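--- a/conf/web.xml
+++ b/conf/web.xml
@@ -346,6 +346,15 @@
 
 
 
+
+
+
+
+
+
+
+
+
 
 
 
@@ -369,7 +378,7 @@
 <param-name>cgiPathPrefix</param-name>
 <param-value>WEB-INF/cgi</param-value>
 </init-param>
- <load-on-startup>5</load-on-startup>
+ <load-on-startup>5</load-on-startup>
 </servlet>
 -->
 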
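--- a/java/org/apache/catalina/servlets/CGIServlet.java
+++ b/java/org/apache/catalina/servlets/CGIServlet.java
@@ -36,6 +36,7 @@
 import java.util.Locale;
 import java.util.StringTokenizer;
 import java.util.Vector;
+import java.util.regex.Pattern;
 
 import javax.servlet.RequestDispatcher;
 import javax.servlet.ServletConfig;
@@ -276,6 +277,16 @@
 */
 private long stderrTimeout = 2000;
 
+ /**
+ * The regular expression used to select HTTP headers to be passed to the
+ * CGI process as environment variables. The name of the environment
+ * variable will be the name of the HTTP header converter to upper case,
+ * prefixed with HTTP_ and with all - characters
+ * converted to _ .
+ */
+ private Pattern envHttpHeadersPattern = Pattern.compile(
+ "ACCEPT[-0-9A-Z]*|CACHE-CONTROL|COOKIE|HOST|IF-[-0-9A-Z]*|REFERER|USER-AGENT");
+
 /** object used to ensure multiple threads don't try to expand same file */
 static Object expandFileLock = new Object();
 
@@ -339,6 +350,10 @@
 "stderrTimeout"));
 }
 
+ if (getServletConfig().getInitParameter("envHttpHeaders") != null) {
+ envHttpHeadersPattern =
+ Pattern.compile(getServletConfig().getInitParameter("envHttpHeaders"));
+ }
 }
 
 
@@ -1106,12 +1121,8 @@
 //REMIND: rewrite multiple headers as if received as single
 //REMIND: change character set
 //REMIND: I forgot what the previous REMIND means
- if ("AUTHORIZATION".equalsIgnoreCase(header) ||
- "PROXY_AUTHORIZATION".equalsIgnoreCase(header)) {
- //NOOP per CGI specification section 11.2
- } else {
- envp.put("HTTP_" + header.replace('-', '_'),
- req.getHeader(header));
+ if (envHttpHeadersPattern.matcher(header).matches()) {
+ envp.put("HTTP_" + header.replace('-', '_'), req.getHeader(header));
 }
 }
 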
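Review bot: The pattern check at `if (envHttpHeadersPattern.matcher(header).matches())` in the @@ -1106 hunk is now the only thing keeping Authorization and Proxy-Authorization out of the CGI environment, because the unconditional exclusion required by CGI specification section 11.2 is removed together with it; an operator who widens `envHttpHeaders` (for example to `.*`) forwards both credentials and, since Proxy becomes HTTP_PROXY, also undoes the httpoxy mitigation this change exists for. I would keep the exclusion as a guard the init-param cannot override, `if (!"AUTHORIZATION".equalsIgnoreCase(header) && !"PROXY-AUTHORIZATION".equalsIgnoreCase(header) && envHttpHeadersPattern.matcher(header).matches()) {`, noting that the removed code spelled it `PROXY_AUTHORIZATION` with an underscore, which cannot match the hyphenated header name unless `header` is rewritten earlier in the loop, which starts outside the hunk. The same check silently depends on `header` already being upper-cased, which the hunk does not show, and with the default pattern a lower-cased name would match nothing. In the @@ -276 hunk the field Javadoc says "converter to upper case" where `converted` is meant. In the @@ -339 hunk `getInitParameter("envHttpHeaders")` is read twice; reading it once into a local also gives a natural place to catch `PatternSyntaxException` and fail init with the parameter name in the message.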
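--- a/webapps/docs/cgi-howto.xml
+++ b/webapps/docs/cgi-howto.xml
@@ -111,6 +111,12 @@
 executable-arg-1, executable-arg-2,
 and so on - additional arguments for the executable. These precede the
 CGI script name. By default there are no additional arguments.
+envHttpHeaders - A regular expression used to select the
+HTTP headers passed to the CGI process as environment variables. Note that
+headers are converted to upper case before matching and that the entire header
+name must match the pattern. Default is
+ACCEPT[-0-9A-Z]*|CACHE-CONTROL|COOKIE|HOST|IF-[-0-9A-Z]*|REFERER|USER-AGENT
+
 parameterEncoding - Name of the parameter encoding
 to be used with the CGI servlet. Default is
 System.getProperty("file.encoding","UTF-8") . That is the system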
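--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -57,6 +57,19 @@
 They eventually become mixed with the numbered issues. (I.e., numbered
 issues do not "pop up" wrt. others).
 -->
+<section name="Tomcat 7.0.69-9 (csutherl)">
+ <subsection name="Catalina">
+ <changelog>
+ <add>
+ Add a new initialisation parameter, envHttpHeaders , to
+ the CGI Servlet to mitigate httpoxy
+ (
+ >CVE-2016-5388) by default and to provide a mechanism that can be
+ used to mitigate any future, similar issues. (markt)
+ </add>
+ </changelog>
+ </subsection>
+</section>
 <section name="Tomcat 7.0.69-4 (csutherl)">
 <subsection name="Other">
 <changelog>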