code can receive a IllegalArgumentException
+ //from the appendCookieValue invokation
ServerCookie.appendCookieValue
(sb, cookie.getVersion(), cookie.getName(), cookie.getValue(),
cookie.getPath(), cookie.getDomain(), cookie.getComment(),
cookie.getMaxAge(), cookie.getSecure());
+ // if we reached here, no exception, cookie is valid
// the header name is Set-Cookie for both "old" and v.1 ( RFC2109 )
// RFC2965 is not supported by browsers and the Servlet spec
// asks for 2109.
addHeader("Set-Cookie", sb.toString());
+ cookies.add(cookie);
}
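Review bot: The IllegalArgumentException that `ServerCookie.appendCookieValue` may throw now propagates out of this method before either the header or the `cookies` list is touched, which is the right fail-closed order, but that behaviour is recorded only in an inline comment; it belongs in the method's Javadoc, e.g. `@throws IllegalArgumentException if the cookie cannot be rendered as a valid Set-Cookie header; the cookie is then neither recorded nor sent`. The method's signature and Javadoc are outside this hunk. The added comment also misspells "invokation"; `invocation` is the intended word. Whether `appendCookieValue` actually rejects a value containing `"` or CR/LF is not visible here, yet it is the property the CVE fix depends on, so a test that calls `addCookie` with such a value and asserts the exception would pin it down.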
Modified: tomcat/container/branches/tc4.1.x/RELEASE-NOTES-4.1.txt
URL:
http://svn.apache.org/viewvc/tomcat/container/branches/tc4.1.x/RELEASE-NOTES-4.1.txt?rev=620028&r1=620027&r2=620028&view=diff
==============================================================================
--- tomcat/container/branches/tc4.1.x/RELEASE-NOTES-4.1.txt (original)
+++ tomcat/container/branches/tc4.1.x/RELEASE-NOTES-4.1.txt Fri Feb 8 15:15:48
2008
@@ -1986,6 +1986,10 @@
[4.1.35] CoyoteConnector
No longer accept '\' and '%5c' as path delimiters by default.
+[4.1.37] CoyoteConnector
+ Fix security issues CVE-2007-3385 and CVE-2007-5333 in cookie handling
+ that allowed session hi-jacking to occur.
+
----------------
Jasper Bug Fixes: