diff options
author | Alex Legler <a3li@gentoo.org> | 2009-08-24 08:12:12 +0000 |
---|---|---|
committer | Alex Legler <a3li@gentoo.org> | 2009-08-24 08:12:12 +0000 |
commit | 4e6a35245845cb78455ad73e2074cf6fd77ec077 (patch) | |
tree | f67ccdadf55df54c166246bd76c027bca3aacb22 | |
parent | avoid collision with descent1-demodata (diff) | |
download | gentoo-2-4e6a35245845cb78455ad73e2074cf6fd77ec077.tar.gz gentoo-2-4e6a35245845cb78455ad73e2074cf6fd77ec077.tar.bz2 gentoo-2-4e6a35245845cb78455ad73e2074cf6fd77ec077.zip |
Non-maintainer commit: Revbump to fix security bug 267081 (CVE-2008-2025).
(Portage version: 2.2_rc33/cvs/Linux x86_64)
-rw-r--r-- | dev-java/struts/ChangeLog | 10 | ||||
-rw-r--r-- | dev-java/struts/files/struts-CVE-2008-2025.patch | 328 | ||||
-rw-r--r-- | dev-java/struts/struts-1.2.9-r3.ebuild | 84 |
3 files changed, 420 insertions, 2 deletions
diff --git a/dev-java/struts/ChangeLog b/dev-java/struts/ChangeLog index 2ff2718bf3db..2dbab1e224be 100644 --- a/dev-java/struts/ChangeLog +++ b/dev-java/struts/ChangeLog @@ -1,6 +1,12 @@ # ChangeLog for dev-java/struts -# Copyright 2000-2009 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/dev-java/struts/ChangeLog,v 1.44 2009/03/29 17:03:50 betelgeuse Exp $ +# Copyright 1999-2009 Gentoo Foundation; Distributed under the GPL v2 +# $Header: /var/cvsroot/gentoo-x86/dev-java/struts/ChangeLog,v 1.45 2009/08/24 08:12:12 a3li Exp $ + +*struts-1.2.9-r3 (24 Aug 2009) + + 24 Aug 2009; Alex Legler <a3li@gentoo.org> +struts-1.2.9-r3.ebuild, + +files/struts-CVE-2008-2025.patch: + Non-maintainer commit: Revbump to fix security bug 267081 (CVE-2008-2025). 29 Mar 2009; Petteri Räty <betelgeuse@gentoo.org> struts-1.2.9-r2.ebuild: Migrate to EAPI 2 for bug #239835. diff --git a/dev-java/struts/files/struts-CVE-2008-2025.patch b/dev-java/struts/files/struts-CVE-2008-2025.patch new file mode 100644 index 000000000000..4b0d7ebd7222 --- /dev/null +++ b/dev-java/struts/files/struts-CVE-2008-2025.patch @@ -0,0 +1,328 @@ +diff --git a/src/share/org/apache/struts/taglib/html/BaseHandlerTag.java b/src/share/org/apache/struts/taglib/html/BaseHandlerTag.java +index 403ff97..386ccf3 100644 +--- a/src/share/org/apache/struts/taglib/html/BaseHandlerTag.java ++++ b/src/share/org/apache/struts/taglib/html/BaseHandlerTag.java +@@ -35,6 +35,7 @@ import org.apache.struts.taglib.TagUtils; + import org.apache.struts.taglib.logic.IterateTag;
+ import org.apache.struts.util.MessageResources;
+ import org.apache.struts.util.RequestUtils;
++import org.apache.struts.util.ResponseUtils;
+
+ /**
+ * Base class for tags that render form elements capable of including JavaScript
+@@ -898,10 +899,12 @@ public abstract class BaseHandlerTag extends BodyTagSupport { + */
+ protected void prepareAttribute(StringBuffer handlers, String name, Object value) {
+ if (value != null) {
++ if (name.indexOf('"') >= 0)
++ throw new IllegalArgumentException("quote character in attribute name");
+ handlers.append(" ");
+ handlers.append(name);
+ handlers.append("=\"");
+- handlers.append(value);
++ handlers.append(ResponseUtils.filterIfQuote(value.toString()));
+ handlers.append("\"");
+ }
+ }
+diff --git a/src/share/org/apache/struts/taglib/html/FormTag.java b/src/share/org/apache/struts/taglib/html/FormTag.java +index e8eb9b4..ba2d782 100644 +--- a/src/share/org/apache/struts/taglib/html/FormTag.java ++++ b/src/share/org/apache/struts/taglib/html/FormTag.java +@@ -37,6 +37,7 @@ import org.apache.struts.config.ModuleConfig; + import org.apache.struts.taglib.TagUtils;
