rpm/tomcat
SHA256
1
0
Fork 0
forked from pool/tomcat
Code Pull Requests Activity

Accepting request 1077841 from home:mbussolotto:branches:Java:packages

Browse Source 
- Fixed CVEs:
  * CVE-2022-45143: JsonErrorReportValve: add escape for type, message or description (bsc#1206840)
- Added patches:
  * tomcat-9.0.43-CVE-2022-45143.patch

OBS-URL: https://build.opensuse.org/request/show/1077841
OBS-URL: https://build.opensuse.org/package/show/Java:packages/tomcat?expand=0&rev=256
This commit is contained in:
Michele Bussolotto 2023-04-07 08:08:28 +00:00 committed by Git OBS Bridge
parent 6ef0f7376a
commit 6bc85246b3
3 changed files with 218 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

208
tomcat-9.0.43-CVE-2022-45143.patch Normal file
View File

@ -0,0 +1,208 @@
From b336f4e58893ea35114f1e4a415657f723b1298e Mon Sep 17 00:00:00 2001
From: Mark Thomas <markt@apache.org>
Date: Wed, 9 Nov 2022 12:39:15 +0000
Subject: [PATCH] Avoid invalid JSON in JSONErrorReportValve output
---
.../catalina/valves/JsonErrorReportValve.java | 7 +-
.../apache/tomcat/util/json/JSONFilter.java | 61 ++++++++++++++
.../tomcat/util/json/TestJSONFilter.java | 82 +++++++++++++++++++
webapps/docs/changelog.xml | 5 ++
4 files changed, 152 insertions(+), 3 deletions(-)
create mode 100644 java/org/apache/tomcat/util/json/JSONFilter.java
create mode 100644 test/org/apache/tomcat/util/json/TestJSONFilter.java
Index: apache-tomcat-9.0.43-src/java/org/apache/catalina/valves/JsonErrorReportValve.java
===================================================================
--- apache-tomcat-9.0.43-src.orig/java/org/apache/catalina/valves/JsonErrorReportValve.java
+++ apache-tomcat-9.0.43-src/java/org/apache/catalina/valves/JsonErrorReportValve.java
@@ -24,6 +24,7 @@ import org.apache.catalina.connector.Req
import org.apache.catalina.connector.Response;
import org.apache.coyote.ActionCode;
import org.apache.tomcat.util.ExceptionUtils;
+import org.apache.tomcat.util.json.JSONFilter;
import org.apache.tomcat.util.res.StringManager;
/**
@@ -82,9 +83,9 @@ public class JsonErrorReportValve extend
}
}
String jsonReport = "{\n" +
- " \"type\": \"" + type + "\",\n" +
- " \"message\": \"" + message + "\"\n" +
- " \"description\": \"" + description + "\"\n" +
+ " \"type\": \"" + JSONFilter.escape(type) + "\",\n" +
+ " \"message\": \"" + JSONFilter.escape(message) + "\",\n" +
+ " \"description\": \"" + JSONFilter.escape(description) + "\"\n" +
"}";
try {
try {
Index: apache-tomcat-9.0.43-src/java/org/apache/tomcat/util/json/JSONFilter.java
===================================================================
--- /dev/null
+++ apache-tomcat-9.0.43-src/java/org/apache/tomcat/util/json/JSONFilter.java
@@ -0,0 +1,61 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.tomcat.util.json;
+
+/**
+ * Provides escaping of values so they can be included in a JSON document.
+ * Escaping is based on the definition of JSON found in
+ * <a href="https://www.rfc-editor.org/rfc/rfc8259.html">RFC 8259</a>.
+ */
+public class JSONFilter {
+
+ private JSONFilter() {
+ // Utility class. Hide the default constructor.
+ }
+
+ public static String escape(String input) {
+ /*
+ * While any character MAY be escaped, only U+0000 to U+001F (control
+ * characters), U+0022 (quotation mark) and U+005C (reverse solidus)
+ * MUST be escaped.
+ */
+ char[] chars = input.toCharArray();
+ StringBuffer escaped = null;
+ int lastUnescapedStart = 0;
+ for (int i = 0; i < chars.length; i++) {
+ if (chars[i] < 0x20 || chars[i] == 0x22 || chars[i] == 0x5c) {
+ if (escaped == null) {
+ escaped = new StringBuffer(chars.length + 20);
+ }
+ if (lastUnescapedStart < i) {
+ escaped.append(input.subSequence(lastUnescapedStart, i));
+ }
+ lastUnescapedStart = i + 1;
+ escaped.append("\\u");
+ escaped.append(String.format("%04X", Integer.valueOf(chars[i])));
+ }
+ }
+ if (escaped == null) {
+ return input;
+ } else {
+ if (lastUnescapedStart < chars.length) {
+ escaped.append(input.subSequence(lastUnescapedStart, chars.length));
+ }
+ return escaped.toString();
+ }
+ }
+}
Index: apache-tomcat-9.0.43-src/webapps/docs/changelog.xml
===================================================================
--- apache-tomcat-9.0.43-src.orig/webapps/docs/changelog.xml
+++ apache-tomcat-9.0.43-src/webapps/docs/changelog.xml
@@ -133,6 +133,11 @@
<code>RemoteIpFilter</code> determines that this request was submitted
via a secure channel. (lihan)
</fix>
+ <fix>
+ Escape values used to construct output for the
+ <code>JsonErrorReportValve</code> to ensure that it always outputs valid
+ JSON. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Coyote">
Index: apache-tomcat-9.0.43-src/test/org/apache/tomcat/util/json/TestJSONFilter.java
===================================================================
--- /dev/null
+++ apache-tomcat-9.0.43-src/test/org/apache/tomcat/util/json/TestJSONFilter.java
@@ -0,0 +1,82 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.tomcat.util.json;
+
+import java.util.ArrayList;
+import java.util.Collection;
+
+import org.junit.Assert;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
+import org.junit.runners.Parameterized.Parameter;
+
+
+@RunWith(Parameterized.class)
+public class TestJSONFilter {
+
+ @Parameterized.Parameters(name = "{index}: input[{0}], output[{1}]")
+ public static Collection<Object[]> parameters() {
+ Collection<Object[]> parameterSets = new ArrayList<>();
+
+ // Empty
+ parameterSets.add(new String[] { "", "" });
+
+ // Must escape
+ parameterSets.add(new String[] { "\"", "\\u0022" });
+ parameterSets.add(new String[] { "\\", "\\u005C" });
+ // Sample of controls
+ parameterSets.add(new String[] { "\t", "\\u0009" });
+ parameterSets.add(new String[] { "\n", "\\u000A" });
+ parameterSets.add(new String[] { "\r", "\\u000D" });
+
+ // No escape
+ parameterSets.add(new String[] { "aaa", "aaa" });
+
+ // Start
+ parameterSets.add(new String[] { "\naaa", "\\u000Aaaa" });
+ parameterSets.add(new String[] { "\n\naaa", "\\u000A\\u000Aaaa" });
+
+ // Middle
+ parameterSets.add(new String[] { "aaa\naaa", "aaa\\u000Aaaa" });
+ parameterSets.add(new String[] { "aaa\n\naaa", "aaa\\u000A\\u000Aaaa" });
+
+ // End
+ parameterSets.add(new String[] { "aaa\n", "aaa\\u000A" });
+ parameterSets.add(new String[] { "aaa\n\n", "aaa\\u000A\\u000A" });
+
+ // Start, middle and end
+ parameterSets.add(new String[] { "\naaa\naaa\n", "\\u000Aaaa\\u000Aaaa\\u000A" });
+ parameterSets.add(new String[] { "\n\naaa\n\naaa\n\n", "\\u000A\\u000Aaaa\\u000A\\u000Aaaa\\u000A\\u000A" });
+
+ // Multiple
+ parameterSets.add(new String[] { "\n\n", "\\u000A\\u000A" });
+
+ return parameterSets;
+ }
+
+ @Parameter(0)
+ public String input;
+
+ @Parameter(1)
+ public String output;
+
+ @Test
+ public void testStringEscaping() {
+ Assert.assertEquals(output, JSONFilter.escape(input));;
+ }
+}

