From ead77d044f1246027ae7b6b2980f73aeeeb712a21a2514edb3d7757ca93f2faa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?= Date: Fri, 3 May 2024 11:00:29 +0200 Subject: [PATCH] Sync from SUSE:SLFO:Main apache-commons-httpclient revision 7d1a442e43871efa726c4b0b3d58bebd --- .gitattributes | 23 ++ apache-commons-httpclient-CVE-2014-3577.patch | 92 +++++ apache-commons-httpclient-CVE-2015-5262.patch | 35 ++ ...e-commons-httpclient-addosgimanifest.patch | 31 ++ ...ommons-httpclient-disablecryptotests.patch | 20 + apache-commons-httpclient-encoding.patch | 34 ++ apache-commons-httpclient.changes | 80 ++++ apache-commons-httpclient.spec | 206 ++++++++++ commons-httpclient-3.1-src.tar.gz | 3 + commons-httpclient-3.1.pom | 254 ++++++++++++ commons-httpclient-CVE-2012-5783-2.patch | 369 ++++++++++++++++++ 11 files changed, 1147 insertions(+) create mode 100644 .gitattributes create mode 100644 apache-commons-httpclient-CVE-2014-3577.patch create mode 100644 apache-commons-httpclient-CVE-2015-5262.patch create mode 100644 apache-commons-httpclient-addosgimanifest.patch create mode 100644 apache-commons-httpclient-disablecryptotests.patch create mode 100644 apache-commons-httpclient-encoding.patch create mode 100644 apache-commons-httpclient.changes create mode 100644 apache-commons-httpclient.spec create mode 100644 commons-httpclient-3.1-src.tar.gz create mode 100644 commons-httpclient-3.1.pom create mode 100644 commons-httpclient-CVE-2012-5783-2.patch diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/apache-commons-httpclient-CVE-2014-3577.patch b/apache-commons-httpclient-CVE-2014-3577.patch new file mode 100644 index 0000000..00811cf --- /dev/null +++ b/apache-commons-httpclient-CVE-2014-3577.patch @@ -0,0 +1,92 @@ +From 1bef0d6f6e8f2f68e996737d7be598613e2060b2 Mon Sep 17 00:00:00 2001 +From: Fabio Valentini +Date: Sat, 18 Jul 2020 19:48:08 +0200 +Subject: [PATCH 4/6] CVE-2014-3577 + +--- + .../protocol/SSLProtocolSocketFactory.java | 57 ++++++++++++------- + 1 file changed, 37 insertions(+), 20 deletions(-) + +diff --git a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java +index fa0acc7..e6ce513 100644 +--- a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java ++++ b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java +@@ -44,9 +44,15 @@ import java.util.Iterator; + import java.util.LinkedList; + import java.util.List; + import java.util.Locale; +-import java.util.StringTokenizer; ++import java.util.NoSuchElementException; + import java.util.regex.Pattern; + ++import javax.naming.InvalidNameException; ++import javax.naming.NamingException; ++import javax.naming.directory.Attribute; ++import javax.naming.directory.Attributes; ++import javax.naming.ldap.LdapName; ++import javax.naming.ldap.Rdn; + import javax.net.ssl.SSLException; + import javax.net.ssl.SSLSession; + import javax.net.ssl.SSLSocket; +@@ -424,28 +430,39 @@ public class SSLProtocolSocketFactory implements SecureProtocolSocketFactory { + return dots; + } + +- private static String getCN(X509Certificate cert) { +- // Note: toString() seems to do a better job than getName() +- // +- // For example, getName() gives me this: +- // 1.2.840.113549.1.9.1=#16166a756c6975736461766965734063756362632e636f6d +- // +- // whereas toString() gives me this: +- // EMAILADDRESS=juliusdavies@cucbc.com +- String subjectPrincipal = cert.getSubjectX500Principal().toString(); +- +- return getCN(subjectPrincipal); +- ++ private static String getCN(final X509Certificate cert) { ++ final String subjectPrincipal = cert.getSubjectX500Principal().toString(); ++ try { ++ return extractCN(subjectPrincipal); ++ } catch (SSLException ex) { ++ return null; ++ } + } +- private static String getCN(String subjectPrincipal) { +- StringTokenizer st = new StringTokenizer(subjectPrincipal, ","); +- while(st.hasMoreTokens()) { +- String tok = st.nextToken().trim(); +- if (tok.length() > 3) { +- if (tok.substring(0, 3).equalsIgnoreCase("CN=")) { +- return tok.substring(3); ++ ++ private static String extractCN(final String subjectPrincipal) throws SSLException { ++ if (subjectPrincipal == null) { ++ return null; ++ } ++ try { ++ final LdapName subjectDN = new LdapName(subjectPrincipal); ++ final List rdns = subjectDN.getRdns(); ++ for (int i = rdns.size() - 1; i >= 0; i--) { ++ final Rdn rds = rdns.get(i); ++ final Attributes attributes = rds.toAttributes(); ++ final Attribute cn = attributes.get("cn"); ++ if (cn != null) { ++ try { ++ final Object value = cn.get(); ++ if (value != null) { ++ return value.toString(); ++ } ++ } catch (NoSuchElementException ignore) { ++ } catch (NamingException ignore) { ++ } + } + } ++ } catch (InvalidNameException e) { ++ throw new SSLException(subjectPrincipal + " is not a valid X500 distinguished name"); + } + return null; + } +-- +2.26.2 + diff --git a/apache-commons-httpclient-CVE-2015-5262.patch b/apache-commons-httpclient-CVE-2015-5262.patch new file mode 100644 index 0000000..56a42e6 --- /dev/null +++ b/apache-commons-httpclient-CVE-2015-5262.patch @@ -0,0 +1,35 @@ +From a42239d4dbf88dc577061203c234a91d847a8615 Mon Sep 17 00:00:00 2001 +From: Fabio Valentini +Date: Sat, 18 Jul 2020 19:48:18 +0200 +Subject: [PATCH 5/6] CVE-2015-5262 + +--- + .../httpclient/protocol/SSLProtocolSocketFactory.java | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java +index e6ce513..b7550a2 100644 +--- a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java ++++ b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java +@@ -152,7 +152,9 @@ public class SSLProtocolSocketFactory implements SecureProtocolSocketFactory { + } + int timeout = params.getConnectionTimeout(); + if (timeout == 0) { +- Socket sslSocket = createSocket(host, port, localAddress, localPort); ++ Socket sslSocket = SSLSocketFactory.getDefault().createSocket( ++ host, port, localAddress, localPort); ++ sslSocket.setSoTimeout(params.getSoTimeout()); + verifyHostName(host, (SSLSocket) sslSocket); + return sslSocket; + } else { +@@ -163,6 +165,7 @@ public class SSLProtocolSocketFactory implements SecureProtocolSocketFactory { + sslSocket = ControllerThreadSocketFactory.createSocket( + this, host, port, localAddress, localPort, timeout); + } ++ sslSocket.setSoTimeout(params.getSoTimeout()); + verifyHostName(host, (SSLSocket) sslSocket); + return sslSocket; + } +-- +2.26.2 + diff --git a/apache-commons-httpclient-addosgimanifest.patch b/apache-commons-httpclient-addosgimanifest.patch new file mode 100644 index 0000000..b2adc73 --- /dev/null +++ b/apache-commons-httpclient-addosgimanifest.patch @@ -0,0 +1,31 @@ +--- MANIFEST.MF 2007-09-06 12:31:02.000000000 -0400 ++++ MANIFEST.MF 2007-09-06 12:30:45.000000000 -0400 +@@ -3,4 +3,27 @@ + Specification-Version: 1.0 + Implementation-Vendor: Apache Software Foundation + Implementation-Version: @version@ +- ++Bundle-ManifestVersion: 2 ++Bundle-Name: %bundleName ++Bundle-SymbolicName: org.apache.commons.httpclient ++Bundle-Version: 3.1.0.v20080605-1935 ++Import-Package: javax.crypto;resolution:=optional, ++ javax.crypto.spec;resolution:=optional, ++ javax.net;resolution:=optional, ++ javax.net.ssl;resolution:=optional, ++ org.apache.commons.codec;version="[1.2.0,2.0.0)", ++ org.apache.commons.codec.binary;version="[1.2.0,2.0.0)", ++ org.apache.commons.codec.net;version="[1.2.0,2.0.0)", ++ org.apache.commons.logging;version="[1.0.4,2.0.0)" ++Export-Package: org.apache.commons.httpclient;version="3.1.0", ++ org.apache.commons.httpclient.auth;version="3.1.0", ++ org.apache.commons.httpclient.cookie;version="3.1.0", ++ org.apache.commons.httpclient.methods;version="3.1.0", ++ org.apache.commons.httpclient.methods.multipart;version="3.1.0", ++ org.apache.commons.httpclient.params;version="3.1.0", ++ org.apache.commons.httpclient.protocol;version="3.1.0", ++ org.apache.commons.httpclient.util;version="3.1.0" ++Bundle-Vendor: %bundleProvider ++Bundle-Localization: plugin ++Bundle-RequiredExecutionEnvironment: CDC-1.0/Foundation-1.0, ++ J2SE-1.2 diff --git a/apache-commons-httpclient-disablecryptotests.patch b/apache-commons-httpclient-disablecryptotests.patch new file mode 100644 index 0000000..75e38e1 --- /dev/null +++ b/apache-commons-httpclient-disablecryptotests.patch @@ -0,0 +1,20 @@ +--- ./src/test/org/apache/commons/httpclient/params/TestParamsAll.java.sav 2006-07-20 18:42:17.000000000 -0400 ++++ ./src/test/org/apache/commons/httpclient/params/TestParamsAll.java 2006-07-20 