Improve patch for WebDAV issue.

author markt <markt@13f79535-47bb-0310-9956-ffa450edef68>

Mon, 22 Oct 2007 13:19:05 +0000 (13:19 +0000)

committer markt <markt@13f79535-47bb-0310-9956-ffa450edef68>

Mon, 22 Oct 2007 13:19:05 +0000 (13:19 +0000)
author markt <markt@13f79535-47bb-0310-9956-ffa450edef68>
Mon, 22 Oct 2007 13:19:05 +0000 (13:19 +0000)
committer markt <markt@13f79535-47bb-0310-9956-ffa450edef68>
Mon, 22 Oct 2007 13:19:05 +0000 (13:19 +0000)
diff --git a/STATUS b/STATUS

index e7fd24f..7d33410 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -37,12 +37,6 @@ PATCHES PROPOSED TO BACKPORT:
    +1: fhanik
    -1: 
  
-* Improve fix for webdav vulnerability to workaround what looks like a parser
-  bug
-  http://people.apache.org/~markt/patches/2007-10-20-webdav.patch
-  +1: markt,fhanik, remm
-  -1:
-
  * Fix possible DoS condition for the experimental NIO/AJP module (reported by William Leung via email)
    http://issues.apache.org/bugzilla/show_bug.cgi?id=43621
    +1: billbarker,fhanik
diff --git a/java/org/apache/catalina/servlets/LocalStrings.properties b/java/org/apache/catalina/servlets/LocalStrings.properties

index 3533783..a97b32c 100644 (file)
--- a/java/org/apache/catalina/servlets/LocalStrings.properties
+++ b/java/org/apache/catalina/servlets/LocalStrings.properties
@@ -25,6 +25,7 @@ invokerServlet.invalidPath=No servlet name or class was specified in path {0}
  invokerServlet.notNamed=Cannot call invoker servlet with a named dispatcher
  invokerServlet.noWrapper=Container has not called setWrapper() for this servlet
  webdavservlet.jaxpfailed=JAXP initialization failed
+webdavservlet.enternalEntityIgnored=The request included a reference to an external entity with PublicID {0} and SystemID {1} which was ignored
  directory.filename=Filename
  directory.lastModified=Last Modified
  directory.parent=Up To {0}
diff --git a/java/org/apache/catalina/servlets/WebdavServlet.java b/java/org/apache/catalina/servlets/WebdavServlet.java

index 521c646..d451e9c 100644 (file)
--- a/java/org/apache/catalina/servlets/WebdavServlet.java
+++ b/java/org/apache/catalina/servlets/WebdavServlet.java
@@ -20,6 +20,7 @@ package org.apache.catalina.servlets;
  
  
  import java.io.IOException;
+import java.io.StringReader;
  import java.io.StringWriter;
  import java.io.Writer;
  import java.security.MessageDigest;
@@ -36,6 +37,7 @@ import javax.naming.NameClassPair;
  import javax.naming.NamingEnumeration;
  import javax.naming.NamingException;
  import javax.naming.directory.DirContext;
+import javax.servlet.ServletContext;
  import javax.servlet.ServletException;
  import javax.servlet.UnavailableException;
  import javax.servlet.http.HttpServletRequest;
@@ -57,6 +59,7 @@ import org.w3c.dom.Document;
  import org.w3c.dom.Element;
  import org.w3c.dom.Node;
  import org.w3c.dom.NodeList;
+import org.xml.sax.EntityResolver;
  import org.xml.sax.InputSource;
  import org.xml.sax.SAXException;
  
@@ -245,6 +248,8 @@ public class WebdavServlet
              documentBuilderFactory.setNamespaceAware(true);
              documentBuilderFactory.setExpandEntityReferences(false);
              documentBuilder = documentBuilderFactory.newDocumentBuilder();
+            documentBuilder.setEntityResolver(
+                    new WebdavResolver(this.getServletContext()));
          } catch(ParserConfigurationException e) {
              throw new ServletException
                  (sm.getString("webdavservlet.jaxpfailed"));
@@ -2779,6 +2784,26 @@ public class WebdavServlet
      }
  
  
+    // --------------------------------------------- WebdavResolver Inner Class
+    /**
+     * Work around for XML parsers that don't fully respect
+     * {@link DocumentBuilderFactory#setExpandEntityReferences(false)}. External
+     * references are filtered out for security reasons. See CVE-2007-5461.
+     */
+    private class WebdavResolver implements EntityResolver {
+        private ServletContext context;
+        
+        public WebdavResolver(ServletContext theContext) {
+            context = theContext;
+        }
+     
+        public InputSource resolveEntity (String publicId, String systemId) {
+            context.log(sm.getString("webdavservlet.enternalEntityIgnored",
+                    publicId, systemId));
+            return new InputSource(
+                    new StringReader("Ignored external entity"));
+        }
+    }
  };
  
  
@@ -3101,3 +3126,4 @@ class WebdavStatus {
  
  };
  
+
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml

index 6979acc..035b89c 100644 (file)
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -172,7 +172,7 @@
        </fix>
        <fix>
          Fix CVE-2007-5461, an important information disclosure vulnerability in
-        the WebDAV Servlet. (markt)
+        the WebDAV Servlet. Based on a patch by Marc Schoenefeld. (markt)
        </fix>
        <fix>
          <bug>42979</bug>: Update sample.war to include recent security fixes
author	markt <markt@13f79535-47bb-0310-9956-ffa450edef68>
	Mon, 22 Oct 2007 13:19:05 +0000 (13:19 +0000)
committer	markt <markt@13f79535-47bb-0310-9956-ffa450edef68>
	Mon, 22 Oct 2007 13:19:05 +0000 (13:19 +0000)
STATUS		patch \| blob \| history
java/org/apache/catalina/servlets/LocalStrings.properties		patch \| blob \| history
java/org/apache/catalina/servlets/WebdavServlet.java		patch \| blob \| history
webapps/docs/changelog.xml		patch \| blob \| history