authorAlex Legler <a3li@gentoo.org>2009-08-24 08:12:12 +0000
committerAlex Legler <a3li@gentoo.org>2009-08-24 08:12:12 +0000
commit4e6a35245845cb78455ad73e2074cf6fd77ec077 (patch)
treef67ccdadf55df54c166246bd76c027bca3aacb22
parentavoid collision with descent1-demodata (diff)
Non-maintainer commit: Revbump to fix security bug 267081 (CVE-2008-2025).
(Portage version: 2.2_rc33/cvs/Linux x86_64)
-rw-r--r--dev-java/struts/ChangeLog10
-rw-r--r--dev-java/struts/files/struts-CVE-2008-2025.patch328
-rw-r--r--dev-java/struts/struts-1.2.9-r3.ebuild84
3 files changed, 420 insertions, 2 deletions
diff --git a/dev-java/struts/ChangeLog b/dev-java/struts/ChangeLog
index 2ff2718bf3db..2dbab1e224be 100644
--- a/dev-java/struts/ChangeLog
+++ b/dev-java/struts/ChangeLog
@@ -1,6 +1,12 @@
# ChangeLog for dev-java/struts
-# Copyright 2000-2009 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/dev-java/struts/ChangeLog,v 1.44 2009/03/29 17:03:50 betelgeuse Exp $
+# Copyright 1999-2009 Gentoo Foundation; Distributed under the GPL v2
+# $Header: /var/cvsroot/gentoo-x86/dev-java/struts/ChangeLog,v 1.45 2009/08/24 08:12:12 a3li Exp $
+
+*struts-1.2.9-r3 (24 Aug 2009)
+
+ 24 Aug 2009; Alex Legler <a3li@gentoo.org> +struts-1.2.9-r3.ebuild,
+ +files/struts-CVE-2008-2025.patch:
+ Non-maintainer commit: Revbump to fix security bug 267081 (CVE-2008-2025).
29 Mar 2009; Petteri Räty <betelgeuse@gentoo.org> struts-1.2.9-r2.ebuild:
Migrate to EAPI 2 for bug #239835.
diff --git a/dev-java/struts/files/struts-CVE-2008-2025.patch b/dev-java/struts/files/struts-CVE-2008-2025.patch
new file mode 100644
index 000000000000..4b0d7ebd7222
--- /dev/null
+++ b/dev-java/struts/files/struts-CVE-2008-2025.patch
@@ -0,0 +1,328 @@
+diff --git a/src/share/org/apache/struts/taglib/html/BaseHandlerTag.java b/src/share/org/apache/struts/taglib/html/BaseHandlerTag.java
+index 403ff97..386ccf3 100644
+--- a/src/share/org/apache/struts/taglib/html/BaseHandlerTag.java
++++ b/src/share/org/apache/struts/taglib/html/BaseHandlerTag.java
+@@ -35,6 +35,7 @@ import org.apache.struts.taglib.TagUtils;
+ import org.apache.struts.taglib.logic.IterateTag;
+ import org.apache.struts.util.MessageResources;
+ import org.apache.struts.util.RequestUtils;
++import org.apache.struts.util.ResponseUtils;
+
+ /**
+ * Base class for tags that render form elements capable of including JavaScript
+@@ -898,10 +899,12 @@ public abstract class BaseHandlerTag extends BodyTagSupport {
+ */
+ protected void prepareAttribute(StringBuffer handlers, String name, Object value) {
+ if (value != null) {
++ if (name.indexOf('"') >= 0)
++ throw new IllegalArgumentException("quote character in attribute name");
+ handlers.append(" ");
+ handlers.append(name);
+ handlers.append("=\"");
+- handlers.append(value);
++ handlers.append(ResponseUtils.filterIfQuote(value.toString()));
+ handlers.append("\"");
+ }
+ }
+diff --git a/src/share/org/apache/struts/taglib/html/FormTag.java b/src/share/org/apache/struts/taglib/html/FormTag.java
+index e8eb9b4..ba2d782 100644
+--- a/src/share/org/apache/struts/taglib/html/FormTag.java
++++ b/src/share/org/apache/struts/taglib/html/FormTag.java
+@@ -37,6 +37,7 @@ import org.apache.struts.config.ModuleConfig;
+ import org.apache.struts.taglib.TagUtils;
+ import org.apache.struts.util.MessageResources;
+ import org.apache.struts.util.RequestUtils;
++import org.apache.struts.util.ResponseUtils;
+
+ /**
+ * Custom tag that represents an input form, associated with a bean whose
+@@ -547,10 +548,10 @@ public class FormTag extends TagSupport {
+
+ results.append(" action=\"");
+ results.append(
+- response.encodeURL(
++ ResponseUtils.filterIfQuote(response.encodeURL(
+ TagUtils.getInstance().getActionMappingURL(
+ this.action,
+- this.pageContext)));
++ this.pageContext))));
+
+ results.append("\"");
+ }
+@@ -580,7 +581,7 @@ public class FormTag extends TagSupport {
+ results.append("<div><input type=\"hidden\" name=\"");
+ results.append(Constants.TOKEN_KEY);
+ results.append("\" value=\"");
+- results.append(token);
++ results.append(ResponseUtils.filterIfQuote(token));
+ if (this.isXhtml()) {
+ results.append("\" />");
+ } else {
+@@ -598,10 +599,12 @@ public class FormTag extends TagSupport {
+ */
+ protected void renderAttribute(StringBuffer results, String attribute, String value) {
+ if (value != null) {
++ if (attribute.indexOf('"') >= 0)
++ throw new IllegalArgumentException("quote character in attribute name");
+ results.append(" ");
+ results.append(attribute);
+ results.append("=\"");
+- results.append(value);
++ results.append(ResponseUtils.filterIfQuote(value));
+ results.append("\"");
+ }
+ }
+diff --git a/src/share/org/apache/struts/taglib/html/HtmlTag.java b/src/share/org/apache/struts/taglib/html/HtmlTag.java
+index fb64875..d4da38d 100644
+--- a/src/share/org/apache/struts/taglib/html/HtmlTag.java
++++ b/src/share/org/apache/struts/taglib/html/HtmlTag.java
+@@ -29,6 +29,7 @@ import javax.servlet.jsp.tagext.TagSupport;
+ import org.apache.struts.Globals;
+ import org.apache.struts.taglib.TagUtils;
+ import org.apache.struts.util.MessageResources;
++import org.apache.struts.util.ResponseUtils;
+
+ /**
+ * Renders an HTML <html> element with appropriate language attributes if
+@@ -151,20 +152,20 @@ public class HtmlTag extends TagSupport {
+
+ if ((this.lang || this.locale || this.xhtml) && validLanguage) {
+ sb.append(" lang=\"");
+- sb.append(language);
++ sb.append(ResponseUtils.filterIfQuote(language));
+ if (validCountry) {
+ sb.append("-");
+- sb.append(country);
++ sb.append(ResponseUtils.filterIfQuote(country));
+ }
+ sb.append("\"");
+ }
+
+ if (this.xhtml && validLanguage) {
+ sb.append(" xml:lang=\"");
+- sb.append(language);
++ sb.append(ResponseUtils.filterIfQuote(language));
+ if (validCountry) {
+ sb.append("-");
+- sb.append(country);
++ sb.append(ResponseUtils.filterIfQuote(country));
+ }
+ sb.append("\"");
+ }
+diff --git a/src/share/org/apache/struts/taglib/html/JavascriptValidatorTag.java b/src/share/org/apache/struts/taglib/html/JavascriptValidatorTag.java
+index 77d7dba..5da8317 100644
+--- a/src/share/org/apache/struts/taglib/html/JavascriptValidatorTag.java
++++ b/src/share/org/apache/struts/taglib/html/JavascriptValidatorTag.java
+@@ -45,6 +45,7 @@ import org.apache.struts.Globals;
+ import org.apache.struts.action.ActionMapping;
+ import org.apache.struts.config.ModuleConfig;
+ import org.apache.struts.taglib.TagUtils;
++import org.apache.struts.util.ResponseUtils;
+ import org.apache.struts.util.MessageResources;
+ import org.apache.struts.validator.Resources;
+ import org.apache.struts.validator.ValidatorPlugIn;
+@@ -850,7 +851,7 @@ public class JavascriptValidatorTag extends BodyTagSupport {
+ }
+
+ if (this.src != null) {
+- start.append(" src=\"" + src + "\"");
++ start.append(" src=\"" + ResponseUtils.filterIfQuote(src) + "\"");
+ }
+
+ start.append("> \n");
+diff --git a/src/share/org/apache/struts/taglib/html/OptionTag.java b/src/share/org/apache/struts/taglib/html/OptionTag.java
+index 4df5c95..e9e4b2e 100644
+--- a/src/share/org/apache/struts/taglib/html/OptionTag.java
++++ b/src/share/org/apache/struts/taglib/html/OptionTag.java
+@@ -26,6 +26,7 @@ import javax.servlet.jsp.tagext.BodyTagSupport;
+ import org.apache.struts.Globals;
+ import org.apache.struts.taglib.TagUtils;
+ import org.apache.struts.util.MessageResources;
++import org.apache.struts.util.ResponseUtils;
+
+ /**
+ * Tag for select options. The body of this tag is presented to the user
+@@ -235,7 +236,7 @@ public class OptionTag extends BodyTagSupport {
+ protected String renderOptionElement() throws JspException {
+ StringBuffer results = new StringBuffer("<option value=\"");
+
+- results.append(this.value);
++ results.append(ResponseUtils.filterIfQuote(this.value));
+ results.append("\"");
+ if (disabled) {
+ results.append(" disabled=\"disabled\"");
+@@ -245,17 +246,17 @@ public class OptionTag extends BodyTagSupport {
+ }
+ if (style != null) {
+ results.append(" style=\"");
+- results.append(style);
++ results.append(ResponseUtils.filterIfQuote(style));
+ results.append("\"");
+ }
+ if (styleId != null) {
+ results.append(" id=\"");
+- results.append(styleId);
++ results.append(ResponseUtils.filterIfQuote(styleId));
+ results.append("\"");
+ }
+ if (styleClass != null) {
+ results.append(" class=\"");
+- results.append(styleClass);
++ results.append(ResponseUtils.filterIfQuote(styleClass));
+ results.append("\"");
+ }
+ results.append(">");
+diff --git a/src/share/org/apache/struts/taglib/html/OptionsCollectionTag.java b/src/share/org/apache/struts/taglib/html/OptionsCollectionTag.java
+index 9999259..e5ecb66 100644
+--- a/src/share/org/apache/struts/taglib/html/OptionsCollectionTag.java
++++ b/src/share/org/apache/struts/taglib/html/OptionsCollectionTag.java
+@@ -30,6 +30,7 @@ import javax.servlet.jsp.tagext.TagSupport;
+
+ import org.apache.commons.beanutils.PropertyUtils;
+ import org.apache.struts.util.IteratorAdapter;
++import org.apache.struts.util.ResponseUtils;
+ import org.apache.struts.taglib.TagUtils;
+ import org.apache.struts.util.MessageResources;
+
+@@ -291,7 +292,7 @@ public class OptionsCollectionTag extends TagSupport {
+ if (filter) {
+ sb.append(TagUtils.getInstance().filter(value));
+ } else {
+- sb.append(value);
++ sb.append(ResponseUtils.filterIfQuote(value));
+ }
+ sb.append("\"");
+ if (matched) {
+@@ -299,12 +300,12 @@ public class OptionsCollectionTag extends TagSupport {
+ }
+ if (style != null) {
+ sb.append(" style=\"");
+- sb.append(style);
++ sb.append(ResponseUtils.filterIfQuote(style));
+ sb.append("\"");
+ }
+ if (styleClass != null) {
+ sb.append(" class=\"");
+- sb.append(styleClass);
++ sb.append(ResponseUtils.filterIfQuote(styleClass));
+ sb.append("\"");
+ }
+
+@@ -313,7 +314,7 @@ public class OptionsCollectionTag extends TagSupport {
+ if (filter) {
+ sb.append(TagUtils.getInstance().filter(label));
+ } else {
+- sb.append(label);
++ sb.append(ResponseUtils.filterIfQuote(label));
+ }
+
+ sb.append("</option>\r\n");
+diff --git a/src/share/org/apache/struts/taglib/html/OptionsTag.java b/src/share/org/apache/struts/taglib/html/OptionsTag.java
+index 90d716a..dbc14cf 100644
+--- a/src/share/org/apache/struts/taglib/html/OptionsTag.java
++++ b/src/share/org/apache/struts/taglib/html/OptionsTag.java
+@@ -32,6 +32,7 @@ import org.apache.commons.beanutils.PropertyUtils;
+ import org.apache.struts.util.IteratorAdapter;
+ import org.apache.struts.taglib.TagUtils;
+ import org.apache.struts.util.MessageResources;
++import org.apache.struts.util.ResponseUtils;
+
+ /**
+ * Tag for creating multiple &lt;select&gt; options from a collection. The
+@@ -313,7 +314,7 @@ public class OptionsTag extends TagSupport {
+ if (filter) {
+ sb.append(TagUtils.getInstance().filter(value));
+ } else {
+- sb.append(value);
++ sb.append(ResponseUtils.filterIfQuote(value));
+ }
+ sb.append("\"");
+ if (matched) {
+@@ -321,12 +322,12 @@ public class OptionsTag extends TagSupport {
+ }
+ if (style != null) {
+ sb.append(" style=\"");
+- sb.append(style);
++ sb.append(ResponseUtils.filterIfQuote(style));
+ sb.append("\"");
+ }
+ if (styleClass != null) {
+ sb.append(" class=\"");
+- sb.append(styleClass);
++ sb.append(ResponseUtils.filterIfQuote(styleClass));
+ sb.append("\"");
+ }
+
+@@ -335,7 +336,7 @@ public class OptionsTag extends TagSupport {
+ if (filter) {
+ sb.append(TagUtils.getInstance().filter(label));
+ } else {
+- sb.append(label);
++ sb.append(ResponseUtils.filterIfQuote(label));
+ }
+
+ sb.append("</option>\r\n");
+diff --git a/src/share/org/apache/struts/taglib/html/RewriteTag.java b/src/share/org/apache/struts/taglib/html/RewriteTag.java
+index 804e50c..63a2f03 100644
+--- a/src/share/org/apache/struts/taglib/html/RewriteTag.java
++++ b/src/share/org/apache/struts/taglib/html/RewriteTag.java
+@@ -24,6 +24,7 @@ import java.util.Map;
+ import javax.servlet.jsp.JspException;
+
+ import org.apache.struts.taglib.TagUtils;
++import org.apache.struts.util.ResponseUtils;
+
+ /**
+ * Generate a URL-encoded URI as a string.
+@@ -72,7 +73,8 @@ public class RewriteTag extends LinkTag {
+ (messages.getMessage("rewrite.url", e.toString()));
+ }
+
+- TagUtils.getInstance().write(pageContext, url);
++ TagUtils.getInstance().write(pageContext,
++ ResponseUtils.filterIfQuote(url));
+
+ return (SKIP_BODY);
+
+diff --git a/src/share/org/apache/struts/util/ResponseUtils.java b/src/share/org/apache/struts/util/ResponseUtils.java
+index 4588bb2..fe7e517 100644
+--- a/src/share/org/apache/struts/util/ResponseUtils.java
++++ b/src/share/org/apache/struts/util/ResponseUtils.java
+@@ -137,6 +137,37 @@ public class ResponseUtils {
+ }
+
+
++ /**
++ * Replace double-quote characters in the input string with
++ * proper HTML encoding.
++ *
++ * No other HTML-encoding is performed. As a result, the return value
++ * can only be safely used in (X)HTML attributes surrounded by
++ * double-quote characters (<code>"</code>).
++ *
++ * <p>Note that you should not use this function in new code.
++ * It is only intended for old code which needs to be
++ * backwards-compatible with incompletely-quoted attributes.
++ *
++ * @return a fresh string object if quoting is needed,
++ * otherwise the input string
++ */
++ public static String filterIfQuote(String value) {
++ if (value == null)
++ return null;
++ if (value.indexOf('"') >= 0) {
++ StringBuffer sb = new StringBuffer(value.length() + 2);
++ for (int i = 0; i < value.length(); ++i) {
++ final char ch = value.charAt(i);
++ if (ch == '"')
++ sb.append("&quot;");
++ else
++ sb.append(ch);
++ }
++ return sb.toString();
++ }
++ return value;
++ }
+
+
+ /**
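Review bot: In the embedded OptionsCollectionTag.java and OptionsTag.java changes, `sb.append(ResponseUtils.filterIfQuote(label));` emits the label immediately before `</option>`, which looks like element content, yet the Javadoc added to `filterIfQuote` says its result is only safe inside a double-quoted attribute. When `filter` is false the label therefore still reaches the page with `<`, `>` and `&` unencoded; RewriteTag is similar, since the filtered URL is written into whatever context the JSP author chose. If raw labels are kept for backward compatibility, a comment at both label sites such as `// filter=false: label is emitted as raw markup by design; only the quote is encoded` would make that limit explicit. Separately, the new guard in `prepareAttribute` and `renderAttribute` rejects only `"` in the attribute name, so a name containing whitespace, `=` or `>` would still pass, although the callers presumably supply constant names. The enclosing methods start outside the embedded hunks, so this is based on the visible lines only.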
diff --git a/dev-java/struts/struts-1.2.9-r3.ebuild b/dev-java/struts/struts-1.2.9-r3.ebuild
new file mode 100644
index 000000000000..cb6aa67c16fa
--- /dev/null
+++ b/dev-java/struts/struts-1.2.9-r3.ebuild
@@ -0,0 +1,84 @@
+# Copyright 1999-2009 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/dev-java/struts/struts-1.2.9-r3.ebuild,v 1.1 2009/08/24 08:12:12 a3li Exp $
+
+EAPI="2"
+JAVA_PKG_IUSE="doc examples source"
+WANT_ANT_TASKS="ant-trax"
+
+inherit java-pkg-2 java-ant-2
+
+MY_P="${P}-src"
+DESCRIPTION="A powerful Model View Controller Framework for JSP/Servlets"
+SRC_URI="mirror://apache/struts/source/${MY_P}.tar.gz"
+HOMEPAGE="http://jakarta.apache.org/struts/index.html"
+LICENSE="Apache-2.0"
+SLOT="1.2"
+COMMON_DEPS="
+ >=dev-java/antlr-2.7.7:0[java]
+ dev-java/commons-beanutils:1.7
+ >=dev-java/commons-collections-2.1:0
+ >=dev-java/commons-digester-1.5:0
+ >=dev-java/commons-fileupload-1.0:0
+ >=dev-java/commons-logging-1.0.4:0
+ >=dev-java/commons-validator-1.1.4:0
+ dev-java/jakarta-oro:2.0
+ java-virtuals/servlet-api:2.3"
+RDEPEND=">=virtual/jre-1.4
+ ${COMMON_DEPS}"
+DEPEND=">=virtual/jdk-1.4
+ ${COMMON_DEPS}"
+IUSE=""
+KEYWORDS="~amd64 ~ppc ~x86 ~x86-fbsd"
+
+S="${WORKDIR}/${MY_P}"
+
+src_prepare() {
+ epatch "${FILESDIR}/${PN}-CVE-2008-2025.patch"
+
+ java_prepare
+}
+
+java_prepare() {
+ # the build.xml expects this directory to exist
+ mkdir "${S}/lib"
+ cd "${S}/lib"
+
+ # No property exists for this
+ java-pkg_jar-from commons-collections
+}
+
+src_compile() {
+ local antflags="compile.library"
+
+ # In the order the build process asks for these
+ # They are copied in the build.xml to ${S}/target/library/
+ antflags="${antflags} -Dcommons-beanutils.jar=$(java-pkg_getjar commons-beanutils-1.7 commons-beanutils.jar)"
+ antflags="${antflags} -Dcommons-digester.jar=$(java-pkg_getjars commons-digester)"
+ antflags="${antflags} -Dcommons-fileupload.jar=$(java-pkg_getjars commons-fileupload)"
+ antflags="${antflags} -Dcommons-logging.jar=$(java-pkg_getjar commons-logging commons-logging.jar)"
+ antflags="${antflags} -Dcommons-validator.jar=$(java-pkg_getjars commons-validator)"
+ antflags="${antflags} -Djakarta-oro.jar=$(java-pkg_getjars jakarta-oro-2.0)"
+
+ # Needed to compile
+ antflags="${antflags} -Dservlet.jar=$(java-pkg_getjars servlet-api-2.3)"
+ antflags="${antflags} -Dantlr.jar=$(java-pkg_getjars antlr)"
+
+ # only needed for contrib stuff which we don't currently build
+# antflags="${antflags} -Dstruts-legacy.jar=$(java-pkg_getjars struts-legacy)"
+
+ eant ${antflags} $(use_doc compile.javadoc)
+}
+
+src_install() {
+ java-pkg_dojar target/library/${PN}.jar
+
+ #install the tld files
+ insinto /usr/share/${PN}-${SLOT}/lib
+ doins target/library/*.tld
+
+ dodoc README STATUS.txt || die
+ use doc && java-pkg_dohtml -r target/documentation/
+ use examples && java-pkg_doexamples src/example*
+ use source && java-pkg_dosrc src/share/*
+}
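Review bot: In `java_prepare`, `mkdir "${S}/lib"` and `cd "${S}/lib"` are unchecked, so if either fails, `java-pkg_jar-from commons-collections` runs in whatever directory is current and the build carries on. Both should abort explicitly: `mkdir "${S}/lib" || die` and `cd "${S}/lib" || die`. The same applies to `doins target/library/*.tld` in `src_install`, which has no `|| die` even though the `dodoc` line below it does. Under `EAPI="2"` install helpers do not stop the build on failure by themselves.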