18:42:26.000000000 -0400 +@@ -43,7 +43,6 @@ + public static Test suite() { + TestSuite suite = new TestSuite(); + suite.addTest(TestHttpParams.suite()); +- suite.addTest(TestSSLTunnelParams.suite()); + return suite; + } + +--- ./src/test/org/apache/commons/httpclient/TestAll.java.sav 2006-07-20 18:42:56.000000000 -0400 ++++ ./src/test/org/apache/commons/httpclient/TestAll.java 2006-07-20 18:43:01.000000000 -0400 +@@ -100,7 +100,6 @@ + // Non compliant behaviour + suite.addTest(TestNoncompliant.suite()); + // Proxy +- suite.addTest(TestProxy.suite()); + suite.addTest(TestProxyWithRedirect.suite()); + return suite; + } diff --git a/apache-commons-httpclient-encoding.patch b/apache-commons-httpclient-encoding.patch new file mode 100644 index 0000000..fed1669 --- /dev/null +++ b/apache-commons-httpclient-encoding.patch @@ -0,0 +1,34 @@ +--- build.xml 2007-08-18 05:02:14.000000000 -0400 ++++ build.xml 2012-01-23 09:52:50.405796336 -0500 +@@ -179,6 +179,7 @@ + description="Compile shareable components"> + +@@ -186,6 +187,7 @@ + + +@@ -197,6 +199,7 @@ + description="Compile unit test cases"> + +@@ -244,6 +244,7 @@ + + + +- Security fix [bsc#945190, CVE-2015-5262] + * http/conn/ssl/SSLConnectionSocketFactory.java ignores the + http.socket.timeout configuration setting during an SSL handshake, + which allows remote attackers to cause a denial of service (HTTPS + call hang) via unspecified vectors. +- Add apache-commons-httpclient-CVE-2015-5262.patch + +------------------------------------------------------------------- +Tue Oct 27 10:38:45 UTC 2020 - Pedro Monreal + +- Security fix [bsc#1178171, CVE-2014-3577] + * org.apache.http.conn.ssl.AbstractVerifier does not properly + verify that the server hostname matches a domain name in the + subject's Common Name (CN) or subjectAltName field of the X.509 + certificate, which allows MITM attackers to spoof SSL servers + via a "CN=" string in a field in the distinguished name (DN) + of a certificate. +- Add apache-commons-httpclient-CVE-2014-3577.patch + +------------------------------------------------------------------- +Mon Apr 1 23:15:55 UTC 2019 - Jan Engelhardt + +- Trim conjecture from description. + +------------------------------------------------------------------- +Mon Jan 21 15:28:32 UTC 2019 - Fridrich Strba + +- Add maven pom file and clean-up the spec file + +------------------------------------------------------------------- +Tue May 15 10:34:34 UTC 2018 - fstrba@suse.com + +- Build with source and target 8 to prepare for a possible removal + of 1.6 compatibility +- Run fdupes on documentation + +------------------------------------------------------------------- +Thu Sep 7 11:49:25 UTC 2017 - fstrba@suse.com + +- Build with java source and target versions 1.6 + * fixes build with jdk9 + +------------------------------------------------------------------- +Tue Jul 8 08:23:35 UTC 2014 - tchvatal@suse.com + +- Redo the bytcode disabling properly. +- Cleanup with spec-cleaner + +------------------------------------------------------------------- +Mon Apr 14 17:24:13 UTC 2014 - darin@darins.net + +- disable bytecode test on SLES + +------------------------------------------------------------------- +Fri Oct 25 08:30:33 UTC 2013 - mvyskocil@suse.com + +- really apply CVE-2012-5783 patch +- build with java 6 and higher + +------------------------------------------------------------------- +Thu Mar 28 10:54:13 UTC 2013 - mvyskocil@suse.com + +- enhance fix of bnc#803332 / CVE-2012-5783 + * add a check for subjectAltNames for instance + +------------------------------------------------------------------- +Thu Feb 14 09:10:48 UTC 2013 - mvyskocil@suse.com + +- fix bnc#803332: no ssl certificate hostname checking (CVE-2012-5783) + * commons-httpclient-CVE-2012-5783.patch +- add jakarta- compat symlinks + +------------------------------------------------------------------- +Sun Feb 3 20:07:59 UTC 2013 - p.drouand@gmail.com + +- Initial release + diff --git a/apache-commons-httpclient.spec b/apache-commons-httpclient.spec new file mode 100644 index 0000000..ae174ff --- /dev/null +++ b/apache-commons-httpclient.spec @@ -0,0 +1,206 @@ +# +# spec file for package apache-commons-httpclient +# +# Copyright (c) 2020 SUSE LLC +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# + + +%define short_name commons-httpclient +Name: apache-commons-httpclient +Version: 3.1 +Release: 0 +Summary: Feature rich package for accessing resources via HTTP +License: Apache-2.0 +Group: Development/Libraries/Java +URL: http://hc.apache.org/httpclient-3.x/ +Source0: http://www.apache.org/dist/httpcomponents/commons-httpclient/source/%{short_name}-%{version}-src.tar.gz +Source1: http://repo.maven.apache.org/maven2/%{short_name}/%{short_name}/%{version}/%{short_name}-%{version}.pom +Patch0: %{name}-disablecryptotests.patch +# Add OSGi MANIFEST.MF bits +Patch1: %{name}-addosgimanifest.patch +Patch2: %{name}-encoding.patch +#PATCH-FIX-UPSTREAM: bnc#803332 +#https://issues.apache.org/jira/secure/attachment/12560251/CVE-2012-5783-2.patch +Patch3: %{short_name}-CVE-2012-5783-2.patch +#PATCH-FIX-UPSTREAM bsc#1178171 CVE-2014-3577 MITM security vulnerability +Patch4: apache-commons-httpclient-CVE-2014-3577.patch +#PATCH-FIX-UPSTREAM bsc#945190 CVE-2015-5262 Missing HTTPS connection timeout +Patch5: apache-commons-httpclient-CVE-2015-5262.patch +BuildRequires: ant +BuildRequires: ant-junit +BuildRequires: commons-codec +BuildRequires: commons-logging >= 1.0.3 +BuildRequires: fdupes +BuildRequires: java-devel >= 1.8 +BuildRequires: javapackages-local +BuildRequires: junit +Requires: commons-codec +Requires: commons-logging >= 1.0.3 +Provides: %{short_name} = %{version} +Provides: jakarta-%{short_name} = %{version} +Obsoletes: jakarta-%{short_name} < %{version} +Provides: jakarta-%{short_name}3 = %{version} +Obsoletes: jakarta-%{short_name}3 < %{version} +BuildArch: noarch + +%description +Although the java.net package provides basic functionality for +accessing resources via HTTP, it doesn't provide the full flexibility +or functionality needed by many applications. The Apache Commons +HttpClient component provides a package implementing the client side +of the most recent HTTP standards and recommendations. + +The HttpClient component may be of interest to anyone building +HTTP-aware client applications such as web browsers, web service +clients, or systems that leverage or extend the HTTP protocol for +distributed communication. + +%package javadoc +Summary: Developer documentation for %{name} +Group: Development/Libraries/Java + +%description javadoc +Developer documentation for %{name} in JavaDoc +format. + +%{summary}. + +%package demo +Summary: Demonstration files for %{name} +Group: Development/Libraries/Java +Requires: %{name} = %{version} + +%description demo +Demonstration files for %{name}. NOTE: It is +possible that some demonstration files are specially prepared for SUN +Java runtime environment. If they fail with IBM or BEA Java, the +package itself does not need to be broken. + +%{summary}. + +%package manual +Summary: Manual for %{name} +Group: Development/Libraries/Java + +%description manual +Manual for %{name} + +%{summary}. + +%prep +%setup -q -n %{short_name}-%{version} +mkdir lib # duh +rm -rf docs/apidocs docs/*.patch docs/*.orig docs/*.rej + +%patch0 + +pushd src/conf +sed -i 's/\r//' MANIFEST.MF +%patch1 +popd + +%patch2 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 + +# Use javax classes, not com.sun ones +# assume no filename contains spaces +pushd src + for j in $(find . -name "*.java" -exec grep -l 'com\.sun\.net\.ssl' {} \;); do + sed -e 's|com\.sun\.net\.ssl|javax.net.ssl|' $j > tempf + cp tempf $j + done + rm tempf +popd + +sed -i 's/\r//' RELEASE_NOTES.txt +sed -i 's/\r//' README.txt +sed -i 's/\r//' LICENSE.txt + +%build +ant \ + -Dant.build.javac.source=8 -Dant.build.javac.target=8 \ + -Dbuild.sysclasspath=first \ + -Djavadoc.j2sdk.link=%{_javadocdir}/java \ + -Djavadoc.logging.link=%{_javadocdir}/apache-commons-logging \ + -Dtest.failonerror=false \ + -Dlib.dir=%{_javadir} \ + -Djavac.encoding=UTF-8 \ + dist test + +%install +# jars +mkdir -p %{buildroot}%{_javadir} +cp -p dist/%{short_name}.jar \ + %{buildroot}%{_javadir}/%{name}.jar +# compat symlink +pushd %{buildroot}%{_javadir} +ln -s %{name}.jar %{name}3.jar +ln -s %{name}.jar %{short_name}3.jar +ln -s %{name}.jar %{short_name}.jar +ln -s %{name}.jar