- merged DEVEL

[packages/tomcat.git] / tomcat-CVE-2008-5515.patch

Index: container/catalina/src/share/org/apache/naming/resources/FileDirContext.java
===================================================================
--- container/catalina/src/share/org/apache/naming/resources/FileDirContext.java        (wersja 782756)
+++ container/catalina/src/share/org/apache/naming/resources/FileDirContext.java        (wersja 782757)
@@ -37,6 +37,7 @@
 import javax.naming.directory.ModificationItem;
 import javax.naming.directory.SearchControls;
 
+import org.apache.catalina.util.RequestUtil;
 import org.apache.naming.NamingContextBindingsEnumeration;
 import org.apache.naming.NamingContextEnumeration;
 import org.apache.naming.NamingEntry;
@@ -773,50 +774,10 @@
      */
     protected String normalize(String path) {
 
-    String normalized = path;
+        return RequestUtil.normalize(path, File.separatorChar == '\\');
 
-    // Normalize the slashes and add leading slash if necessary
-    if (File.separatorChar == '\\' && normalized.indexOf('\\') >= 0)
-        normalized = normalized.replace('\\', '/');
-    if (!normalized.startsWith("/"))
-        normalized = "/" + normalized;
-
-    // Resolve occurrences of "//" in the normalized path
-    while (true) {
-        int index = normalized.indexOf("//");
-        if (index < 0)
-        break;
-        normalized = normalized.substring(0, index) +
-        normalized.substring(index + 1);
     }
 
-    // Resolve occurrences of "/./" in the normalized path
-    while (true) {
-        int index = normalized.indexOf("/./");
-        if (index < 0)
-        break;
-        normalized = normalized.substring(0, index) +
-        normalized.substring(index + 2);
-    }
-
-    // Resolve occurrences of "/../" in the normalized path
-    while (true) {
-        int index = normalized.indexOf("/../");
-        if (index < 0)
-        break;
-        if (index == 0)
-        return (null);  // Trying to go outside our context
-        int index2 = normalized.lastIndexOf('/', index - 1);
-        normalized = normalized.substring(0, index2) +
-        normalized.substring(index + 3);
-    }
-
-    // Return the normalized path that we have completed
-    return (normalized);
-
-    }
-
-
     /**
      * Return a File object representing the specified normalized
      * context-relative path if it exists and is readable.  Otherwise,
Index: container/catalina/src/share/org/apache/catalina/core/ApplicationHttpRequest.java
===================================================================
--- container/catalina/src/share/org/apache/catalina/core/ApplicationHttpRequest.java   (wersja 782756)
+++ container/catalina/src/share/org/apache/catalina/core/ApplicationHttpRequest.java   (wersja 782757)
@@ -318,10 +318,9 @@
         int pos = requestPath.lastIndexOf('/');
         String relative = null;
         if (pos >= 0) {
-            relative = RequestUtil.normalize
-                (requestPath.substring(0, pos + 1) + path);
+            relative = requestPath.substring(0, pos + 1) + path;
         } else {
-            relative = RequestUtil.normalize(requestPath + path);
+            relative = requestPath + path;
         }
 
         return (context.getServletContext().getRequestDispatcher(relative));
Index: container/catalina/src/share/org/apache/catalina/core/ApplicationContext.java
===================================================================
--- container/catalina/src/share/org/apache/catalina/core/ApplicationContext.java       (wersja 782756)
+++ container/catalina/src/share/org/apache/catalina/core/ApplicationContext.java       (wersja 782757)
@@ -43,6 +43,7 @@
 import org.apache.catalina.Wrapper;
 import org.apache.catalina.deploy.ApplicationParameter;
 import org.apache.catalina.util.Enumerator;
+import org.apache.catalina.util.RequestUtil;
 import org.apache.catalina.util.ResourceSet;
 import org.apache.catalina.util.ServerInfo;
 import org.apache.catalina.util.StringManager;
@@ -388,7 +389,7 @@
             path = path.substring(0, pos); 
         }
  
-        path = normalize(path);
+        path = RequestUtil.normalize(path);
         if (path == null)
             return (null);
 
@@ -475,7 +476,7 @@
             throw new MalformedURLException(sm.getString("applicationContext.requestDispatcher.iae", path));
         }
         
-        path = normalize(path);
+        path = RequestUtil.normalize(path);
         if (path == null)
             return (null);
 
@@ -524,10 +525,13 @@
      */
     public InputStream getResourceAsStream(String path) {
 
-        path = normalize(path);
         if (path == null || !path.startsWith("/"))
             return (null);
 
