diff --git a/.gitignore b/.gitignore
index f6a7b45..fbdde0d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/apache-tomcat-7.0.42-src.tar.gz
+SOURCES/apache-tomcat-7.0.54-src.tar.gz
diff --git a/.tomcat.metadata b/.tomcat.metadata
index 0f4bcad..5f4aba0 100644
--- a/.tomcat.metadata
+++ b/.tomcat.metadata
@@ -1 +1 @@
-3f1061428dc6274e5b6159ed06462702e0550bd1 SOURCES/apache-tomcat-7.0.42-src.tar.gz
+70253e53572005adca147414a3d0eea4dbcc1ae0 SOURCES/apache-tomcat-7.0.54-src.tar.gz
diff --git a/SOURCES/tomcat-7.0.42-CVE-2013-4286.patch b/SOURCES/tomcat-7.0.42-CVE-2013-4286.patch
deleted file mode 100644
index d5b48a0..0000000
--- a/SOURCES/tomcat-7.0.42-CVE-2013-4286.patch
+++ /dev/null
@@ -1,206 +0,0 @@
---- java/org/apache/coyote/ajp/AbstractAjpProcessor.java.orig 2014-03-14 17:13:46.228345000 -0400
-+++ java/org/apache/coyote/ajp/AbstractAjpProcessor.java 2014-03-18 13:54:13.570758000 -0400
-@@ -25,6 +25,8 @@
- import java.security.cert.X509Certificate;
- import java.util.concurrent.atomic.AtomicBoolean;
-
-+import javax.servlet.http.HttpServletResponse;
-+
- import org.apache.coyote.AbstractProcessor;
- import org.apache.coyote.ActionCode;
- import org.apache.coyote.AsyncContextCallback;
-@@ -651,7 +653,7 @@
-
- // Set this every time in case limit has been changed via JMX
- headers.setLimit(endpoint.getMaxHeaderCount());
--
-+ boolean contentLengthSet = false;
- int hCount = requestHeaderMessage.getInt();
- for(int i = 0 ; i < hCount ; i++) {
- String hName = null;
-@@ -686,10 +688,15 @@
-
- if (hId == Constants.SC_REQ_CONTENT_LENGTH ||
- (hId == -1 && tmpMB.equalsIgnoreCase("Content-Length"))) {
-- // just read the content-length header, so set it
- long cl = vMB.getLong();
-- if(cl < Integer.MAX_VALUE)
-- request.setContentLength( (int)cl );
-+ if (contentLengthSet) {
-+ response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
-+ error = true;
-+ } else {
-+ contentLengthSet = true;
-+ // Set the content-length header for the request
-+ request.setContentLength((int)cl);
-+ }
- } else if (hId == Constants.SC_REQ_CONTENT_TYPE ||
- (hId == -1 && tmpMB.equalsIgnoreCase("Content-Type"))) {
- // just read the content-type header, so set it
---- java/org/apache/coyote/http11/AbstractHttp11Processor.java.orig 2014-03-14 17:13:46.514347000 -0400
-+++ java/org/apache/coyote/http11/AbstractHttp11Processor.java 2014-04-16 12:21:12.524505000 -0400
-@@ -1277,10 +1277,30 @@
-
- // Parse content-length header
- long contentLength = request.getContentLengthLong();
-- if (contentLength >= 0 && !contentDelimitation) {
-- getInputBuffer().addActiveFilter
-- (inputFilters[Constants.IDENTITY_FILTER]);
-- contentDelimitation = true;
-+ if (contentLength >= 0) {
-+ if (getLog().isDebugEnabled()) {
-+ getLog().debug("ContentLength="+contentLength);
-+ getLog().debug(request.toString());
-+ }
-+ if (contentDelimitation) {
-+ // contentDelimitation being true at this point indicates that
-+ // chunked encoding is being used but chunked encoding should
-+ // not be used with a content length. RFC 2616, section 4.4,
-+ // bullet 3 states Content-Length must be ignored in this case -
-+ // so remove it.
-+ headers.removeHeader("content-length");
-+ request.setContentLength(-1);
-+ if (getLog().isDebugEnabled()) {
-+ getLog().debug("ContentLength=-1");
-+ }
-+ } else {
-+ getInputBuffer().addActiveFilter
-+ (inputFilters[Constants.IDENTITY_FILTER]);
-+ contentDelimitation = true;
-+ if (getLog().isDebugEnabled()) {
-+ getLog().debug("ContentDelimitation=true");
-+ }
-+ }
- }
-
- MessageBytes valueMB = headers.getValue("host");
---- test/org/apache/coyote/ajp/TestAbstractAjpProcessor.java.orig 2014-03-14 17:13:52.878367000 -0400
-+++ test/org/apache/coyote/ajp/TestAbstractAjpProcessor.java 2014-03-14 17:21:43.278956000 -0400
-@@ -90,6 +90,61 @@
- ajpClient.disconnect();
- }
-
-+ @Test
-+ public void testPost() throws Exception {
-+ doTestPost(false, HttpServletResponse.SC_OK);
-+ }
-+
-+ public void testPostMultipleContentLength() throws Exception {
-+ // Multiple content lengths
-+ doTestPost(true, HttpServletResponse.SC_BAD_REQUEST);
-+ }
-+
-+
-+ public void doTestPost(boolean multipleCL, int expectedStatus)
-+ throws Exception {
-+ Tomcat tomcat = getTomcatInstance();
-+ // Use the normal Tomcat ROOT context
-+ File root = new File("test/webapp-3.0");
-+ tomcat.addWebapp("", root.getAbsolutePath());
-+ tomcat.start();
-+ SimpleAjpClient ajpClient = new SimpleAjpClient();
-+ ajpClient.setPort(getPort());
-+ ajpClient.connect();
-+
-+ validateCpong(ajpClient.cping());
-+
-+ TesterAjpMessage forwardMessage =
-+ ajpClient.createForwardMessage("/echo-params.jsp", 4);
-+ forwardMessage.addHeader(0xA008, "9");
-+ if (multipleCL) {
-+ forwardMessage.addHeader(0xA008, "99");
-+ }
-+ forwardMessage.addHeader(0xA007, "application/x-www-form-urlencoded");
-+ forwardMessage.end();
-+ TesterAjpMessage bodyMessage =
-+ ajpClient.createBodyMessage("test=data".getBytes());
-+
-+ TesterAjpMessage responseHeaders =
-+ ajpClient.sendMessage(forwardMessage, bodyMessage);
-+
-+ validateResponseHeaders(responseHeaders, expectedStatus);
-+ if (expectedStatus == HttpServletResponse.SC_OK) {
-+ // Expect 3 messages: headers, body, end for a valid request
-+ TesterAjpMessage responseBody = ajpClient.readMessage();
-+ validateResponseBody(responseBody, "test - data");
-+ validateResponseEnd(ajpClient.readMessage(), true);
-+ // Double check the connection is still open
-+ validateCpong(ajpClient.cping());
-+ } else {
-+ // Expect 2 messages: headers, end for an invalid request
-+ validateResponseEnd(ajpClient.readMessage(), false);
-+ }
-+
-+ ajpClient.disconnect();
-+ }
-+
-+
- /**
- * Process response header packet and checks the status. Any other data is
- * ignored.