+ import org.apache.struts.util.MessageResources;
+ import org.apache.struts.util.RequestUtils;
++import org.apache.struts.util.ResponseUtils;
+
+ /**
+ * Custom tag that represents an input form, associated with a bean whose
+@@ -547,10 +548,10 @@ public class FormTag extends TagSupport { +
+ results.append(" action=\"");
+ results.append(
+- response.encodeURL(
++ ResponseUtils.filterIfQuote(response.encodeURL(
+ TagUtils.getInstance().getActionMappingURL(
+ this.action,
+- this.pageContext)));
++ this.pageContext))));
+
+ results.append("\"");
+ }
+@@ -580,7 +581,7 @@ public class FormTag extends TagSupport { + results.append("<div><input type=\"hidden\" name=\"");
+ results.append(Constants.TOKEN_KEY);
+ results.append("\" value=\"");
+- results.append(token);
++ results.append(ResponseUtils.filterIfQuote(token));
+ if (this.isXhtml()) {
+ results.append("\" />");
+ } else {
+@@ -598,10 +599,12 @@ public class FormTag extends TagSupport { + */
+ protected void renderAttribute(StringBuffer results, String attribute, String value) {
+ if (value != null) {
++ if (attribute.indexOf('"') >= 0)
++ throw new IllegalArgumentException("quote character in attribute name");
+ results.append(" ");
+ results.append(attribute);
+ results.append("=\"");
+- results.append(value);
++ results.append(ResponseUtils.filterIfQuote(value));
+ results.append("\"");
+ }
+ }
+diff --git a/src/share/org/apache/struts/taglib/html/HtmlTag.java b/src/share/org/apache/struts/taglib/html/HtmlTag.java +index fb64875..d4da38d 100644 +--- a/src/share/org/apache/struts/taglib/html/HtmlTag.java ++++ b/src/share/org/apache/struts/taglib/html/HtmlTag.java +@@ -29,6 +29,7 @@ import javax.servlet.jsp.tagext.TagSupport; + import org.apache.struts.Globals;
+ import org.apache.struts.taglib.TagUtils;
+ import org.apache.struts.util.MessageResources;
++import org.apache.struts.util.ResponseUtils;
+
+ /**
+ * Renders an HTML <html> element with appropriate language attributes if
+@@ -151,20 +152,20 @@ public class HtmlTag extends TagSupport { +
+ if ((this.lang || this.locale || this.xhtml) && validLanguage) {
+ sb.append(" lang=\"");
+- sb.append(language);
++ sb.append(ResponseUtils.filterIfQuote(language));
+ if (validCountry) {
+ sb.append("-");
+- sb.append(country);
++ sb.append(ResponseUtils.filterIfQuote(country));
+ }
+ sb.append("\"");
+ }
+
+ if (this.xhtml && validLanguage) {
+ sb.append(" xml:lang=\"");
+- sb.append(language);
++ sb.append(ResponseUtils.filterIfQuote(language));
+ if (validCountry) {
+ sb.append("-");
+- sb.append(country);
++ sb.append(ResponseUtils.filterIfQuote(country));
+ }
+ sb.append("\"");
+ }
+diff --git a/src/share/org/apache/struts/taglib/html/JavascriptValidatorTag.java b/src/share/org/apache/struts/taglib/html/JavascriptValidatorTag.java +index 77d7dba..5da8317 100644 +--- a/src/share/org/apache/struts/taglib/html/JavascriptValidatorTag.java ++++ b/src/share/org/apache/struts/taglib/html/JavascriptValidatorTag.java +@@ -45,6 +45,7 @@ import org.apache.struts.Globals; + import org.apache.struts.action.ActionMapping;
+ import org.apache.struts.config.ModuleConfig;
+ import org.apache.struts.taglib.TagUtils;