+        path = RequestUtil.normalize(path);
+        if (path == null)
+            return null;
+
         DirContext resources = context.getResources();
         if (resources != null) {
             try {
@@ -560,7 +564,7 @@
                 (sm.getString("applicationContext.resourcePaths.iae", path));
         }
 
-        path = normalize(path);
+        path = RequestUtil.normalize(path);
         if (path == null)
             return (null);
 
@@ -870,45 +874,6 @@
 
 
     /**
-     * Return a context-relative path, beginning with a "/", that represents
-     * the canonical version of the specified path after ".." and "." elements
-     * are resolved out.  If the specified path attempts to go outside the
-     * boundaries of the current context (i.e. too many ".." path elements
-     * are present), return <code>null</code> instead.
-     *
-     * @param path Path to be normalized
-     */
-    private String normalize(String path) {
-
-        if (path == null) {
-            return null;
-        }
-
-        String normalized = path;
-
-        // Normalize the slashes
-        if (normalized.indexOf('\\') >= 0)
-            normalized = normalized.replace('\\', '/');
-
-        // Resolve occurrences of "/../" in the normalized path
-        while (true) {
-            int index = normalized.indexOf("/../");
-            if (index < 0)
-                break;
-            if (index == 0)
-                return (null);  // Trying to go outside our context
-            int index2 = normalized.lastIndexOf('/', index - 1);
-            normalized = normalized.substring(0, index2) +
-                normalized.substring(index + 3);
-        }
-
-        // Return the normalized path that we have completed
-        return (normalized);
-
-    }
-
-
-    /**
      * Merge the context initialization parameters specified in the application
      * deployment descriptor with the application parameters described in the
      * server configuration, respecting the <code>override</code> property of
Index: container/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java
===================================================================
--- container/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java        (wersja 782756)
+++ container/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java        (wersja 782757)
@@ -1369,76 +1369,6 @@
         resp.setStatus(WebdavStatus.SC_NO_CONTENT);
     }
 
-    /**
-     * Return a context-relative path, beginning with a "/", that represents
-     * the canonical version of the specified path after ".." and "." elements
-     * are resolved out.  If the specified path attempts to go outside the
-     * boundaries of the current context (i.e. too many ".." path elements
-     * are present), return <code>null</code> instead.
-     *
-     * @param path Path to be normalized
-     */
-    protected String normalize(String path) {
-        if (path == null) {
-            return null;
-        }
-
-        // Create a place for the normalized path
-        String normalized = path;
-
-        if (normalized.equals("/.")) {
-            return "/";
-        }
-
-        // Normalize the slashes and add leading slash if necessary
-        if (normalized.indexOf('\\') >= 0) {
-            normalized = normalized.replace('\\', '/');
-        }
-
-        if (!normalized.startsWith("/")) {
-            normalized = "/" + normalized;
-        }
-
-        // Resolve occurrences of "//" in the normalized path
-        while (true) {
-            int index = normalized.indexOf("//");
-            if (index < 0) {
-                break;
-            }
-            normalized = normalized.substring(0, index) +
-                normalized.substring(index + 1);
-        }
-
-        // Resolve occurrences of "/./" in the normalized path
-        while (true) {
-            int index = normalized.indexOf("/./");
-            if (index < 0) {
-                break;
-            }
-            normalized = normalized.substring(0, index) +
-                normalized.substring(index + 2);
-        }
-
-        // Resolve occurrences of "/../" in the normalized path
-        while (true) {
-            int index = normalized.indexOf("/../");
-            if (index < 0) {
-                break;
-            }
-            if (index == 0) {
-                return (null);  // Trying to go outside our context
-            }
-
-            int index2 = normalized.lastIndexOf('/', index - 1);
-            normalized = normalized.substring(0, index2) +
-                normalized.substring(index + 3);
-        }
-
-        // Return the normalized path that we have completed
-        return (normalized);
-    }
-
-
     // -------------------------------------------------------- Private Methods
 
     /**
@@ -1589,7 +1519,7 @@
         }
 
         // Normalise destination path (remove '.' and '..')
-        destinationPath = normalize(destinationPath);
+        destinationPath = RequestUtil.normalize(destinationPath);
 
         String contextPath = req.getContextPath();
         if ((contextPath != null) &&
@@ -2347,7 +2277,8 @@
         if (!toAppend.startsWith("/"))
             toAppend = "/" + toAppend;
 
-        generatedXML.writeText(rewriteUrl(normalize(absoluteUri + toAppend)));
+        generatedXML.writeText(rewriteUrl(RequestUtil.normalize(
+                absoluteUri + toAppend)));
 
         generatedXML.writeElement(null, "href", XMLWriter.CLOSING);
 