---- test/org/apache/coyote/http11/TestAbstractHttp11Processor.java.orig 2014-03-14 17:13:52.946367000 -0400
-+++ test/org/apache/coyote/http11/TestAbstractHttp11Processor.java 2014-03-14 17:13:52.925368000 -0400
-@@ -87,7 +87,7 @@
- "Transfer-encoding: buffered" + SimpleHttpClient.CRLF +
- "Content-Length: 9" + SimpleHttpClient.CRLF +
- "Content-Type: application/x-www-form-urlencoded" +
-- SimpleHttpClient.CRLF +
-+ SimpleHttpClient.CRLF +
- SimpleHttpClient.CRLF +
- "test=data";
-
-@@ -99,6 +99,54 @@
- assertTrue(client.isResponse501());
- }
-
-+ @Test
-+ public void testWithTEChunked() throws Exception {
-+ doTestWithTEChunked(false);
-+ }
-+
-+ @Test
-+ public void testWithTEChunkedWithCL() throws Exception {
-+ // Should be ignored
-+ doTestWithTEChunked(true);
-+ }
-+
-+ private void doTestWithTEChunked(boolean withCL)
-+ throws Exception {
-+
-+ Tomcat tomcat = getTomcatInstance();
-+
-+ // Use the normal Tomcat ROOT context
-+ File root = new File("test/webapp-3.0");
-+ tomcat.addWebapp("", root.getAbsolutePath());
-+
-+ tomcat.start();
-+
-+ String request =
-+ "POST /echo-params.jsp HTTP/1.1" + SimpleHttpClient.CRLF +
-+ "Host: any" + SimpleHttpClient.CRLF +
-+ (withCL ? "Content-length: 1" + SimpleHttpClient.CRLF : "") +
-+ "Transfer-encoding: chunked" + SimpleHttpClient.CRLF +
-+ "Content-Type: application/x-www-form-urlencoded" +
-+ SimpleHttpClient.CRLF +
-+ "Connection: close" + SimpleHttpClient.CRLF +
-+ SimpleHttpClient.CRLF +
-+ "9" + SimpleHttpClient.CRLF +
-+ "test=data" + SimpleHttpClient.CRLF +
-+ "0" + SimpleHttpClient.CRLF +
-+ SimpleHttpClient.CRLF;
-+
-+ Client client = new Client(tomcat.getConnector().getLocalPort());
-+ client.setRequest(new String[] {request});
-+
-+ client.connect();
-+ client.processRequest();
-+ assertTrue(client.isResponse200());
-+ assertTrue(client.getResponseBody().contains("test - data"));
-+ }
-+
-+
-+
-+
-
- @Test
- public void testWithTEIdentity() throws Exception {
diff --git a/SOURCES/tomcat-7.0.42-CVE-2013-4322.patch b/SOURCES/tomcat-7.0.42-CVE-2013-4322.patch
deleted file mode 100644
index bb3803c..0000000
--- a/SOURCES/tomcat-7.0.42-CVE-2013-4322.patch
+++ /dev/null
@@ -1,377 +0,0 @@
---- java/org/apache/coyote/http11/AbstractHttp11Processor.java.orig 2014-03-17 16:00:40.592415000 -0400
-+++ java/org/apache/coyote/http11/AbstractHttp11Processor.java 2014-03-18 13:39:06.789696000 -0400
-@@ -684,13 +684,14 @@
- /**
- * Initialize standard input and output filters.
- */
-- protected void initializeFilters(int maxTrailerSize) {
-+ protected void initializeFilters(int maxTrailerSize, int maxExtensionSize) {
- // Create and add the identity filters.
- getInputBuffer().addFilter(new IdentityInputFilter());
- getOutputBuffer().addFilter(new IdentityOutputFilter());
-
- // Create and add the chunked filters.
-- getInputBuffer().addFilter(new ChunkedInputFilter(maxTrailerSize));
-+ getInputBuffer().addFilter(
-+ new ChunkedInputFilter(maxTrailerSize, maxExtensionSize));
- getOutputBuffer().addFilter(new ChunkedOutputFilter());
-
- // Create and add the void filters.