jakarta-%{short_name}.jar +ln -s %{name}.jar jakarta-%{short_name}3.jar +popd + +# pom +mkdir -p %{buildroot}%{_mavenpomdir} +cp -p %{SOURCE1} %{buildroot}%{_mavenpomdir}/%{name}.pom +%add_maven_depmap %{name}.pom %{name}.jar -a apache:commons-httpclient + +# javadoc +mkdir -p %{buildroot}%{_javadocdir} +mv dist/docs/api %{buildroot}%{_javadocdir}/%{name} +%fdupes -s %{buildroot}%{_javadocdir}/%{name} + +# demo +mkdir -p %{buildroot}%{_datadir}/%{name} +cp -pr src/examples src/contrib %{buildroot}%{_datadir}/%{name} +%fdupes -s %{buildroot}%{_datadir}/%{name} + +# manual and docs +rm -f dist/docs/{BUILDING,TESTING}.txt +ln -s %{_javadocdir}/%{name} dist/docs/apidocs +%fdupes -s dist/docs + +%files +%defattr(0644,root,root,0755) +%license LICENSE.txt +%doc README.txt RELEASE_NOTES.txt +%{_javadir}/%{name}.jar +%{_javadir}/%{name}3.jar +%{_javadir}/%{short_name}3.jar +%{_javadir}/%{short_name}.jar +%{_javadir}/jakarta-%{short_name}3.jar +%{_javadir}/jakarta-%{short_name}.jar +%{_mavenpomdir}/* +%if %{defined _maven_repository} +%{_mavendepmapfragdir}/%{name} +%else +%{_datadir}/maven-metadata/%{name}.xml* +%endif + +%files javadoc +%defattr(0644,root,root,0755) +%doc %{_javadocdir}/%{name} + +%files demo +%defattr(0644,root,root,0755) +%{_datadir}/%{name} + +%files manual +%defattr(0644,root,root,0755) +%doc dist/docs/* + +%changelog diff --git a/commons-httpclient-3.1-src.tar.gz b/commons-httpclient-3.1-src.tar.gz new file mode 100644 index 0000000..ce3caeb --- /dev/null +++ b/commons-httpclient-3.1-src.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:f9a496d3418b0e15894fb351652cd4fa5ca434ebfc3ce3bb8da40defd8b097f2 +size 1882664 diff --git a/commons-httpclient-3.1.pom b/commons-httpclient-3.1.pom new file mode 100644 index 0000000..8cabc03 --- /dev/null +++ b/commons-httpclient-3.1.pom @@ -0,0 +1,254 @@ + + 4.0.0 + commons-httpclient + commons-httpclient + HttpClient + 3.1 + The HttpClient component supports the client-side of RFC 1945 (HTTP/1.0) and RFC 2616 (HTTP/1.1) , several related specifications (RFC 2109 (Cookies) , RFC 2617 (HTTP Authentication) , etc.), and provides a framework by which new request types (methods) or HTTP extensions can be created easily. + http://jakarta.apache.org/httpcomponents/httpclient-3.x/ + + http://issues.apache.org/jira/browse/HTTPCLIENT + + + + + +
httpcomponents-dev@jakarta.apache.org
+ + + + + 2001 + + + HttpComponents Developer List + httpcomponents-dev-subscribe@jakarta.apache.org + httpcomponents-dev-unsubscribe@jakarta.apache.org + http://mail-archives.apache.org/mod_mbox/jakarta-httpcomponents-dev/ + + + HttpClient User List + httpclient-user-subscribe@jakarta.apache.org + httpclient-user-unsubscribe@jakarta.apache.org + http://mail-archives.apache.org/mod_mbox/jakarta-httpclient-user/ + + + + + mbecke + Michael Becke + mbecke -at- apache.org + + + Release Prime + Java Developer + + + + jsdever + Jeff Dever + jsdever -at- apache.org + Independent consultant + + 2.0 Release Prime + Java Developer + + + + dion + dIon Gillard + dion -at- apache.org + Multitask Consulting + + Java Developer + + + + oglueck + Ortwin Glueck + oglueck -at- apache.org + http://www.odi.ch/ + + + Java Developer + + + + jericho + Sung-Gu + jericho -at- apache.org + + + Java Developer + + + + olegk + Oleg Kalnichevski + olegk -at- apache.org + + Java Developer + + + + sullis + Sean C. Sullivan + sullis -at- apache.org + Independent consultant + + Java Developer + + + + adrian + Adrian Sutton + adrian.sutton -at- ephox.com + Intencha + + Java Developer + + + + rwaldhoff + Rodney Waldhoff + rwaldhoff -at- apache + Britannica + + Java Developer + + + + + + Armando Anton + armando.anton -at- newknow.com + + + Sebastian Bazley + sebb -at- apache.org + + + Ola Berg + + + + Sam Berlin + sberlin -at- limepeer.com + + + Mike Bowler + + + + Samit Jain + jain.samit -at- gmail.com + + + Eric Johnson + eric -at- tibco.com + + + Christian Kohlschuetter + ck -at- newsclub.de + + + Ryan Lubke + Ryan.Lubke -at- Sun.COM + + + Sam Maloney + sam.maloney -at- filogix.com + + + Rob Di Marco + rdimarco -at- hmsonline.com + + + Juergen Pill + Juergen.Pill -at- softwareag.com + + + Mohammad Rezaei + mohammad.rezaei -at- gs.com + + + Roland