Index: container/catalina/src/share/org/apache/catalina/connector/Request.java
===================================================================
--- container/catalina/src/share/org/apache/catalina/connector/Request.java     (wersja 782756)
+++ container/catalina/src/share/org/apache/catalina/connector/Request.java     (wersja 782757)
@@ -1243,10 +1243,9 @@
         int pos = requestPath.lastIndexOf('/');
         String relative = null;
         if (pos >= 0) {
-            relative = RequestUtil.normalize
-                (requestPath.substring(0, pos + 1) + path);
+            relative = requestPath.substring(0, pos + 1) + path;
         } else {
-            relative = RequestUtil.normalize(requestPath + path);
+            relative = requestPath + path;
         }
 
         return (context.getServletContext().getRequestDispatcher(relative));
Index: container/catalina/src/share/org/apache/catalina/ssi/SSIServletRequestUtil.java
===================================================================
--- container/catalina/src/share/org/apache/catalina/ssi/SSIServletRequestUtil.java     (wersja 782756)
+++ container/catalina/src/share/org/apache/catalina/ssi/SSIServletRequestUtil.java     (wersja 782757)
@@ -48,7 +48,7 @@
         if ((result == null) || (result.equals(""))) {
             result = "/";
         }
-        return normalize(result);
+        return RequestUtil.normalize(result);
     }
 
 
@@ -64,15 +64,9 @@
      * 
      * @param path
      *            Path to be normalized
+     * @deprecated
      */
     public static String normalize(String path) {
-        if (path == null) return null;
-        String normalized = path;
-        //Why doesn't RequestUtil do this??
-        // Normalize the slashes and add leading slash if necessary
-        if (normalized.indexOf('\\') >= 0)
-            normalized = normalized.replace('\\', '/');
-        normalized = RequestUtil.normalize(path);
-        return normalized;
+        return RequestUtil.normalize(path);
     }
 }
\ No newline at end of file
Index: container/catalina/src/share/org/apache/catalina/ssi/SSIServletExternalResolver.java
===================================================================
--- container/catalina/src/share/org/apache/catalina/ssi/SSIServletExternalResolver.java        (wersja 782756)
+++ container/catalina/src/share/org/apache/catalina/ssi/SSIServletExternalResolver.java        (wersja 782757)
@@ -32,6 +32,7 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import org.apache.catalina.connector.Request;
+import org.apache.catalina.util.RequestUtil;
 import org.apache.coyote.Constants;
 
 /**
@@ -373,7 +374,7 @@
                     + pathWithoutContext);
         }
         String fullPath = prefix + path;
-        String retVal = SSIServletRequestUtil.normalize(fullPath);
+        String retVal = RequestUtil.normalize(fullPath);
         if (retVal == null) {
             throw new IOException("Normalization yielded null on path: "
                     + fullPath);
@@ -406,7 +407,7 @@
             return new ServletContextAndPath(context,
                     getAbsolutePath(virtualPath));
         } else {
-            String normalized = SSIServletRequestUtil.normalize(virtualPath);
+            String normalized = RequestUtil.normalize(virtualPath);
             if (isVirtualWebappRelative) {
                 return new ServletContextAndPath(context, normalized);
             } else {
Index: container/catalina/src/share/org/apache/catalina/util/RequestUtil.java
===================================================================
--- container/catalina/src/share/org/apache/catalina/util/RequestUtil.java      (wersja 782756)
+++ container/catalina/src/share/org/apache/catalina/util/RequestUtil.java      (wersja 782757)
@@ -147,13 +147,29 @@
      * @param path Relative path to be normalized
      */
     public static String normalize(String path) {
+        return normalize(path, true);
+    }
 
+    /**
+     * Normalize a relative URI path that may have relative values ("/./",
+     * "/../", and so on ) it it.  <strong>WARNING</strong> - This method is
+     * useful only for normalizing application-generated paths.  It does not
+     * try to perform security checks for malicious input.
+     *
+     * @param path Relative path to be normalized
+     * @param replaceBackSlash Should '\\' be replaced with '/'
+     */
+    public static String normalize(String path, boolean replaceBackSlash) {
+
         if (path == null)
             return null;
 
         // Create a place for the normalized path
         String normalized = path;
 
+        if (replaceBackSlash && normalized.indexOf('\\') >= 0)
+            normalized = normalized.replace('\\', '/');
+
         if (normalized.equals("/."))
             return "/";