---- java/org/apache/coyote/http11/AbstractHttp11Protocol.java.orig 2014-03-17 16:00:57.458467000 -0400
-+++ java/org/apache/coyote/http11/AbstractHttp11Protocol.java 2014-03-17 16:40:11.035409000 -0400
-@@ -151,7 +151,15 @@
- this.maxTrailerSize = maxTrailerSize;
- }
-
--
-+ /**
-+ * Maximum size of extension information in chunked encoding
-+ */
-+ private int maxExtensionSize = 8192;
-+ public int getMaxExtensionSize() { return maxExtensionSize; }
-+ public void setMaxExtensionSize(int maxExtensionSize) {
-+ this.maxExtensionSize = maxExtensionSize;
-+ }
-+
- /**
- * This field indicates if the protocol is treated as if it is secure. This
- * normally means https is being used but can be used to fake https e.g
---- java/org/apache/coyote/http11/Http11AprProcessor.java.orig 2014-03-17 16:01:22.889559000 -0400
-+++ java/org/apache/coyote/http11/Http11AprProcessor.java 2014-03-17 16:43:14.716027000 -0400
-@@ -58,7 +58,7 @@
-
-
- public Http11AprProcessor(int headerBufferSize, AprEndpoint endpoint,
-- int maxTrailerSize) {
-+ int maxTrailerSize, int maxExtensionSize) {
-
- super(endpoint);
-
-@@ -68,7 +68,7 @@
- outputBuffer = new InternalAprOutputBuffer(response, headerBufferSize);
- response.setOutputBuffer(outputBuffer);
-
-- initializeFilters(maxTrailerSize);
-+ initializeFilters(maxTrailerSize, maxExtensionSize);
- }
-
-
---- java/org/apache/coyote/http11/Http11AprProtocol.java.orig 2014-03-17 16:10:16.268358000 -0400
-+++ java/org/apache/coyote/http11/Http11AprProtocol.java 2014-03-17 16:50:17.428466000 -0400
-@@ -294,7 +294,7 @@
- protected Http11AprProcessor createProcessor() {
- Http11AprProcessor processor = new Http11AprProcessor(
- proto.getMaxHttpHeaderSize(), (AprEndpoint)proto.endpoint,
-- proto.getMaxTrailerSize());
-+ proto.getMaxTrailerSize(), proto.getMaxExtensionSize());
- processor.setAdapter(proto.adapter);
- processor.setMaxKeepAliveRequests(proto.getMaxKeepAliveRequests());
- processor.setKeepAliveTimeout(proto.getKeepAliveTimeout());
---- java/org/apache/coyote/http11/Http11NioProcessor.java.orig 2014-03-17 16:02:20.016748000 -0400
-+++ java/org/apache/coyote/http11/Http11NioProcessor.java 2014-03-17 16:51:55.623782000 -0400
-@@ -63,7 +63,7 @@
-
-
- public Http11NioProcessor(int maxHttpHeaderSize, NioEndpoint endpoint,
-- int maxTrailerSize) {
-+ int maxTrailerSize, int maxExtensionSize) {
-
- super(endpoint);
-
-@@ -73,7 +73,7 @@
- outputBuffer = new InternalNioOutputBuffer(response, maxHttpHeaderSize);
- response.setOutputBuffer(outputBuffer);
-
-- initializeFilters(maxTrailerSize);
-+ initializeFilters(maxTrailerSize, maxExtensionSize);
- }
-
-
---- java/org/apache/coyote/http11/Http11NioProtocol.java.orig 2014-03-17 16:07:26.027787000 -0400
-+++ java/org/apache/coyote/http11/Http11NioProtocol.java 2014-03-17 16:53:09.198025000 -0400
-@@ -260,7 +260,7 @@
- public Http11NioProcessor createProcessor() {
- Http11NioProcessor processor = new Http11NioProcessor(
- proto.getMaxHttpHeaderSize(), (NioEndpoint)proto.endpoint,
-- proto.getMaxTrailerSize());
-+ proto.getMaxTrailerSize(), proto.getMaxExtensionSize());
- processor.setAdapter(proto.adapter);
- processor.setMaxKeepAliveRequests(proto.getMaxKeepAliveRequests());
- processor.setKeepAliveTimeout(proto.getKeepAliveTimeout());
---- java/org/apache/coyote/http11/Http11Processor.java.orig 2014-03-17 16:07:45.099837000 -0400
-+++ java/org/apache/coyote/http11/Http11Processor.java 2014-03-18 12:42:34.018260000 -0400
-@@ -50,7 +50,7 @@
-
-
- public Http11Processor(int headerBufferSize, JIoEndpoint endpoint,
-- int maxTrailerSize) {
-+ int maxTrailerSize, int maxExtensionSize) {
-
- super(endpoint);
-
-@@ -60,7 +60,7 @@
- outputBuffer = new InternalOutputBuffer(response, headerBufferSize);
- response.setOutputBuffer(outputBuffer);
-
-- initializeFilters(maxTrailerSize);
-+ initializeFilters(maxTrailerSize, maxExtensionSize);
- }
-
-
---- java/org/apache/coyote/http11/Http11Protocol.java.orig 2014-03-17 16:08:00.058113000 -0400
-+++ java/org/apache/coyote/http11/Http11Protocol.java 2014-03-17 16:56:04.194609000 -0400
-@@ -164,7 +164,7 @@
- protected Http11Processor createProcessor() {
- Http11Processor processor = new Http11Processor(
- proto.getMaxHttpHeaderSize(), (JIoEndpoint)proto.endpoint,
-- proto.getMaxTrailerSize());
-+ proto.getMaxTrailerSize(), proto.getMaxExtensionSize());
- processor.setAdapter(proto.adapter);
- processor.setMaxKeepAliveRequests(proto.getMaxKeepAliveRequests());
- processor.setKeepAliveTimeout(proto.getKeepAliveTimeout());
---- java/org/apache/coyote/http11/filters/ChunkedInputFilter.java.orig 2014-03-17 16:08:12.213985000 -0400
-+++ java/org/apache/coyote/http11/filters/ChunkedInputFilter.java 2014-04-15 19:51:43.729201000 -0400
-@@ -39,6 +39,8 @@
- */
- public class ChunkedInputFilter implements InputFilter {
-
-+ private static final org.apache.juli.logging.Log log
-+ = org.apache.juli.logging.LogFactory.getLog(ChunkedInputFilter.class);
-
- // -------------------------------------------------------------- Constants
-
-@@ -118,9 +120,29 @@
- */
- private Request request;
-
-+
-+ /**
-+ * Limit for extension size.
-+ */
-+ private final long maxExtensionSize;
-+
-+
-+ /**
-+ * Limit for trailer size.
-+ */
-+ private int maxTrailerSize;
-+
-+
-+ /**
-+ * Size of extensions processed for this request.
-+ */
-+ private long extensionSize;
-+
- // ----------------------------------------------------------- Constructors
-- public ChunkedInputFilter(int maxTrailerSize) {
-+ public ChunkedInputFilter(int maxTrailerSize, int maxExtensionSize) {
- this.trailingHeaders.setLimit(maxTrailerSize);
-+ this.maxTrailerSize = maxTrailerSize;
-+ this.maxExtensionSize = maxExtensionSize;
- }
-
- // ---------------------------------------------------- InputBuffer Methods
-@@ -250,6 +272,8 @@
- endChunk = false;
- needCRLFParse = false;
- trailingHeaders.recycle();
-+ trailingHeaders.setLimit(maxTrailerSize);
-+ extensionSize = 0;
- }
-
-
-@@ -299,7 +323,7 @@
- int result = 0;
- boolean eol = false;
- boolean readDigit = false;
-- boolean trailer = false;
-+ boolean extension = false;
-
- while (!eol) {
-
-@@ -309,11 +333,17 @@
- }
-
- if (buf[pos] == Constants.CR || buf[pos] == Constants.LF) {
-+ log.info("EOL is true");
- parseCRLF(false);
- eol = true;
-- } else if (buf[pos] == Constants.SEMI_COLON) {
-- trailer = true;
-- } else if (!trailer) {
-+ } else if (buf[pos] == Constants.SEMI_COLON && !extension) {
-+ // First semi-colon marks the start of the extension. Further
-+ // semi-colons may appear to separate multiple chunk-extensions.
