--- conf/web.xml.orig 2016-08-23 14:41:14.488986580 -0400
+++ conf/web.xml 2016-08-23 14:41:14.497986572 -0400
@@ -346,6 +346,15 @@
+
+
+
+
+
+
+
+
+
@@ -369,7 +378,7 @@
HTTP_
and with all -
characters
+ * converted to _
.
+ */
+ private Pattern envHttpHeadersPattern = Pattern.compile(
+ "ACCEPT[-0-9A-Z]*|CACHE-CONTROL|COOKIE|HOST|IF-[-0-9A-Z]*|REFERER|USER-AGENT");
+
/** object used to ensure multiple threads don't try to expand same file */
static Object expandFileLock = new Object();
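Review bot: The default pattern compiled at the `private Pattern envHttpHeadersPattern = Pattern.compile(...)` line is case-sensitive and lists only upper-case names, while the `equalsIgnoreCase` checks it replaces were case-insensitive; unless the header name is upper-cased before it reaches `matcher(header).matches()` (that code is outside this hunk), a name such as `Accept` would silently never be exported. Either compile both the default and the configured pattern with `Pattern.CASE_INSENSITIVE`, or state the contract in the Javadoc, which is only partly visible here: `/** Header names are matched against this pattern in upper case, before '-' is replaced by '_' — TODO confirm against the caller. */`. A note that the default deliberately omits PROXY (httpoxy, CVE-2016-5388) and AUTHORIZATION/PROXY-AUTHORIZATION would also help the next person who edits the list.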
@@ -339,6 +350,10 @@
"stderrTimeout"));
}
+ if (getServletConfig().getInitParameter("envHttpHeaders") != null) {
+ envHttpHeadersPattern =
+ Pattern.compile(getServletConfig().getInitParameter("envHttpHeaders"));
+ }
}
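Review bot: A malformed `envHttpHeaders` value makes `Pattern.compile` throw an unchecked PatternSyntaxException out of the `if` added here, so the servlet fails to load with a stack trace that never names the init parameter; the value is also fetched twice. Read it once and translate the failure into a ServletException carrying the cause, which is the type the enclosing init method presumably already declares (it starts outside this hunk). Failing hard is the right outcome for a bad allow-list, so the goal is only a diagnosable message, not a fallback to a permissive default.
```java
String envHttpHeaders = getServletConfig().getInitParameter("envHttpHeaders");
if (envHttpHeaders != null) {
    try {
        envHttpHeadersPattern = Pattern.compile(envHttpHeaders);
    } catch (PatternSyntaxException e) {
        throw new ServletException(
                "Invalid envHttpHeaders init parameter: " + envHttpHeaders, e);
    }
}
```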
@@ -1106,12 +1121,8 @@
//REMIND: rewrite multiple headers as if received as single
//REMIND: change character set
//REMIND: I forgot what the previous REMIND means
- if ("AUTHORIZATION".equalsIgnoreCase(header) ||
- "PROXY_AUTHORIZATION".equalsIgnoreCase(header)) {
- //NOOP per CGI specification section 11.2
- } else {
- envp.put("HTTP_" + header.replace('-', '_'),
- req.getHeader(header));
+ if (envHttpHeadersPattern.matcher(header).matches()) {
+ envp.put("HTTP_" + header.replace('-', '_'), req.getHeader(header));
}
}
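Review bot: The unconditional exclusion of Authorization and Proxy-Authorization required by CGI specification section 11.2 is removed along with the block list, so it now holds only as long as the administrator's `envHttpHeaders` value happens not to match those names; a broad pattern such as `.*` would forward credentials to the CGI process. Keep the specification-mandated exclusion and apply the allow-list on top: `if (!"AUTHORIZATION".equalsIgnoreCase(header) && !"PROXY-AUTHORIZATION".equalsIgnoreCase(header)` `        && envHttpHeadersPattern.matcher(header).matches()) {`. A comment at the `if` explaining that the pattern is an allow-list whose default also keeps PROXY out of the environment (CVE-2016-5388) would document why the old `else` branch is gone. The enclosing method starts and ends outside this hunk.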
--- webapps/docs/cgi-howto.xml.orig 2016-08-23 14:41:14.490986578 -0400
+++ webapps/docs/cgi-howto.xml 2016-08-23 14:41:14.494986575 -0400
@@ -111,6 +111,12 @@
ACCEPT[-0-9A-Z]*|CACHE-CONTROL|COOKIE|HOST|IF-[-0-9A-Z]*|REFERER|USER-AGENT
+System.getProperty("file.encoding","UTF-8")
. That is the system
--- webapps/docs/changelog.xml.orig 2016-08-23 14:41:14.491986578 -0400
+++ webapps/docs/changelog.xml 2016-08-23 14:42:04.119940086 -0400
@@ -57,6 +57,19 @@
They eventually become mixed with the numbered issues. (I.e., numbered
issues do not "pop up" wrt. others).
-->
+envHttpHeaders
, to
+ the CGI Servlet to mitigate httpoxy
+ (CVE-2016-5388) by default and to provide a mechanism that can be
+ used to mitigate any future, similar issues. (markt)
+