++import org.apache.struts.util.ResponseUtils;
+ import org.apache.struts.util.MessageResources;
+ import org.apache.struts.validator.Resources;
+ import org.apache.struts.validator.ValidatorPlugIn;
+@@ -850,7 +851,7 @@ public class JavascriptValidatorTag extends BodyTagSupport { + }
+
+ if (this.src != null) {
+- start.append(" src=\"" + src + "\"");
++ start.append(" src=\"" + ResponseUtils.filterIfQuote(src) + "\"");
+ }
+
+ start.append("> \n");
+diff --git a/src/share/org/apache/struts/taglib/html/OptionTag.java b/src/share/org/apache/struts/taglib/html/OptionTag.java +index 4df5c95..e9e4b2e 100644 +--- a/src/share/org/apache/struts/taglib/html/OptionTag.java ++++ b/src/share/org/apache/struts/taglib/html/OptionTag.java +@@ -26,6 +26,7 @@ import javax.servlet.jsp.tagext.BodyTagSupport; + import org.apache.struts.Globals;
+ import org.apache.struts.taglib.TagUtils;
+ import org.apache.struts.util.MessageResources;
++import org.apache.struts.util.ResponseUtils;
+
+ /**
+ * Tag for select options. The body of this tag is presented to the user
+@@ -235,7 +236,7 @@ public class OptionTag extends BodyTagSupport { + protected String renderOptionElement() throws JspException {
+ StringBuffer results = new StringBuffer("<option value=\"");
+
+- results.append(this.value);
++ results.append(ResponseUtils.filterIfQuote(this.value));
+ results.append("\"");
+ if (disabled) {
+ results.append(" disabled=\"disabled\"");
+@@ -245,17 +246,17 @@ public class OptionTag extends BodyTagSupport { + }
+ if (style != null) {
+ results.append(" style=\"");
+- results.append(style);
++ results.append(ResponseUtils.filterIfQuote(style));
+ results.append("\"");
+ }
+ if (styleId != null) {
+ results.append(" id=\"");
+- results.append(styleId);
++ results.append(ResponseUtils.filterIfQuote(styleId));
+ results.append("\"");
+ }
+ if (styleClass != null) {
+ results.append(" class=\"");
+- results.append(styleClass);
++ results.append(ResponseUtils.filterIfQuote(styleClass));
+ results.append("\"");
+ }
+ results.append(">");
+diff --git a/src/share/org/apache/struts/taglib/html/OptionsCollectionTag.java b/src/share/org/apache/struts/taglib/html/OptionsCollectionTag.java +index 9999259..e5ecb66 100644 +--- a/src/share/org/apache/struts/taglib/html/OptionsCollectionTag.java ++++ b/src/share/org/apache/struts/taglib/html/OptionsCollectionTag.java +@@ -30,6 +30,7 @@ import javax.servlet.jsp.tagext.TagSupport; +
+ import org.apache.commons.beanutils.PropertyUtils;
+ import org.apache.struts.util.IteratorAdapter;
++import org.apache.struts.util.ResponseUtils;
+ import org.apache.struts.taglib.TagUtils;
+ import org.apache.struts.util.MessageResources;
+
+@@ -291,7 +292,7 @@ public class OptionsCollectionTag extends TagSupport { + if (filter) {
+ sb.append(TagUtils.getInstance().filter(value));
+ } else {
+- sb.append(value);
++ sb.append(ResponseUtils.filterIfQuote(value));
+ }
+ sb.append("\"");
+ if (matched) {
+@@ -299,12 +300,12 @@ public class OptionsCollectionTag extends TagSupport { + }
+ if (style != null) {
+ sb.append(" style=\"");
+- sb.append(style);
++ sb.append(ResponseUtils.filterIfQuote(style));
+ sb.append("\"");
+ }
+ if (styleClass != null) {
+ sb.append(" class=\"");
+- sb.append(styleClass);
++ sb.append(ResponseUtils.filterIfQuote(styleClass));
+ sb.append("\"");
+ }
+