8
tomcat.changes
View File

@ -1,3 +1,11 @@
-------------------------------------------------------------------
Fri Apr 7 07:56:31 UTC 2023 - Michele Bussolotto <michele.bussolotto@suse.com>
- Fixed CVEs:
* CVE-2022-45143: JsonErrorReportValve: add escape for type, message or description (bsc#1206840)
- Added patches:
* tomcat-9.0.43-CVE-2022-45143.patch
-------------------------------------------------------------------
Thu Mar 23 08:06:31 UTC 2023 - Michele Bussolotto <michele.bussolotto@suse.com>

2
tomcat.spec
View File

@ -93,6 +93,7 @@ Patch15: tomcat-9.0-fix_catalina.patch
Patch16: tomcat-9.0-logrotate_everything.patch
Patch17: tomcat-9.0.43-CVE-2023-24998.patch
Patch18: tomcat-9.0.43-CVE-2023-28708.patch
Patch19: tomcat-9.0.43-CVE-2022-45143.patch
BuildRequires: ant >= 1.8.1
BuildRequires: ant-antlr
@ -277,6 +278,7 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "
%patch16 -p1
%patch17 -p1
%patch18 -p1
%patch19 -p1
# remove date from docs
sed -i -e '/build-date/ d' webapps/docs/tomcat-docs.xsl