From: markt <markt@13f79535-47bb-0310-9956-ffa450edef68>
Date: Mon, 22 Oct 2007 13:19:05 +0000 (+0000)
Subject: Improve patch for WebDAV issue.
X-Git-Url: https://git.internetallee.de/?a=commitdiff_plain;h=05f852b6a3c946e668fcc63af8c665d77eb12c12;p=tomcat7.0

Improve patch for WebDAV issue.

git-svn-id: https://svn.apache.org/repos/asf/tomcat/tc6.0.x/trunk@587082 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/STATUS b/STATUS
index e7fd24f44..7d3341067 100644
--- a/STATUS
+++ b/STATUS
@@ -37,12 +37,6 @@ PATCHES PROPOSED TO BACKPORT:
   +1: fhanik
   -1: 
 
-* Improve fix for webdav vulnerability to workaround what looks like a parser
-  bug
-  http://people.apache.org/~markt/patches/2007-10-20-webdav.patch
-  +1: markt,fhanik, remm
-  -1:
-
 * Fix possible DoS condition for the experimental NIO/AJP module (reported by William Leung via email)
   http://issues.apache.org/bugzilla/show_bug.cgi?id=43621
   +1: billbarker,fhanik
diff --git a/java/org/apache/catalina/servlets/LocalStrings.properties b/java/org/apache/catalina/servlets/LocalStrings.properties
index 35337831d..a97b32ce1 100644
--- a/java/org/apache/catalina/servlets/LocalStrings.properties
+++ b/java/org/apache/catalina/servlets/LocalStrings.properties
@@ -25,6 +25,7 @@ invokerServlet.invalidPath=No servlet name or class was specified in path {0}
 invokerServlet.notNamed=Cannot call invoker servlet with a named dispatcher
 invokerServlet.noWrapper=Container has not called setWrapper() for this servlet
 webdavservlet.jaxpfailed=JAXP initialization failed
+webdavservlet.enternalEntityIgnored=The request included a reference to an external entity with PublicID {0} and SystemID {1} which was ignored
 directory.filename=Filename
 directory.lastModified=Last Modified
 directory.parent=Up To {0}
diff --git a/java/org/apache/catalina/servlets/WebdavServlet.java b/java/org/apache/catalina/servlets/WebdavServlet.java
index 521c646df..d451e9c9f 100644
--- a/java/org/apache/catalina/servlets/WebdavServlet.java
+++ b/java/org/apache/catalina/servlets/WebdavServlet.java
@@ -20,6 +20,7 @@ package org.apache.catalina.servlets;
 
 
 import java.io.IOException;
+import java.io.StringReader;
 import java.io.StringWriter;
 import java.io.Writer;
 import java.security.MessageDigest;
@@ -36,6 +37,7 @@ import javax.naming.NameClassPair;
 import javax.naming.NamingEnumeration;
 import javax.naming.NamingException;
 import javax.naming.directory.DirContext;
+import javax.servlet.ServletContext;
 import javax.servlet.ServletException;
 import javax.servlet.UnavailableException;
 import javax.servlet.http.HttpServletRequest;
@@ -57,6 +59,7 @@ import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
+import org.xml.sax.EntityResolver;
 import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;
 
@@ -245,6 +248,8 @@ public class WebdavServlet
             documentBuilderFactory.setNamespaceAware(true);
             documentBuilderFactory.setExpandEntityReferences(false);
             documentBuilder = documentBuilderFactory.newDocumentBuilder();
+            documentBuilder.setEntityResolver(
+                    new WebdavResolver(this.getServletContext()));
         } catch(ParserConfigurationException e) {
             throw new ServletException
                 (sm.getString("webdavservlet.jaxpfailed"));
@@ -2779,6 +2784,26 @@ public class WebdavServlet
     }
 
 
+    // --------------------------------------------- WebdavResolver Inner Class
+    /**
+     * Work around for XML parsers that don't fully respect
+     * {@link DocumentBuilderFactory#setExpandEntityReferences(false)}. External
+     * references are filtered out for security reasons. See CVE-2007-5461.
+     */
+    private class WebdavResolver implements EntityResolver {
+        private ServletContext context;
+        
+        public WebdavResolver(ServletContext theContext) {
+            context = theContext;
+        }
+     
+        public InputSource resolveEntity (String publicId, String systemId) {
+            context.log(sm.getString("webdavservlet.enternalEntityIgnored",
+                    publicId, systemId));
+            return new InputSource(
+                    new StringReader("Ignored external entity"));
+        }
+    }
 };
 
 
@@ -3101,3 +3126,4 @@ class WebdavStatus {
 
 };
 
+
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 6979accb5..035b89c38 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -172,7 +172,7 @@
       </fix>
       <fix>
         Fix CVE-2007-5461, an important information disclosure vulnerability in
-        the WebDAV Servlet. (markt)
+        the WebDAV Servlet. Based on a patch by Marc Schoenefeld. (markt)
       </fix>
       <fix>
         <bug>42979</bug>: Update sample.war to include recent security fixes