Author: markt
Date: Thu Jun 4 11:07:19 2009
New Revision: 781708
URL: http://svn.apache.org/viewvc?rev=781708&view=rev
Log:
Port fixes for https://issues.apache.org/bugzilla/show_bug.cgi?id=29936 and
https://issues.apache.org/bugzilla/show_bug.cgi?id=45933
This addresses CVE-2009-0783
Modified:
tomcat/container/branches/tc4.1.x/RELEASE-NOTES-4.1.txt
tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/startup/ContextConfig.java
Modified: tomcat/container/branches/tc4.1.x/RELEASE-NOTES-4.1.txt
URL:
http://svn.apache.org/viewvc/tomcat/container/branches/tc4.1.x/RELEASE-NOTES-4.1.txt?rev=781708&r1=781707&r2=781708&view=diff
==============================================================================
--- tomcat/container/branches/tc4.1.x/RELEASE-NOTES-4.1.txt (original)
+++ tomcat/container/branches/tc4.1.x/RELEASE-NOTES-4.1.txt Thu Jun 4 11:07:19
2009
@@ -1758,6 +1758,14 @@
enumeration when using FORM authentication.
This is CVE-2009-0580.
+[4.1.40] #29936
+ Don't use web application provided XML parser to process web.xml files
+ This is part of CVE-2009-0783
+
+[4.1.40] #45933
+ Don't use web application provided XML parser to process tld files
+ This is part of CVE-2009-0783
+
----------------
Coyote Bug Fixes:
Modified:
tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/startup/ContextConfig.java
URL:
http://svn.apache.org/viewvc/tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/startup/ContextConfig.java?rev=781708&r1=781707&r2=781708&view=diff
==============================================================================
---
tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/startup/ContextConfig.java
(original)
+++
tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/startup/ContextConfig.java
Thu Jun 4 11:07:19 2009
@@ -119,14 +119,14 @@
* The <code>Digester</code> we will use to process tag library
* descriptor files.
*/
- private static Digester tldDigester = createTldDigester();
+ private static Digester tldDigester;
/**
* The <code>Digester</code> we will use to process web application
* deployment descriptor files.
*/
- private static Digester webDigester = createWebDigester();
+ private static Digester webDigester;
// ------------------------------------------------------------- Properties
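Review bot: `tldDigester` and `webDigester` are now null after class initialisation, and nothing at the declarations says who assigns them or why the eager `createTldDigester()` / `createWebDigester()` initialisers were dropped, so a later reader could restore the field initialisers and silently undo the fix. The Javadoc of each field should record the contract, e.g. `* Initialised lazily in beforeStart(), before the web application starts; null until then.` and, for the why, `* Created early so the XML parser is not resolved through the web application's class loader.` The class-loader rationale is inferred from the commit log and the CVE reference rather than from these lines, so confirm it against the parser lookup in Digester before committing the wording.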
@@ -178,7 +178,9 @@
}
// Process the event that has occurred
- if (event.getType().equals(Lifecycle.START_EVENT))
+ if (event.getType().equals(Lifecycle.BEFORE_START_EVENT))
+ beforeStart();
+ else if (event.getType().equals(Lifecycle.START_EVENT))
start();
else if (event.getType().equals(Lifecycle.STOP_EVENT))
stop();
@@ -554,6 +556,21 @@
/**
+ * Process a "beforeStart" event for this context.
+ */
+ private synchronized void beforeStart() {
+ if (webDigester == null){
+ webDigester = createWebDigester();
+ webDigester.getParser();
+ }
+ if (tldDigester == null){
+ tldDigester = createTldDigester();
+ tldDigester.getParser();
+ }
+ }
+
+
+ /**
* Process a "start" event for this Context.
*/
private synchronized void start() {
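Review bot: `beforeStart()` guards two static fields with an instance-level `synchronized`, so two `ContextConfig` instances going through BEFORE_START concurrently can both observe `webDigester == null` and each create and assign a Digester; the lock belongs on the shared state, e.g. wrap the body in `synchronized (ContextConfig.class) { ... }` or move it into a `private static synchronized void initDigesters()` that `beforeStart()` calls. Whether a duplicate Digester is actually harmful depends on how `start()` uses the fields, and its body lies outside the hunk. The bare `webDigester.getParser();` and `tldDigester.getParser();` calls discard their result and read as dead code that someone will remove; a comment such as `// Force parser creation now, while the container class loader is in effect, so no webapp-provided parser is picked up` records the intent, with the reason taken from the commit log (CVE-2009-0783) and to be confirmed against Digester.getParser().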