Weber + rolandw -at- apache.org + + + Laura Werner + laura -at- lwerner.org + + + Mikael Wilstrom + mikael.wikstrom -at- it.su.se + + + + + Apache License + http://www.apache.org/licenses/LICENSE-2.0 + + + + scm:svn:http://svn.apache.org/repos/asf/jakarta/httpcomponents/oac.hc3x/trunk + http://svn.apache.org/repos/asf/jakarta/httpcomponents/oac.hc3x/trunk + + + Apache Software Foundation + http://jakarta.apache.org/ + + + src/java + src/test + + + src/resources + + + + + src/test + + **/*.keystore + + + + + + maven-surefire-plugin + + + **/TestAll.java + + + + + + + + junit + junit + 3.8.1 + test + + + commons-logging + commons-logging + 1.0.4 + + + commons-codec + commons-codec + 1.2 + + + + + default + Default Site + scp://people.apache.org//www/jakarta.apache.org/httpcomponents/httpclient-3.x/ + + converted + + \ No newline at end of file diff --git a/commons-httpclient-CVE-2012-5783-2.patch b/commons-httpclient-CVE-2012-5783-2.patch new file mode 100644 index 0000000..07174f0 --- /dev/null +++ b/commons-httpclient-CVE-2012-5783-2.patch @@ -0,0 +1,369 @@ + +--- commons-httpclient-3.1.orig/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java ++++ commons-httpclient-3.1/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java +@@ -31,10 +31,25 @@ + package org.apache.commons.httpclient.protocol; + + import java.io.IOException; ++import java.io.InputStream; + import java.net.InetAddress; + import java.net.Socket; + import java.net.UnknownHostException; ++import java.security.cert.Certificate; ++import java.security.cert.CertificateParsingException; ++import java.security.cert.X509Certificate; ++import java.util.Arrays; ++import java.util.Collection; ++import java.util.Iterator; ++import java.util.LinkedList; ++import java.util.List; ++import java.util.Locale; ++import java.util.StringTokenizer; ++import java.util.regex.Pattern; + ++import javax.net.ssl.SSLException; ++import javax.net.ssl.SSLSession; ++import javax.net.ssl.SSLSocket; + import javax.net.ssl.SSLSocketFactory; + + import org.apache.commons.httpclient.ConnectTimeoutException; +@@ -55,6 +70,11 @@ public class SSLProtocolSocketFactory im + */ + private static final SSLProtocolSocketFactory factory = new SSLProtocolSocketFactory(); + ++ // This is a a sorted list, if you insert new elements do it orderdered. ++ private final static String[] BAD_COUNTRY_2LDS = ++ {"ac", "co", "com", "ed", "edu", "go", "gouv", "gov", "info", ++ "lg", "ne", "net", "or", "org"}; ++ + /** + * Gets an singleton instance of the SSLProtocolSocketFactory. + * @return a SSLProtocolSocketFactory +@@ -79,12 +99,14 @@ public class SSLProtocolSocketFactory im + InetAddress clientHost, + int clientPort) + throws IOException, UnknownHostException { +- return SSLSocketFactory.getDefault().createSocket( ++ Socket sslSocket = SSLSocketFactory.getDefault().createSocket( + host, + port, + clientHost, + clientPort + ); ++ verifyHostName(host, (SSLSocket) sslSocket); ++ return sslSocket; + } + + /** +@@ -124,16 +146,19 @@ public class SSLProtocolSocketFactory im + } + int timeout = params.getConnectionTimeout(); + if (timeout == 0) { +- return createSocket(host, port, localAddress, localPort); ++ Socket sslSocket = createSocket(host, port, localAddress, localPort); ++ verifyHostName(host, (SSLSocket) sslSocket); ++ return sslSocket; + } else { + // To be eventually deprecated when migrated to Java 1.4 or above +- Socket socket = ReflectionSocketFactory.createSocket( ++ Socket sslSocket = ReflectionSocketFactory.createSocket( + "javax.net.ssl.SSLSocketFactory", host, port, localAddress, localPort, timeout); +- if (socket == null) { +- socket = ControllerThreadSocketFactory.createSocket( ++ if (sslSocket == null) { ++ sslSocket = ControllerThreadSocketFactory.createSocket( + this, host, port, localAddress, localPort, timeout); + } +- return socket; ++ verifyHostName(host, (SSLSocket) sslSocket); ++ return sslSocket; + } + } + +@@ -142,10 +167,12 @@ public class SSLProtocolSocketFactory im + */ + public Socket createSocket(String host, int port) + throws IOException, UnknownHostException { +- return SSLSocketFactory.getDefault().createSocket( ++ Socket sslSocket = SSLSocketFactory.getDefault().createSocket( + host, + port + ); ++ verifyHostName(host, (SSLSocket) sslSocket); ++ return sslSocket; + } + + /** +@@ -157,13 +184,271 @@ public class SSLProtocolSocketFactory im + int port, + boolean autoClose) + throws IOException, UnknownHostException { +- return ((SSLSocketFactory) SSLSocketFactory.getDefault()).createSocket( ++ Socket sslSocket = ((SSLSocketFactory) SSLSocketFactory.getDefault()).createSocket( + socket, + host, + port, + autoClose + ); ++ verifyHostName(host, (SSLSocket) sslSocket); ++ return sslSocket; + } ++ ++ ++ ++ ++ /** ++ * Verifies that the given hostname in certicifate is the hostname we are trying to connect to ++ * http://www.cvedetails.com/cve/CVE-2012-5783/ ++ * @param host ++ * @param ssl ++ * @throws IOException ++ */ ++ ++ private static void verifyHostName(String host, SSLSocket ssl) ++ throws IOException { ++ if (host == null) { ++ throw new IllegalArgumentException("host to verify was null"); ++ } ++ ++ SSLSession session = ssl.getSession(); ++ if (session == null) { ++ // In our experience this only happens under IBM 1.4.x when ++ // spurious (unrelated) certificates show up in the server's chain. ++ // Hopefully this will unearth the real problem: ++ InputStream in = ssl.getInputStream(); ++ in.available(); ++ /* ++ If you're looking at the 2 lines of code above because you're ++ running into a problem, you probably have two options: ++ ++ #1. Clean up the certificate chain that your server ++ is presenting (e.g. edit "/etc/apache2/server.crt" or ++ wherever it is your server's certificate chain is ++ defined). ++ ++ OR ++ ++ #2. Upgrade to an IBM 1.5.x or greater JVM, or switch to a ++ non-IBM JVM. ++ */ ++ ++ // If ssl.getInputStream().available() didn't cause an exception, ++ // maybe at least now the session is available? ++ session = ssl.getSession(); ++ if (session == null) { ++ // If it's still null, probably a startHandshake() will ++ // unearth the real problem. ++ ssl.startHandshake(); ++ ++ // Okay, if we still haven't managed to cause an exception, ++ // might as well go for the NPE. Or maybe we're okay now? ++ session = ssl.getSession(); ++ } ++ } ++ ++ Certificate[] certs = session.getPeerCertificates(); ++ verifyHostName(host.trim().toLowerCase(Locale.US), (X509Certificate) certs[0]); ++ } ++ /** ++ * Extract the names from the certificate and tests host matches one of them ++ * @param host ++ * @param cert ++ * @throws SSLException ++ */ ++ ++ private static void verifyHostName(final String host, X509Certificate cert) ++ throws SSLException { ++ // I'm okay with being case-insensitive when comparing the host we used ++ // to establish the socket to the hostname in the certificate. ++ // Don't trim the CN, though. ++ ++ String cn = getCN(cert); ++ String[] subjectAlts = getDNSSubjectAlts(cert); ++ verifyHostName(host, cn.toLowerCase(Locale.US), subjectAlts); ++ ++ } ++ ++ /** ++ * Extract all alternative names from a certificate. ++ * @param cert ++ * @return ++ */ ++ private static String[] getDNSSubjectAlts(X509Certificate cert) { ++ LinkedList subjectAltList = new LinkedList(); ++ Collection c = null; ++ try { ++ c = cert.getSubjectAlternativeNames(); ++ } catch (CertificateParsingException cpe) { ++ // Should probably log.debug() this? ++ cpe.printStackTrace(); ++ } ++ if (c != null) { ++ Iterator it = c.iterator(); ++ while (it.hasNext()) { ++ List list = (List) it.next(); ++ int type = ((Integer) list.get(0)).intValue(); ++ // If type is 2, then we've got a dNSName ++ if (type == 2) { ++ String s = (String) list.get(1); ++ subjectAltList.add(s); ++ } ++ } ++ } ++ if (!subjectAltList.isEmpty()) { ++ String[] subjectAlts = new String[subjectAltList.size()]; ++ subjectAltList.toArray(subjectAlts); ++ return subjectAlts; ++ } else { ++ return new String[0]; ++ } ++ ++ } ++ /** ++ * Verifies ++ * @param host ++ * @param cn ++ * @param subjectAlts ++ * @throws SSLException ++ */ ++ ++ private static void verifyHostName(final String host, String cn, String[] subjectAlts)throws SSLException{ ++ StringBuffer cnTested = new StringBuffer(); ++ ++ for (int i = 0; i < subjectAlts.length; i++){ ++ String name = subjectAlts[i]; ++ if (name != null) { ++ name = name.toLowerCase(); ++ if (verifyHostName(host, name)){ ++ return; ++ } ++ cnTested.append("/").append(name); ++ } ++ } ++ if (cn != null && verifyHostName(host, cn)){ ++ return; ++ } ++ cnTested.append("/").append(cn); ++ throw new SSLException("hostname in certificate didn't match: <" ++ + host + "> != <" + cnTested + ">"); ++ ++ } ++ ++ private static boolean verifyHostName(final String host, final String cn){ ++ if (doWildCard(cn) && !isIPAddress(host)) { ++ return matchesWildCard(cn, host); ++ } ++ return host.equalsIgnoreCase(cn); ++ } ++ private static boolean doWildCard(String cn) { ++ // Contains a wildcard ++ // wildcard in the first block ++ // not an ipaddress (ip addres must explicitily be equal) ++ // not using 2nd level common tld : ex: not for *.co.uk ++ String parts[] = cn.split("\\."); ++ return parts.length >= 3 && ++ parts[0].endsWith("*") && ++ acceptableCountryWildcard(cn) && ++ !isIPAddress(cn); ++ } ++ ++ ++ private static final Pattern IPV4_PATTERN = ++ Pattern.compile("^(25[0-5]|2[0-4]\\d|[0-1]?\\d?\\d)(\\.(25[0-5]|2[0-4]\\d|[0-1]?\\d?\\d)){3}$"); ++ ++ private static final Pattern IPV6_STD_PATTERN = ++ Pattern.compile("^(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}$"); ++ ++ private static final Pattern IPV6_HEX_COMPRESSED_PATTERN = ++ Pattern.compile("^((?:[0-9A-Fa-f]{1,4}(?::[0-9A-Fa-f]{1,4})*)?)::((?:[0-9A-Fa-f]{1,4}(?::[0-9A-Fa-f]{1,4})*)?)$"); ++ ++ ++ private static boolean isIPAddress(final String hostname) { ++ return hostname != null ++ && ( ++ IPV4_PATTERN.matcher(hostname).matches() ++ || IPV6_STD_PATTERN.matcher(hostname).matches() ++ || IPV6_HEX_COMPRESSED_PATTERN.matcher(hostname).matches() ++ ); ++ ++ } ++ ++ private static boolean acceptableCountryWildcard(final String cn) { ++ // The CN better have at least two dots if it wants wildcard action, ++ // but can't be [*.co.uk] or [*.co.jp] or [*.org.uk], etc... ++ // The [*.co.uk] problem is an interesting one. Should we just ++ // hope that CA's would never foolishly allow such a ++ // certificate to happen? ++ ++ String[] parts = cn.split("\\."); ++ // Only checks for 3 levels, with country code of 2 letters. ++ if (parts.length > 3 || parts[parts.length - 1].length() != 2) { ++ return true; ++ } ++ String countryCode = parts[parts.length - 2]; ++ return Arrays.binarySearch(BAD_COUNTRY_2LDS, countryCode) < 0; ++ } ++ ++ private static boolean matchesWildCard(final String cn, ++ final String hostName) { ++ String parts[] = cn.split("\\."); ++ boolean match = false; ++ String firstpart = parts[0]; ++ if (firstpart.length() > 1) { ++ // server∗ ++ // e.g. server ++ String prefix = firstpart.substring(0, firstpart.length() - 1); ++ // skipwildcard part from cn ++ String suffix = cn.substring(firstpart.length()); ++ // skip wildcard part from host ++ String hostSuffix = hostName.substring(prefix.length()); ++ match = hostName.startsWith(prefix) && hostSuffix.endsWith(suffix); ++ } else { ++ match = hostName.endsWith(cn.substring(1)); ++ } ++ if (match) { ++ // I f we're in strict mode , ++ // [ ∗.foo.com] is not allowed to match [a.b.foo.com] ++ match = countDots(hostName) == countDots(cn); ++ } ++ return match; ++ } ++ ++ private static int countDots(final String data) { ++ int dots = 0; ++ for (int i = 0; i < data.length(); i++) { ++ if (data.charAt(i) == '.') { ++ dots += 1; ++ } ++ } ++ return dots; ++ } ++ ++ private static String getCN(X509Certificate cert) { ++ // Note: toString() seems to do a better job than getName() ++ // ++ // For example, getName() gives me this: ++ // 1.2.840.113549.1.9.1=#16166a756c6975736461766965734063756362632e636f6d ++ // ++ // whereas toString() gives me this: ++ // EMAILADDRESS=juliusdavies@cucbc.com ++ String subjectPrincipal = cert.getSubjectX500Principal().toString(); ++ ++ return getCN(subjectPrincipal); ++ ++ } ++ private static String getCN(String subjectPrincipal) { ++ StringTokenizer st = new StringTokenizer(subjectPrincipal, ","); ++ while(st.hasMoreTokens()) { ++ String tok = st.nextToken().trim(); ++ if (tok.length() > 3) { ++ if (tok.substring(0, 3).equalsIgnoreCase("CN=")) { ++ return tok.substring(3); ++ } ++ } ++ } ++ return null; ++ } + + /** + * All instances of SSLProtocolSocketFactory are the same.