+@@ -313,7 +314,7 @@ public class OptionsCollectionTag extends TagSupport { + if (filter) {
+ sb.append(TagUtils.getInstance().filter(label));
+ } else {
+- sb.append(label);
++ sb.append(ResponseUtils.filterIfQuote(label));
+ }
+
+ sb.append("</option>\r\n");
+diff --git a/src/share/org/apache/struts/taglib/html/OptionsTag.java b/src/share/org/apache/struts/taglib/html/OptionsTag.java +index 90d716a..dbc14cf 100644 +--- a/src/share/org/apache/struts/taglib/html/OptionsTag.java ++++ b/src/share/org/apache/struts/taglib/html/OptionsTag.java +@@ -32,6 +32,7 @@ import org.apache.commons.beanutils.PropertyUtils; + import org.apache.struts.util.IteratorAdapter;
+ import org.apache.struts.taglib.TagUtils;
+ import org.apache.struts.util.MessageResources;
++import org.apache.struts.util.ResponseUtils;
+
+ /**
+ * Tag for creating multiple <select> options from a collection. The
+@@ -313,7 +314,7 @@ public class OptionsTag extends TagSupport { + if (filter) {
+ sb.append(TagUtils.getInstance().filter(value));
+ } else {
+- sb.append(value);
++ sb.append(ResponseUtils.filterIfQuote(value));
+ }
+ sb.append("\"");
+ if (matched) {
+@@ -321,12 +322,12 @@ public class OptionsTag extends TagSupport { + }
+ if (style != null) {
+ sb.append(" style=\"");
+- sb.append(style);
++ sb.append(ResponseUtils.filterIfQuote(style));
+ sb.append("\"");
+ }
+ if (styleClass != null) {
+ sb.append(" class=\"");
+- sb.append(styleClass);
++ sb.append(ResponseUtils.filterIfQuote(styleClass));
+ sb.append("\"");
+ }
+
+@@ -335,7 +336,7 @@ public class OptionsTag extends TagSupport { + if (filter) {
+ sb.append(TagUtils.getInstance().filter(label));
+ } else {
+- sb.append(label);
++ sb.append(ResponseUtils.filterIfQuote(label));
+ }
+
+ sb.append("</option>\r\n");
+diff --git a/src/share/org/apache/struts/taglib/html/RewriteTag.java b/src/share/org/apache/struts/taglib/html/RewriteTag.java +index 804e50c..63a2f03 100644 +--- a/src/share/org/apache/struts/taglib/html/RewriteTag.java ++++ b/src/share/org/apache/struts/taglib/html/RewriteTag.java +@@ -24,6 +24,7 @@ import java.util.Map; + import javax.servlet.jsp.JspException;
+
+ import org.apache.struts.taglib.TagUtils;
++import org.apache.struts.util.ResponseUtils;
+
+ /**
+ * Generate a URL-encoded URI as a string.
+@@ -72,7 +73,8 @@ public class RewriteTag extends LinkTag { + (messages.getMessage("rewrite.url", e.toString()));
+ }
+
+- TagUtils.getInstance().write(pageContext, url);
++ TagUtils.getInstance().write(pageContext,
++ ResponseUtils.filterIfQuote(url));
+
+ return (SKIP_BODY);
+
+diff --git a/src/share/org/apache/struts/util/ResponseUtils.java b/src/share/org/apache/struts/util/ResponseUtils.java +index 4588bb2..fe7e517 100644 +--- a/src/share/org/apache/struts/util/ResponseUtils.java ++++ b/src/share/org/apache/struts/util/ResponseUtils.java +@@ -137,6 +137,37 @@ public class ResponseUtils { + }
+
+
++ /**
++ * Replace double-quote characters in the input string with
++ * proper HTML encoding.
++ *
++ * No other HTML-encoding is performed. As a result, the return value
++ * can only be safely used in (X)HTML attributes surrounded by
++ * double-quote characters (<code>"</code>).
++ *
++ * <p>Note that you should not use this function in new code.
++ * It is only intended for old code which needs to be
++ * backwards-compatible with incompletely-quoted attributes.