-+ // These need to be processed as part of parsing the extensions.
-+ extension = true;
-+ extensionSize++;
-+ log.info("SEMI_COLON");
-+ } else if (!extension) {
- //don't read data after the trailer
- int charValue = HexUtils.getDec(buf[pos]);
- if (charValue != -1) {
-@@ -323,15 +353,22 @@
- } else {
- //we shouldn't allow invalid, non hex characters
- //in the chunked header
-+ log.info("Returning false");
- return false;
- }
-- }
--
-+ } else {
-+ // Extension 'parsing'
-+ // Note that the chunk-extension is neither parsed nor
-+ // validated. Currently it is simply ignored.
-+ extensionSize++;
-+ if (maxExtensionSize > -1 && extensionSize > maxExtensionSize) {
-+ throw new IOException("maxExtensionSize exceeded");
-+ }
-+ }
- // Parsing the CRLF increments pos
- if (!eol) {
- pos++;
- }
--
- }
-
- if (!readDigit)
-@@ -489,12 +526,17 @@
- chr = buf[pos];
- if ((chr == Constants.SP) || (chr == Constants.HT)) {
- pos++;
-+ // If we swallow whitespace, make sure it counts towards the
-+ // limit placed on trailing header size
-+ int newlimit = trailingHeaders.getLimit() -1;
-+ if (trailingHeaders.getEnd() > newlimit) {
-+ throw new IOException("Exceeded maxTrailerSize");
-+ }
-+ trailingHeaders.setLimit(newlimit);
- } else {
- space = false;
- }
--
- }
--
- // Reading bytes until the end of the line
- while (!eol) {
-
---- test/org/apache/coyote/http11/filters/TestChunkedInputFilter.java.orig 2014-03-17 16:08:33.031999000 -0400
-+++ test/org/apache/coyote/http11/filters/TestChunkedInputFilter.java 2014-03-17 17:40:23.853592000 -0400
-@@ -41,6 +41,7 @@
- public class TestChunkedInputFilter extends TomcatBaseTest {
-
- private static final String LF = "\n";
-+ private static final int EXT_SIZE_LIMIT = 10;
-
- @Test
- public void testChunkHeaderCRLF() throws Exception {
-@@ -202,6 +203,79 @@
- assertTrue(client.isResponse500());
- }
-
-+
-+ @Test
-+ public void testExtensionSizeLimitOneBelow() throws Exception {
-+ doTestExtensionSizeLimit(EXT_SIZE_LIMIT - 1, true);
-+ }
-+
-+
-+ @Test
-+ public void testExtensionSizeLimitExact() throws Exception {
-+ doTestExtensionSizeLimit(EXT_SIZE_LIMIT, true);
-+ }
-+
-+
-+ @Test
-+ public void testExtensionSizeLimitOneOver() throws Exception {
-+ doTestExtensionSizeLimit(EXT_SIZE_LIMIT + 1, false);
-+ }
-+
-+ private void doTestExtensionSizeLimit(int len, boolean ok)
-+ throws Exception {
-+ // Setup Tomcat instance
-+ Tomcat tomcat = getTomcatInstance();
-+
-+ tomcat.getConnector().setProperty(
-+ "maxExtensionSize", Integer.toString(EXT_SIZE_LIMIT));
-+
-+ // Must have a real docBase - just use temp
-+ Context ctx =
-+ tomcat.addContext("", System.getProperty("java.io.tmpdir"));
-+
-+ Tomcat.addServlet(ctx, "servlet", new EchoHeaderServlet());
-+ ctx.addServletMapping("/", "servlet");
-+
-+ tomcat.start();
-+
-+ String extName = ";foo=";
-+ StringBuilder extValue = new StringBuilder(len);
-+ for (int i = 0; i < (len - extName.length()); i++) {
-+ extValue.append("x");
-+ }
-+
-+ String[] request = new String[]{
-+ "POST /echo-params.jsp HTTP/1.1" + SimpleHttpClient.CRLF +
-+ "Host: any" + SimpleHttpClient.CRLF +
-+ "Transfer-encoding: chunked" + SimpleHttpClient.CRLF +
-+ "Content-Type: application/x-www-form-urlencoded" +
-+ SimpleHttpClient.CRLF +
-+ "Connection: close" + SimpleHttpClient.CRLF +
-+ SimpleHttpClient.CRLF +
-+ "3" + extName + extValue.toString() + SimpleHttpClient.CRLF +
-+ "a=0" + SimpleHttpClient.CRLF +
-+ "4" + SimpleHttpClient.CRLF +
-+ "&b=1" + SimpleHttpClient.CRLF +
-+ "0" + SimpleHttpClient.CRLF +
-+ SimpleHttpClient.CRLF };
-+
-+ TrailerClient client =
-+ new TrailerClient(tomcat.getConnector().getLocalPort());
-+ client.setRequest(request);
-+
-+ client.connect();
-+ client.processRequest();
-+
-+ if (ok) {
-+ assertTrue(client.isResponse200());
-+ } else {
-+ assertTrue(client.isResponse500());
-+ }
-+ }
-+
-+
-+
-+
- @Test
- public void testNoTrailingHeaders() throws Exception {
- // Setup Tomcat instance
---- webapps/docs/changelog.xml.orig 2014-03-17 16:08:46.095050000 -0400
-+++ webapps/docs/changelog.xml 2014-03-17 17:44:14.163385000 -0400
-@@ -394,6 +394,11 @@
-
Limits the total length of chunk extensions in chunked HTTP requests.
-+ If the value is -1
, no limit will be imposed. If not
-+ specified, the default value of 8192
will be used.
The maximum size of the request and response HTTP header, specified - in bytes. If not specified, this attribute is set to 8192 (8 KB).
diff --git a/SOURCES/tomcat-7.0.42-CVE-2013-4590.patch b/SOURCES/tomcat-7.0.42-CVE-2013-4590.patch
deleted file mode 100644
index 2382995..0000000
--- a/SOURCES/tomcat-7.0.42-CVE-2013-4590.patch
+++ /dev/null
@@ -1,3141 +0,0 @@
---- java/org/apache/catalina/Context.java.orig 2014-07-21 17:24:05.516400000 -0400
-+++ java/org/apache/catalina/Context.java 2014-07-21 17:46:59.386109000 -0400
-@@ -40,6 +40,7 @@
- import org.apache.catalina.deploy.NamingResources;
- import org.apache.catalina.deploy.SecurityConstraint;
- import org.apache.catalina.util.CharsetMapper;
-+import org.apache.tomcat.InstanceManager;
- import org.apache.tomcat.JarScanner;
- import org.apache.tomcat.util.http.mapper.Mapper;
-
-@@ -61,7 +62,7 @@
- *
- *
- * @author Craig R. McClanahan
-- * @version $Id: Context.java 1492415 2013-06-12 20:41:33Z markt $
-+ * @version $Id: Context.java 1552258 2013-12-19 09:25:18Z markt $
- */
-
- public interface Context extends Container {
-@@ -616,70 +617,99 @@
-
-
- /**
-- * Get the server.xml
-+ * This must be kept in sync with org.apache.jasper.Constants
-+ */
-+ public static final String JASPER_XML_VALIDATION_TLD_INIT_PARAM =
-+ "org.apache.jasper.XML_VALIDATE_TLD";
-+
-+
-+ /**
-+ * Name of the ServletContext init-param that determines if the JSP engine
-+ * will block external entities from being used in *.tld, *.jspx, *.tagx and
-+ * tagplugin.xml files.
