rpms/jetty/F-12 jetty-cookiedump.patch, NONE, 1.1 jetty-log.patch, NONE, 1.1 jetty.spec, 1.21, 1.22

Jeff Johnston jjohnstn at fedoraproject.org
Tue Nov 3 20:10:42 UTC 2009


Author: jjohnstn

Update of /cvs/pkgs/rpms/jetty/F-12
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv27969

Modified Files:
	jetty.spec 
Added Files:
	jetty-cookiedump.patch jetty-log.patch 
Log Message:

* Tue Nov 03 2009 Jeff Johnston <jjohnstn at redhat.com> 6.1.20-5
- Security patch
- Resolves #532675, #532656




jetty-cookiedump.patch:
 CookieDump.java |   16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

--- NEW FILE jetty-cookiedump.patch ---
diff -up ./examples/test-webapp/src/main/java/com/acme/CookieDump.java.fix ./examples/test-webapp/src/main/java/com/acme/CookieDump.java
--- ./examples/test-webapp/src/main/java/com/acme/CookieDump.java.fix	2009-11-03 12:32:01.000000000 -0500
+++ ./examples/test-webapp/src/main/java/com/acme/CookieDump.java	2009-11-03 12:33:52.000000000 -0500
@@ -26,6 +26,8 @@ import javax.servlet.http.HttpServletReq
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
 
+import org.mortbay.util.StringUtil;
+
 
 /* ------------------------------------------------------------ */
 /** Test Servlet Cookies.
@@ -89,7 +91,7 @@ public class CookieDump extends HttpServ
         
         for (int i=0;cookies!=null && i<cookies.length;i++)
         {
-            out.println("<b>"+cookies[i].getName()+"</b>="+cookies[i].getValue()+"<br/>");
+            out.println("<b>"+deScript(cookies[i].getName())+"</b>="+deScript(cookies[i].getValue())+"<br/>");
         }
         
         out.println("<form action=\""+response.encodeURL(getURI(request))+"\" method=\"post\">"); 
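Review bot: The `action` attribute on the `<form>` line is still built from `response.encodeURL(getURI(request))` with no HTML escaping, while the cookie name and value two lines above now go through `deScript`. `deScript` handles only `&`, `<` and `>`, which is not sufficient inside a double-quoted attribute; that context needs an encoder that also maps `"` to `&quot;`. Most of `getURI` lies outside this hunk, so whether a raw quote can reach this line from the request URI should be confirmed.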
@@ -114,5 +116,15 @@ public class CookieDump extends HttpServ
             uri=request.getRequestURI();
         return uri;
     }
-    
+
+    /* ------------------------------------------------------------ */
+    protected String deScript(String string)
+    {
+        if (string==null)
+            return null;
+        string=StringUtil.replace(string, "&", "&");
+        string=StringUtil.replace(string, "<", "<");
+        string=StringUtil.replace(string, ">", ">");
+        return string;
+    }
 }
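Review bot: As shown on this page, the three `StringUtil.replace` calls in `deScript` replace `&`, `<` and `>` with themselves, which would make the method a no-op. This is most likely the list archive decoding the entities, so confirm that the committed patch file has `&amp;`, `&lt;` and `&gt;` as the replacement strings; the same applies to the `writer.write` cases of `ErrorHandler.write` in jetty-log.patch. The method also has no comment; I would add `/** Escape &, < and > so the value is safe as HTML element content (not inside attributes). */` above it. It copies the `ErrorHandler.deScript` that jetty-log.patch removes in this same commit, so the two escapers already diverge: this one passes control characters through unchanged.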

jetty-log.patch:
 jetty/src/main/java/org/mortbay/jetty/HttpParser.java           |   10 
 jetty/src/main/java/org/mortbay/jetty/handler/ErrorHandler.java |   42 ++
 util/src/main/java/org/mortbay/log/StdErrLog.java               |  151 ++++++++--
 3 files changed, 166 insertions(+), 37 deletions(-)

--- NEW FILE jetty-log.patch ---
diff -up ./modules/jetty/src/main/java/org/mortbay/jetty/handler/ErrorHandler.java.fix2 ./modules/jetty/src/main/java/org/mortbay/jetty/handler/ErrorHandler.java
--- ./modules/jetty/src/main/java/org/mortbay/jetty/handler/ErrorHandler.java.fix2	2009-11-03 12:45:36.000000000 -0500
+++ ./modules/jetty/src/main/java/org/mortbay/jetty/handler/ErrorHandler.java	2009-11-03 12:47:35.000000000 -0500
@@ -91,8 +91,7 @@ public class ErrorHandler extends Abstra
         writer.write("<title>Error ");
         writer.write(Integer.toString(code));
         writer.write(' ');
-        if (message!=null)
-            writer.write(deScript(message));
+        write(writer,message);
         writer.write("</title>\n");    
     }
 
@@ -117,9 +116,9 @@ public class ErrorHandler extends Abstra
         writer.write("<h2>HTTP ERROR ");
         writer.write(Integer.toString(code));
         writer.write("</h2>\n<p>Problem accessing ");
-        writer.write(deScript(uri));
+        write(writer,uri);
         writer.write(". Reason:\n<pre>    ");
-        writer.write(deScript(message));
+        write(writer,message);
         writer.write("</pre></p>");
     }
 
@@ -135,7 +134,7 @@ public class ErrorHandler extends Abstra
             PrintWriter pw = new PrintWriter(sw);
             th.printStackTrace(pw);
             pw.flush();
-            writer.write(deScript(sw.getBuffer().toString()));
+            write(writer,sw.getBuffer().toString());
             writer.write("</pre>\n");
 
             th =th.getCause();
@@ -162,13 +161,34 @@ public class ErrorHandler extends Abstra
     }
 
     /* ------------------------------------------------------------ */
-    protected String deScript(String string)
+    protected void write(Writer writer,String string)
+        throws IOException
     {
         if (string==null)
-            return null;
-        string=StringUtil.replace(string, "&", "&");
-        string=StringUtil.replace(string, "<", "<");
-        string=StringUtil.replace(string, ">", ">");
-        return string;
+            return;
+        
+        for (int i=0;i<string.length();i++)
+        {
+            char c=string.charAt(i);
+            
+            switch(c)
+            {
+                case '&' :
+                    writer.write("&");
+                    break;
+                case '<' :
+                    writer.write("<");
+                    break;
+                case '>' :
+                    writer.write(">");
+                    break;
+                    
+                default:
+                    if (Character.isISOControl(c) && !Character.isWhitespace(c))
+                        writer.write('?');
+                    else 
+                        writer.write(c);
+            }          
+        }
     }
 }
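Review bot: Replacing `protected String deScript(String)` with `write(Writer,String)` removes a protected method from a public class, so an ErrorHandler subclass that calls `deScript` no longer compiles and one that overrides it silently loses its override. Keeping a deprecated `deScript` that delegates to `write` preserves the extension point, which matters for a patch shipped in a distribution update. `write` also has no Javadoc; it should say that it escapes `&`, `<` and `>` for element content only and replaces non-whitespace ISO control characters with `?`.

```java
    /* ------------------------------------------------------------ */
    /** @deprecated use {@link #write(Writer,String)}; kept so existing subclasses still compile. */
    protected String deScript(String string)
    {
        if (string==null)
            return null;
        StringWriter buffer = new StringWriter();
        try
        {
            write(buffer,string);
        }
        catch(IOException e)
        {
            // StringWriter does not perform I/O, so this is not expected to happen.
            throw new IllegalStateException(e.toString());
        }
        return buffer.toString();
    }

    // … unchanged: write(Writer,String) as added by this hunk …
```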
diff -up ./modules/jetty/src/main/java/org/mortbay/jetty/HttpParser.java.fix2 ./modules/jetty/src/main/java/org/mortbay/jetty/HttpParser.java
--- ./modules/jetty/src/main/java/org/mortbay/jetty/HttpParser.java.fix2	2009-11-03 12:46:07.000000000 -0500
+++ ./modules/jetty/src/main/java/org/mortbay/jetty/HttpParser.java	2009-11-03 12:47:35.000000000 -0500
@@ -465,7 +465,15 @@ public class HttpParser implements Parse
                                         case HttpHeaders.CONTENT_LENGTH_ORDINAL:
                                             if (_contentLength != HttpTokens.CHUNKED_CONTENT)
                                             {
-                                                _contentLength=BufferUtil.toLong(value);
+                                                try
+                                                {
+                                                    _contentLength=BufferUtil.toLong(value);
+                                                }
+                                                catch(NumberFormatException e)
+                                                {
+                                                    Log.ignore(e);
+                                                    throw new HttpException(HttpServletResponse.SC_BAD_REQUEST);
+                                                }
                                                 if (_contentLength <= 0)
                                                     _contentLength=HttpTokens.NO_CONTENT;
                                             }
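Review bot: A negative Content-Length still falls into the `_contentLength <= 0` branch and is treated as `HttpTokens.NO_CONTENT`, so only unparsable values get the new 400 response. If `BufferUtil.toLong` accepts a leading `-` (its body is not visible here), a request with a negative length is accepted as body-less, and an intermediary in front of Jetty may frame the same request differently. I would reject it right after the try/catch with `if (_contentLength < 0) throw new HttpException(HttpServletResponse.SC_BAD_REQUEST);`, before the `<= 0` test. The enclosing switch starts and ends outside this hunk.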
diff -up ./modules/util/src/main/java/org/mortbay/log/StdErrLog.java.fix2 ./modules/util/src/main/java/org/mortbay/log/StdErrLog.java
--- ./modules/util/src/main/java/org/mortbay/log/StdErrLog.java.fix2	2009-11-03 12:47:02.000000000 -0500
+++ ./modules/util/src/main/java/org/mortbay/log/StdErrLog.java	2009-11-03 12:48:00.000000000 -0500
@@ -26,8 +26,10 @@ import org.mortbay.util.DateCache;
 public class StdErrLog implements Logger
 {    
     private static DateCache _dateCache;
-    private static boolean debug = System.getProperty("DEBUG",null)!=null;
-    private String name;
+    private static boolean __debug = System.getProperty("DEBUG",null)!=null;
+    private String _name;
+    
+    StringBuffer _buffer = new StringBuffer();
     
     static
     {
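Review bot: `StringBuffer _buffer` is declared package-private and non-final, yet the logging methods use it both as the shared scratch buffer and as the monitor in `synchronized(_buffer)`. Any class in `org.mortbay.log` can append to it or reassign it outside the lock, and a reassignment would leave threads synchronising on different objects. Declare it `private final StringBuffer _buffer = new StringBuffer();`.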
@@ -49,44 +51,59 @@ public class StdErrLog implements Logger
     
     public StdErrLog(String name)
     {    
-        this.name=name==null?"":name;
+        this._name=name==null?"":name;
     }
     
     public boolean isDebugEnabled()
     {
-        return debug;
+        return __debug;
     }
     
     public void setDebugEnabled(boolean enabled)
     {
-        debug=enabled;
+        __debug=enabled;
     }
     
     public void info(String msg,Object arg0, Object arg1)
     {
         String d=_dateCache.now();
         int ms=_dateCache.lastMs();
-        System.err.println(d+(ms>99?".":(ms>9?".0":".00"))+ms+":"+name+":INFO:  "+format(msg,arg0,arg1));
+        synchronized(_buffer)
+        {
+            tag(d,ms,":INFO:");
+            format(msg,arg0,arg1);
+            System.err.println(_buffer.toString());
+        }
     }
     
     public void debug(String msg,Throwable th)
     {
-        if (debug)
+        if (__debug)
         {
             String d=_dateCache.now();
             int ms=_dateCache.lastMs();
-            System.err.println(d+(ms>99?".":(ms>9?".0":".00"))+ms+":"+name+":DEBUG: "+msg);
-            if (th!=null) th.printStackTrace();
+            synchronized(_buffer)
+            {
+                tag(d,ms,":DBUG:");
+                format(msg);
+                format(th);
+                System.err.println(_buffer.toString());
+            }
         }
     }
     
     public void debug(String msg,Object arg0, Object arg1)
     {
-        if (debug)
+        if (__debug)
         {
             String d=_dateCache.now();
             int ms=_dateCache.lastMs();
-            System.err.println(d+(ms>99?".":(ms>9?".0":".00"))+ms+":"+name+":DEBUG: "+format(msg,arg0,arg1));
+            synchronized(_buffer)
+            {
+                tag(d,ms,":DBUG:");
+                format(msg,arg0,arg1);
+                System.err.println(_buffer.toString());
+            }
         }
     }
     
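Review bot: `debug(String,Throwable)` now calls `format(th)` unconditionally where the old code guarded with `if (th!=null)`, and `format(Throwable)` dereferences `th` immediately, so `debug(msg,null)` throws a NullPointerException inside the logger. `warn(String,Throwable)` in the next hunk has the same regression. In both overloads `format(msg)` calls `msg.length()`, so a null message that used to print as `null` now throws too. Restore the guard with `if (th!=null) format(th);` in both methods and start `format(String)` with `if (msg==null) msg="null";`.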
@@ -94,42 +111,126 @@ public class StdErrLog implements Logger
     {
         String d=_dateCache.now();
         int ms=_dateCache.lastMs();
-        System.err.println(d+(ms>99?".":(ms>9?".0":".00"))+ms+":"+name+":WARN:  "+format(msg,arg0,arg1));
+        synchronized(_buffer)
+        {
+            tag(d,ms,":WARN:");
+            format(msg,arg0,arg1);
+            System.err.println(_buffer.toString());
+        }
     }
     
     public void warn(String msg, Throwable th)
     {
         String d=_dateCache.now();
         int ms=_dateCache.lastMs();
-        System.err.println(d+(ms>99?".":(ms>9?".0":".00"))+ms+":"+name+":WARN:  "+msg);
-        if (th!=null)
-            th.printStackTrace();
+        synchronized(_buffer)
+        {
+            tag(d,ms,":WARN:");
+            format(msg);
+            format(th);
+            System.err.println(_buffer.toString());
+        }
     }
-
-    private String format(String msg, Object arg0, Object arg1)
+    
+    private void tag(String d,int ms,String tag)
+    {
+        _buffer.setLength(0);
+        _buffer.append(d);
+        if (ms>99)
+            _buffer.append('.');
+        else if (ms>9)
+            _buffer.append(".0");
+        else
+            _buffer.append(".00");
+        _buffer.append(ms).append(tag).append(_name).append(':');
+    }
+    
+    private void format(String msg, Object arg0, Object arg1)
     {
         int i0=msg.indexOf("{}");
         int i1=i0<0?-1:msg.indexOf("{}",i0+2);
         
-        if (arg1!=null && i1>=0)
-            msg=msg.substring(0,i1)+arg1+msg.substring(i1+2);
-        if (arg0!=null && i0>=0)
-            msg=msg.substring(0,i0)+arg0+msg.substring(i0+2);
-        return msg;
+        if (i0>=0)
+        {
+            format(msg.substring(0,i0));
+            format(String.valueOf(arg0));
+            
+            if (i1>=0)
+            {
+                format(msg.substring(i0+2,i1));
+                format(String.valueOf(arg1));
+                format(msg.substring(i1+2));
+            }
+            else
+            {
+                format(msg.substring(i0+2));
+                if (arg1!=null)
+                {
+                    _buffer.append(' ');
+                    format(String.valueOf(arg1));
+                }
+            }
+        }
+        else
+        {
+            format(msg);
+            if (arg0!=null)
+            {
+                _buffer.append(' ');
+                format(String.valueOf(arg0));
+            }
+            if (arg1!=null)
+            {
+                _buffer.append(' ');
+                format(String.valueOf(arg1));
+            }
+        }
+    }
+    
+    private void format(String msg)
+    {
+        for (int i=0;i<msg.length();i++)
+        {
+            char c=msg.charAt(i);
+            if (Character.isISOControl(c))
+            {
+                if (c=='\n')
+                    _buffer.append('|');
+                else if (c=='\r')
+                    _buffer.append('<');
+                else
+                    _buffer.append('?');
+            }
+            else
+                _buffer.append(c);
+        }
+    }
+    
+    private void format(Throwable th)
+    {
+        _buffer.append('\n');
+        format(th.toString());
+        StackTraceElement[] elements = th.getStackTrace();
+        for (int i=0;elements!=null && i<elements.length;i++)
+        {
+            _buffer.append("\n\tat ");
+            format(elements[i].toString());
+        }
     }
     
     public Logger getLogger(String name)
     {
-        if ((name==null && this.name==null) ||
-            (name!=null && name.equals(this.name)))
+        if ((name==null && this._name==null) ||
+            (name!=null && name.equals(this._name)))
             return this;
         return new StdErrLog(name);
     }
     
     public String toString()
     {
-        return "STDERR"+name;
+        return "STDERR"+_name;
     }
+    
 
 }
 
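Review bot: `format(Throwable)` prints only the top-level exception and its frames, whereas the `th.printStackTrace()` it replaces also printed the `Caused by:` chain, so wrapped exceptions now lose their root cause in the log. Walking `getCause()` and sending each cause through `format(String)` keeps the control-character filtering without discarding the diagnostic detail. `format(String)` also deserves a short comment: it maps LF to `|`, CR to `<` and every other ISO control character, tab included, to `?`, presumably so that request-derived text cannot start a new log record.

```java
    private void format(Throwable th)
    {
        // Follow the cause chain as printStackTrace() did; each piece still goes through format(String).
        for (Throwable t=th;t!=null;t=t.getCause())
        {
            _buffer.append(t==th?"\n":"\nCaused by: ");
            format(t.toString());
            StackTraceElement[] elements = t.getStackTrace();
            // … unchanged: loop appending "\n\tat " and format(elements[i].toString()) …
        }
    }
```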


Index: jetty.spec
===================================================================
RCS file: /cvs/pkgs/rpms/jetty/F-12/jetty.spec,v
retrieving revision 1.21
retrieving revision 1.22
diff -u -p -r1.21 -r1.22
--- jetty.spec	29 Sep 2009 08:15:26 -0000	1.21
+++ jetty.spec	3 Nov 2009 20:10:42 -0000	1.22
@@ -42,7 +42,7 @@
 
 Name:           jetty
 Version:        6.1.20
-Release:        4%{?dist}
+Release:        5%{?dist}
 Summary:        The Jetty Webserver and Servlet Container
 
 Group:          Applications/Internet
@@ -55,6 +55,10 @@ Source3:        jetty.logrotate
 Source4:        %{name}-depmap.xml
 Source7:        %{name}-settings.xml
 Patch0:     disable-modules.patch
+# Fix issues in CookieDump example
+Patch1:		jetty-cookiedump.patch
+# Fix issues with error logging
+Patch2:		jetty-log.patch
 Patch5:		jetty-unix.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
@@ -141,6 +145,8 @@ for f in $(find . -name "*.?ar"); do rm 
 find . -name "*.class" -exec rm {} \;
 
 %patch0 -b .sav
+%patch1 -b .sav
+%patch2 -b .sav
 #%patch5
 
 cp %{SOURCE7} settings.xml
@@ -361,6 +367,10 @@ fi
 %doc %{_docdir}/%{name}-%{version}
 
 %changelog
+* Tue Nov 03 2009 Jeff Johnston <jjohnstn at redhat.com> 6.1.20-5
+- Security patch
+- Resolves #532675, #532656
+
 * Tue Sep 29 2009 Alexander Kurtakov <akurtako at redhat.com> 6.1.20-4
 - No need to require the whole tomcat5.
 