++ *
++ * @return a fresh string object if quoting is needed,
++ * otherwise the input string
++ */
++ public static String filterIfQuote(String value) {
++ if (value == null)
++ return null;
++ if (value.indexOf('"') >= 0) {
++ StringBuffer sb = new StringBuffer(value.length() + 2);
++ for (int i = 0; i < value.length(); ++i) {
++ final char ch = value.charAt(i);
++ if (ch == '"')
++ sb.append(""");
++ else
++ sb.append(ch);
++ }
++ return sb.toString();
++ }
++ return value;
++ }
+
+
+ /**
diff --git a/dev-java/struts/struts-1.2.9-r3.ebuild b/dev-java/struts/struts-1.2.9-r3.ebuild new file mode 100644 index 000000000000..cb6aa67c16fa --- /dev/null +++ b/dev-java/struts/struts-1.2.9-r3.ebuild @@ -0,0 +1,84 @@ +# Copyright 1999-2009 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/dev-java/struts/struts-1.2.9-r3.ebuild,v 1.1 2009/08/24 08:12:12 a3li Exp $ + +EAPI="2" +JAVA_PKG_IUSE="doc examples source" +WANT_ANT_TASKS="ant-trax" + +inherit java-pkg-2 java-ant-2 + +MY_P="${P}-src" +DESCRIPTION="A powerful Model View Controller Framework for JSP/Servlets" +SRC_URI="mirror://apache/struts/source/${MY_P}.tar.gz" +HOMEPAGE="http://jakarta.apache.org/struts/index.html" +LICENSE="Apache-2.0" +SLOT="1.2" +COMMON_DEPS=" + >=dev-java/antlr-2.7.7:0[java] + dev-java/commons-beanutils:1.7 + >=dev-java/commons-collections-2.1:0 + >=dev-java/commons-digester-1.5:0 + >=dev-java/commons-fileupload-1.0:0 + >=dev-java/commons-logging-1.0.4:0 + >=dev-java/commons-validator-1.1.4:0 + dev-java/jakarta-oro:2.0 + java-virtuals/servlet-api:2.3" +RDEPEND=">=virtual/jre-1.4 + ${COMMON_DEPS}" +DEPEND=">=virtual/jdk-1.4 + ${COMMON_DEPS}" +IUSE="" +KEYWORDS="~amd64 ~ppc ~x86 ~x86-fbsd" + +S="${WORKDIR}/${MY_P}" + +src_prepare() { + epatch "${FILESDIR}/${PN}-CVE-2008-2025.patch" + + java_prepare +} + +java_prepare() { + # the build.xml expects this directory to exist + mkdir "${S}/lib" + cd "${S}/lib" + + # No property exists for this + java-pkg_jar-from commons-collections +} + +src_compile() { + local antflags="compile.library" + + # In the order the build process asks for these + # They are copied in the build.xml to ${S}/target/library/ + antflags="${antflags} -Dcommons-beanutils.jar=$(java-pkg_getjar commons-beanutils-1.7 commons-beanutils.jar)" + antflags="${antflags} -Dcommons-digester.jar=$(java-pkg_getjars commons-digester)" + antflags="${antflags} -Dcommons-fileupload.jar=$(java-pkg_getjars commons-fileupload)" + antflags="${antflags} -Dcommons-logging.jar=$(java-pkg_getjar commons-logging commons-logging.jar)" + antflags="${antflags} -Dcommons-validator.jar=$(java-pkg_getjars commons-validator)" + antflags="${antflags} -Djakarta-oro.jar=$(java-pkg_getjars jakarta-oro-2.0)" + + # Needed to compile + antflags="${antflags} -Dservlet.jar=$(java-pkg_getjars servlet-api-2.3)" + antflags="${antflags} -Dantlr.jar=$(java-pkg_getjars antlr)" + + # only needed for contrib stuff which we don't currently build +# antflags="${antflags} -Dstruts-legacy.jar=$(java-pkg_getjars struts-legacy)" + + eant ${antflags} $(use_doc compile.javadoc) +} + +src_install() { + java-pkg_dojar target/library/${PN}.jar + + #install the tld files + insinto /usr/share/${PN}-${SLOT}/lib + doins target/library/*.tld + + dodoc README STATUS.txt || die + use doc && java-pkg_dohtml -r target/documentation/ + use examples && java-pkg_doexamples src/example* + use source && java-pkg_dosrc src/share/* +} |