-+ *
-+ * This must be kept in sync with org.apache.jasper.Constants
-+ */
-+ public static final String JASPER_XML_BLOCK_EXTERNAL_INIT_PARAM =
-+ "org.apache.jasper.XML_BLOCK_EXTERNAL";
- }
---- java/org/apache/catalina/ant/ValidatorTask.java.orig 2014-07-21 17:24:05.537406000 -0400
-+++ java/org/apache/catalina/ant/ValidatorTask.java 2014-07-21 17:46:59.401034000 -0400
-@@ -14,18 +14,16 @@
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
--
--
- package org.apache.catalina.ant;
-
--
- import java.io.BufferedInputStream;
- import java.io.File;
- import java.io.FileInputStream;
- import java.io.InputStream;
-
-+import org.apache.catalina.Globals;
- import org.apache.catalina.startup.Constants;
--import org.apache.catalina.startup.DigesterFactory;
-+import org.apache.tomcat.util.descriptor.DigesterFactory;
- import org.apache.tomcat.util.digester.Digester;
- import org.apache.tools.ant.BuildException;
- import org.xml.sax.InputSource;
-@@ -36,7 +34,7 @@
- * schema validation.
- *
- * @author Remy Maucherat
-- * @version $Id: ValidatorTask.java 1001899 2010-09-27 20:24:18Z markt $
-+ * @version $Id: ValidatorTask.java 1549529 2013-12-09 10:05:56Z markt $
- * @since 5.0
- */
-
-@@ -90,7 +88,10 @@
- Thread.currentThread().setContextClassLoader
- (ValidatorTask.class.getClassLoader());
-
-- Digester digester = DigesterFactory.newDigester(true, true, null);
-+ // Called through trusted manager interface. If running under a
-+ // SecurityManager assume that untrusted applications may be deployed.
-+ Digester digester = DigesterFactory.newDigester(
-+ true, true, null, Globals.IS_SECURITY_ENABLED);
- try {
- file = file.getCanonicalFile();
- InputStream stream =
---- java/org/apache/catalina/core/ApplicationContext.java.orig 2014-07-21 17:24:05.543399000 -0400
-+++ java/org/apache/catalina/core/ApplicationContext.java 2014-07-22 16:07:21.579832000 -0400
-@@ -5,9 +5,9 @@
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
-- *
-+ *
- * http://www.apache.org/licenses/LICENSE-2.0
-- *
-+ *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-@@ -84,7 +84,7 @@
- *
- * @author Craig R. McClanahan
- * @author Remy Maucherat
-- * @version $Id: ApplicationContext.java 1493015 2013-06-14 10:00:57Z markt $
-+ * @version $Id: ApplicationContext.java 1549529 2013-12-09 10:05:56Z markt $
- */
-
- public class ApplicationContext
-@@ -97,7 +97,7 @@
-
- static {
- STRICT_SERVLET_COMPLIANCE = Globals.STRICT_SERVLET_COMPLIANCE;
--
-+
- String requireSlash = System.getProperty(
- "org.apache.catalina.core.ApplicationContext.GET_RESOURCE_REQUIRE_SLASH");
- if (requireSlash == null) {
-@@ -302,7 +302,7 @@
- }
- }
-
--
-+
- /**
- * Return the main path associated with this context.
- */
-@@ -310,7 +310,7 @@
- public String getContextPath() {
- return context.getPath();
- }
--
-+
-
- /**
- * Return the value of the specified initialization parameter, or
-@@ -320,6 +320,20 @@
- */
- @Override
- public String getInitParameter(final String name) {
-+ // Special handling for XML settings as the context setting must
-+ // always override anything that might have been set by an application.
-+ if (Globals.JASPER_XML_VALIDATION_TLD_INIT_PARAM.equals(name) &&
-+ context.getTldValidation()) {
-+ return "true";
-+ }
-+ if (Globals.JASPER_XML_BLOCK_EXTERNAL_INIT_PARAM.equals(name)) {
-+ if (context.getXmlBlockExternal()) {
-+ return "true";
-+ } else if (Globals.IS_SECURITY_ENABLED) {
-+ // System admin has explicitly changed the default
-+ return "false";
-+ }
-+ }
- return parameters.get(name);
- }
-
-@@ -330,7 +344,17 @@
- */
- @Override
- public Enumeration
-+ * This must be kept in sync with org.apache.catalina.Globals
-+ */
-+ public static final String XML_VALIDATION_TLD_INIT_PARAM =
-+ "org.apache.jasper.XML_VALIDATE_TLD";
-+
-+ /**
-+ * Name of the ServletContext init-param that determines if the XML parsers
-+ * will block the resolution of external entities.
