File apache-tomcat-CVE-2007-5333.patch of Package tomcat55

Overview Repositories Revisions Requests Users Attributes Meta

File apache-tomcat-CVE-2007-5333.patch of Package tomcat55

--- apache-tomcat-5.5.23-src/connectors/coyote/src/java/org/apache/coyote/tomcat4/CoyoteAdapter.java
+++ apache-tomcat-5.5.23-src/connectors/coyote/src/java/org/apache/coyote/tomcat4/CoyoteAdapter.java
@@ -376,14 +376,20 @@
                 }
             }
             try {
-                Cookie cookie = new Cookie(scookie.getName().toString(),
-                                           scookie.getValue().toString());
-                cookie.setPath(scookie.getPath().toString());
-                cookie.setVersion(scookie.getVersion());
+                // CVE-2007-5333 (bnc#360502)
+                /*
+                we must unescape the '\\' escape character
+                */
+                Cookie cookie = new Cookie(scookie.getName().toString(), null);
+                int version = scookie.getVersion();
+                cookie.setVersion(version);
+                cookie.setValue(unescape(scookie.getValue().toString()));
+                cookie.setPath(unescape(scookie.getPath().toString()));
                 String domain = scookie.getDomain().toString();
-                if (domain != null) {
-                    cookie.setDomain(scookie.getDomain().toString());
-                }
+                // CVE-2007-5333 (bnc#360502)
+                if (domain != null) cookie.setDomain(unescape(domain));
+                String comment = scookie.getComment().toString();
+                cookie.setComment(version==1?unescape(comment):null);
                 cookies[idx++] = cookie;
             } catch(Exception ex) {
                 log("Bad Cookie Name: " + scookie.getName() + 
@@ -400,6 +406,23 @@
 
     }
 
+    protected String unescape(String s) {
+        if (s==null) return null;
+        if (s.indexOf('\\') == -1) return s;
+        StringBuffer buf = new StringBuffer();
+        for (int i=0; i<s.length(); i++) {
+            char c = s.charAt(i);
+            if (c!='\\') buf.append(c);
+            else {
+                if (++i >= s.length()) throw new IllegalArgumentException();//invalid escape, hence invalid cookie
+                c = s.charAt(i);
+                buf.append(c);
+            }
+        }
+        return buf.toString();
+    }
+    
+    
 
     /**
      * Return a context-relative path, beginning with a "/", that represents
--- apache-tomcat-5.5.23-src/connectors/coyote/src/java/org/apache/coyote/tomcat4/CoyoteResponse.java
+++ apache-tomcat-5.5.23-src/connectors/coyote/src/java/org/apache/coyote/tomcat4/CoyoteResponse.java
@@ -796,18 +796,20 @@
         if (included)
             return;
 
-        cookies.add(cookie);
-
         StringBuffer sb = new StringBuffer();
+        // CVE-2007-5333 (bnc#360205)
+        //web application code can receive a IllegalArgumentException 
+        //from the appendCookieValue invokation
         ServerCookie.appendCookieValue
             (sb, cookie.getVersion(), cookie.getName(), cookie.getValue(),
              cookie.getPath(), cookie.getDomain(), cookie.getComment(), 
              cookie.getMaxAge(), cookie.getSecure());
+        // if we reached here, no exception, cookie is valid
         // the header name is Set-Cookie for both "old" and v.1 ( RFC2109 )
         // RFC2965 is not supported by browsers and the Servlet spec
         // asks for 2109.
         addHeader("Set-Cookie", sb.toString());
-
+        cookies.add(cookie);
     }

Places

File apache-tomcat-CVE-2007-5333.patch of Package tomcat55

Places