-+ *
-+ * This must be kept in sync with org.apache.catalina.Globals
-+ */
-+ public static final String XML_BLOCK_EXTERNAL_INIT_PARAM =
-+ "org.apache.jasper.XML_BLOCK_EXTERNAL";
- }
---- java/org/apache/jasper/JspC.java.orig 2014-07-21 17:24:05.593406000 -0400
-+++ java/org/apache/jasper/JspC.java 2014-07-21 17:46:59.450034000 -0400
-@@ -126,6 +126,8 @@
- protected static final String SWITCH_ENCODING = "-javaEncoding";
- protected static final String SWITCH_SMAP = "-smap";
- protected static final String SWITCH_DUMP_SMAP = "-dumpsmap";
-+ protected static final String SWITCH_VALIDATE_TLD = "-validateTld";
-+ protected static final String SWITCH_BLOCK_EXTERNAL = "-blockExternal";
- protected static final String SHOW_SUCCESS ="-s";
- protected static final String LIST_ERRORS = "-l";
- protected static final int INC_WEBXML = 10;
-@@ -156,6 +158,8 @@
- protected URLClassLoader loader = null;
- protected boolean trimSpaces = false;
- protected boolean genStringAsCharArray = false;
-+ protected boolean validateTld;
-+ protected boolean blockExternal;
- protected boolean xpoweredBy;
- protected boolean mappedFile = false;
- protected boolean poolingEnabled = true;
-@@ -363,6 +367,10 @@
- smapSuppressed = false;
- } else if (tok.equals(SWITCH_DUMP_SMAP)) {
- smapDumped = true;
-+ } else if (tok.equals(SWITCH_VALIDATE_TLD)) {
-+ setValidateTld(true);
-+ } else if (tok.equals(SWITCH_BLOCK_EXTERNAL)) {
-+ setBlockExternal(true);
- } else {
- if (tok.startsWith("-")) {
- throw new JasperException("Unrecognized option: " + tok +
-@@ -842,8 +850,20 @@
- }
- }
-
-- public void setValidateXml( boolean b ) {
-- org.apache.jasper.xmlparser.ParserUtils.validating=b;
-+ public void setValidateTld( boolean b ) {
-+ this.validateTld = b;
-+ }
-+
-+ public boolean isValidateTld() {
-+ return validateTld;
-+ }
-+
-+ public void setBlockExternal( boolean b ) {
-+ this.blockExternal = b;
-+ }
-+
-+ public boolean isBlockExternal() {
-+ return blockExternal;
- }
-
- public void setListErrors( boolean b ) {
-@@ -1257,8 +1277,6 @@
-
- /**
- * Executes the compilation.
-- *
-- * @throws JasperException If an error occurs
- */
- @Override
- public void execute() {
-@@ -1426,6 +1444,13 @@
- } catch (MalformedURLException me) {
- System.out.println("**" + me);
- }
-+ if (isValidateTld()) {
-+ context.setInitParameter(Constants.XML_VALIDATION_TLD_INIT_PARAM, "true");
-+ }
-+ if (isBlockExternal()) {
-+ context.setInitParameter(Constants.XML_BLOCK_EXTERNAL_INIT_PARAM, "true");
-+ }
-+
- rctxt = new JspRuntimeContext(context, this);
- jspConfig = new JspConfig(context);
- tagPluginManager = new TagPluginManager(context);
---- java/org/apache/jasper/compiler/ImplicitTagLibraryInfo.java.orig 2014-07-21 17:24:05.597404000 -0400
-+++ java/org/apache/jasper/compiler/ImplicitTagLibraryInfo.java 2014-07-21 17:46:59.457040000 -0400
-@@ -14,7 +14,6 @@
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
--
- package org.apache.jasper.compiler;
-
- import java.io.InputStream;
-@@ -24,11 +23,13 @@
- import java.util.Set;
- import java.util.Vector;
-
-+import javax.servlet.ServletContext;
- import javax.servlet.jsp.tagext.FunctionInfo;
- import javax.servlet.jsp.tagext.TagFileInfo;
- import javax.servlet.jsp.tagext.TagInfo;
- import javax.servlet.jsp.tagext.TagLibraryInfo;
-
-+import org.apache.jasper.Constants;
- import org.apache.jasper.JasperException;
- import org.apache.jasper.JspCompilationContext;
- import org.apache.jasper.util.ExceptionUtils;
-@@ -124,7 +125,21 @@
- pi.addDependant(path, ctxt.getLastModified(path));
- }
-
-- ParserUtils pu = new ParserUtils();
-+ ServletContext servletContext = ctxt.getServletContext();
-+ boolean validate = Boolean.parseBoolean(
-+ servletContext.getInitParameter(
-+ Constants.XML_VALIDATION_TLD_INIT_PARAM));
-+ String blockExternalString =
-+ servletContext.getInitParameter(
-+ Constants.XML_BLOCK_EXTERNAL_INIT_PARAM);
-+ boolean blockExternal;
-+ if (blockExternalString == null) {
-+ blockExternal = Constants.IS_SECURITY_ENABLED;
-+ } else {
-+ blockExternal = Boolean.parseBoolean(blockExternalString);
-+ }
-+
-+ ParserUtils pu = new ParserUtils(validate, blockExternal);
- TreeNode tld = pu.parseXMLDocument(uri, in);
-
- if (tld.findAttribute("version") != null) {
---- java/org/apache/jasper/compiler/JspConfig.java.orig 2014-07-21 17:24:05.605401000 -0400
-+++ java/org/apache/jasper/compiler/JspConfig.java 2014-07-21 17:46:59.469055000 -0400
-@@ -22,6 +22,7 @@
-
- import javax.servlet.ServletContext;
-
-+import org.apache.jasper.Constants;
- import org.apache.jasper.JasperException;
- import org.apache.jasper.xmlparser.ParserUtils;
- import org.apache.jasper.xmlparser.TreeNode;
-@@ -77,9 +78,20 @@
- try {
- webXml = new WebXml(ctxt);
-
-+ boolean validate = Boolean.parseBoolean(
-+ ctxt.getInitParameter(Constants.XML_VALIDATION_TLD_INIT_PARAM));
-+ String blockExternalString =
-+ ctxt.getInitParameter(Constants.XML_BLOCK_EXTERNAL_INIT_PARAM);
-+ boolean blockExternal;
-+ if (blockExternalString == null) {
-+ blockExternal = Constants.IS_SECURITY_ENABLED;
-+ } else {
-+ blockExternal = Boolean.parseBoolean(blockExternalString);
-+ }
-+
- TreeNode webApp = null;
- if (webXml.getInputSource() != null) {
-- ParserUtils pu = new ParserUtils();
-+ ParserUtils pu = new ParserUtils(validate, blockExternal);
- webApp = pu.parseXMLDocument(webXml.getSystemId(),
- webXml.getInputSource());
- }
---- java/org/apache/jasper/compiler/JspDocumentParser.java.orig 2014-07-21 17:24:05.610399000 -0400
-+++ java/org/apache/jasper/compiler/JspDocumentParser.java 2014-07-21 17:46:59.476041000 -0400
-@@ -5,9 +5,9 @@
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
-- *
-+ *
- * http://www.apache.org/licenses/LICENSE-2.0
-- *
-+ *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-@@ -30,17 +30,20 @@
- import javax.xml.parsers.SAXParser;
- import javax.xml.parsers.SAXParserFactory;
-
-+import org.apache.jasper.Constants;
- import org.apache.jasper.JasperException;
- import org.apache.jasper.JspCompilationContext;
-+import org.apache.tomcat.util.descriptor.DigesterFactory;
-+import org.apache.tomcat.util.descriptor.LocalResolver;
- import org.xml.sax.Attributes;
- import org.xml.sax.InputSource;
- import org.xml.sax.Locator;
- import org.xml.sax.SAXException;
- import org.xml.sax.SAXParseException;
- import org.xml.sax.XMLReader;
--import org.xml.sax.ext.LexicalHandler;
-+import org.xml.sax.ext.DefaultHandler2;
-+import org.xml.sax.ext.EntityResolver2;
- import org.xml.sax.helpers.AttributesImpl;
--import org.xml.sax.helpers.DefaultHandler;
-
- /**
- * Class implementing a parser for a JSP document, that is, a JSP page in XML
-@@ -51,8 +54,8 @@
- */
-
- class JspDocumentParser
-- extends DefaultHandler
-- implements LexicalHandler, TagConstants {
-+ extends DefaultHandler2
-+ implements TagConstants {
-
- private static final String LEXICAL_HANDLER_PROPERTY =
- "http://xml.org/sax/properties/lexical-handler";
-@@ -71,7 +74,7 @@
- * Outermost (in the nesting hierarchy) node whose body is declared to be
- * scriptless. If a node's body is declared to be scriptless, all its
- * nested nodes must be scriptless, too.
-- */
-+ */
- private Node scriptlessBodyNode;
-
- private Locator locator;
-@@ -92,6 +95,7 @@
- private boolean inDTD;
-
- private boolean isValidating;
-+ private final EntityResolver2 entityResolver;
-
- private ErrorDispatcher err;
- private boolean isTagFile;
-@@ -120,6 +124,20 @@
- this.isTagFile = isTagFile;
- this.directivesOnly = directivesOnly;
- this.isTop = true;
-+
-+ String blockExternalString = ctxt.getServletContext().getInitParameter(
-+ Constants.XML_BLOCK_EXTERNAL_INIT_PARAM);
-+ boolean blockExternal;
-+ if (blockExternalString == null) {
-+ blockExternal = Constants.IS_SECURITY_ENABLED;
-+ } else {
-+ blockExternal = Boolean.parseBoolean(blockExternalString);
-+ }
-+
-+ this.entityResolver = new LocalResolver(
-+ DigesterFactory.SERVLET_API_PUBLIC_IDS,
-+ DigesterFactory.SERVLET_API_SYSTEM_IDS,
-+ blockExternal);
- }
-
- /*
-@@ -162,6 +180,8 @@
- jspDocParser.isTop = false;
- }
-
-+ jspDocParser.isValidating = false;
-+
- // Parse the input
- SAXParser saxParser = getSAXParser(false, jspDocParser);
- InputStream inStream = null;
-@@ -238,11 +258,34 @@
- }
- }
-
-+
-+ @Override
-+ public InputSource getExternalSubset(String name, String baseURI)
-+ throws SAXException, IOException {
-+ return entityResolver.getExternalSubset(name, baseURI);
-+ }
-+
-+
-+
-+ @Override
-+ public InputSource resolveEntity(String publicId, String systemId)
-+ throws SAXException, IOException {
-+ return entityResolver.resolveEntity(publicId, systemId);
-+ }
-+
-+
-+ @Override
-+ public InputSource resolveEntity(String name, String publicId, String baseURI, String systemId)
-+ throws SAXException, IOException {
-+ return entityResolver.resolveEntity(name, publicId, baseURI, systemId);
-+ }
-+
-+
- /*
- * Receives notification of the start of an element.
- *
- * This method assigns the given tag attributes to one of 3 buckets:
-- *
-+ *
- * - "xmlns" attributes that represent (standard or custom) tag libraries.
- * - "xmlns" attributes that do not represent tag libraries.
- * - all remaining attributes.
-@@ -272,11 +315,8 @@
- return;
- }
-
-- String currentPrefix = getPrefix(current.getQName());
--
- // jsp:text must not have any subelements
-- if (JSP_URI.equals(uri) && TEXT_ACTION.equals(current.getLocalName())
-- && "jsp".equals(currentPrefix)) {
-+ if (current instanceof Node.JspText) {
- throw new SAXParseException(
- Localizer.getMessage("jsp.error.text.has_subelement"),
- locator);
-@@ -288,7 +328,7 @@
- if (attrs != null) {
- /*
- * Notice that due to a bug in the underlying SAX parser, the
-- * attributes must be enumerated in descending order.
-+ * attributes must be enumerated in descending order.
- */
- boolean isTaglib = false;
- for (int i = attrs.getLength() - 1; i >= 0; i--) {
-@@ -437,7 +477,7 @@
- * invoke this method with chunks of it. This is a problem when we try
- * to determine if the text contains only whitespaces, or when we are
- * looking for an EL expression string. Therefore it is necessary to
-- * buffer and concatenate the chunks and process the concatenated text
-+ * buffer and concatenate the chunks and process the concatenated text
- * later (at beginTag and endTag)
- *
- * @param buf The characters
-@@ -670,7 +710,7 @@
- if (!(child instanceof Node.NamedAttribute)) {
- throw new SAXParseException(Localizer.getMessage(
- "jasper.error.emptybodycontent.nonempty",
-- current.qName), locator);
-+ current.qName), locator);
- }
- }
- }
-@@ -785,7 +825,7 @@
- }
-
- /*
-- * Receives notification of the start of a Namespace mapping.
-+ * Receives notification of the start of a Namespace mapping.
- */
- @Override
- public void startPrefixMapping(String prefix, String uri)
-@@ -795,7 +835,7 @@
- if (directivesOnly && !(JSP_URI.equals(uri))) {
- return;
- }
--
-+
- try {
- taglibInfo = getTaglibInfo(prefix, uri);
- } catch (JasperException je) {
-@@ -816,7 +856,7 @@
- }
-
- /*
-- * Receives notification of the end of a Namespace mapping.
-+ * Receives notification of the end of a Namespace mapping.
- */
- @Override
- public void endPrefixMapping(String prefix) throws SAXException {
-@@ -1425,17 +1465,25 @@
- throws Exception {
-
- SAXParserFactory factory = SAXParserFactory.newInstance();
-- factory.setNamespaceAware(true);
-
-+ factory.setNamespaceAware(true);
- // Preserve xmlns attributes
- factory.setFeature(
- "http://xml.org/sax/features/namespace-prefixes",
- true);
-+
- factory.setValidating(validating);
-- //factory.setFeature(
-- // "http://xml.org/sax/features/validation",
-- // validating);
--
-+ if (validating) {
-+ // Enable DTD validation
-+ factory.setFeature(
-+ "http://xml.org/sax/features/validation",
-+ true);
-+ // Enable schema validation
-+ factory.setFeature(
-+ "http://apache.org/xml/features/validation/schema",
-+ true);
-+ }
-+
- // Configure the parser
- SAXParser saxParser = factory.newSAXParser();
- XMLReader xmlReader = saxParser.getXMLReader();
---- java/org/apache/jasper/compiler/TagLibraryInfoImpl.java.orig 2014-07-21 17:24:05.614400000 -0400
-+++ java/org/apache/jasper/compiler/TagLibraryInfoImpl.java 2014-07-21 17:46:59.483050000 -0400
-@@ -31,6 +31,7 @@
- import java.util.Map;
- import java.util.Vector;
-
-+import javax.servlet.ServletContext;
- import javax.servlet.jsp.tagext.FunctionInfo;
- import javax.servlet.jsp.tagext.PageData;
- import javax.servlet.jsp.tagext.TagAttributeInfo;
-@@ -43,6 +44,7 @@
- import javax.servlet.jsp.tagext.ValidationMessage;
- import javax.servlet.jsp.tagext.VariableInfo;
-
-+import org.apache.jasper.Constants;
- import org.apache.jasper.JasperException;
- import org.apache.jasper.JspCompilationContext;
- import org.apache.jasper.util.ExceptionUtils;
-@@ -212,8 +214,20 @@
- Vector Note: Once one web application using
-+ true
-+ *
-+ * @deprecated This option will be removed in 8.0.x.
- */
-- public void setXmlNamespaceAware(boolean xmlNamespaceAware);
-+ @Deprecated
-+ public boolean getTldNamespaceAware();
-+
-+
- /**
-- * Get the server.xml /
in the global CATALINA_BASE/conf/context.xml
- file.sessionCookiePath="/"
obtains a session, all
-+ subsequent sessions for any other web application in the same host also
-+ configured with sessionCookiePath="/"
will always
-+ use the same session ID. This holds even if the session is invalidated
-+ and a new one created. This makes session fixation protection more
-+ difficult and requires custom, Tomcat specific code to change the
-+ session ID shared by the multiple applications.
false
.
- If the value of this flag is true
, the TLD files
-- XML validation will be namespace-aware. If you turn this flag on,
-- you should probably also turn tldValidation
on. If the
-- org.apache.catalina.STRICT_SERVLET_COMPLIANCE
-- system property is set to
-- true
, the default value of this attribute will be
-- true
, else the default value will be false
.
-- Setting this attribute to true
will incur a performance
-- penalty.
If the value of this flag is true
, the TLD files
- will be XML validated on context startup. If the
-@@ -528,11 +524,26 @@
- Context. If not specified, a standard default value will be used.
If the value of this flag is true
, the parsing of
-+ web.xml
, web-fragment.xml
, *.tld
,
-+ *.jspx
, *.tagx
and tagPlugins.xml
-+ files for this web application will not permit external entities to be
-+ loaded. If a SecurityManager
is configured then the default
-+ value of this attribute will be true
, else the default
-+ value will be false
.
If the value of this flag is true
, the validation of
-- XML files will be namespace-aware. If you turn this flag on,
-- you should probably also turn xmlValidation
on. If
-- the org.apache.catalina.STRICT_SERVLET_COMPLIANCE
-+
If the value of this flag is true
, the parsing of
-+ web.xml
and web-fragment.xml
files for this
-+ web application will be namespace-aware. Note that *.tld
,
-+ *.jspx
and *.tagx
files are always parsed
-+ using a namespace-aware parser and that the tagPlugins.xml
-+ file (if any) is never parsed using a namespace-aware parser. Note also
-+ that if you turn this flag on, you should probably also turn
-+ xmlValidation
on. If the
-+ org.apache.catalina.STRICT_SERVLET_COMPLIANCE
- system property is set to
- true
, the default value of this attribute will be
- true
, else the default value will be false
.
-@@ -541,8 +552,9 @@
-
If the value of this flag is true
, the XML files
-- will be validated on context startup. If the
-+
If the value of this flag is true
, the parsing of
-+ web.xml
and web-fragment.xml
files for this
-+ web application will use a validating parser. If the
- org.apache.catalina.STRICT_SERVLET_COMPLIANCE
- system property is set to
- true
, the default value of this attribute will be
-@@ -706,7 +718,10 @@
- is likely to result in instability. As such, enabling this should be
- viewed as an option of last resort in a development environment and is
- not recommended in a production environment. If not specified, the
-- default value of false
will be used.
false
will be used. If this feature is
-+ enabled, web applications may take up to two seconds longer to stop as
-+ executor threads are given up to two seconds to stop gracefully before
-+ Thread.stop()
is called on any remaining threads.
- false
will be used.
- Set to true
if you want a context XML descriptor
-+ embedded inside the application (located at
-+ /META-INF/context.xml
) to be copied to the owning
-+ Host's xmlBase
when the application
-+ is deployed. On subsequent starts, the copied context XML descriptor
-+ will be used in preference to any context XML descriptor embedded inside
-+ the application even if the descriptor embedded inside the application
-+ is more recent. The flag's value defaults to false
. Note if
-+ the deployXML attribute of the owning
-+ Host is false
or if the
-+ copyXML attribute of the owning
-+ Host is true
, this attribute will
-+ have no effect.
If Tomcat ships with a number of web applications by default.
-- Vulnerabilities have been discovered in these applications in the past.
-- Applications that are not required should be removed so the system will not
-- be at risk if another vulnerability is discovered. Tomcat ships with a number of web applications that are enabled by
-+ default. Vulnerabilities have been discovered in these applications in the
-+ past. Applications that are not required should be removed so the system
-+ will not be at risk if another vulnerability is discovered. The ROOT web application presents a very low security risk but it does
-+ include the version of Tomcat that is being used. The ROOT web application
-+ should normally be removed from a publicly accessible Tomcat instance, not
-+ for security reasons, but so that a more appropriate default page is shown
-+ to users. The documentation web application presents a very low security risk but
-+ it does identify the version of Tomcat that is being used. It should
-+ normally be removed from a publicly accessible Tomcat instance. The examples web application should always be removed from any security
-+ sensitive installation. While the examples web application does not
-+ contain any known vulnerabilities, it is known to contain features
-+ (particularly the cookie examples that display the contents of all
-+ received and allow new cookies to be set) that may be used by an attacker
-+ in conjunction with a vulnerability in another application deployed on the
-+ Tomcat instance to obtain additional information that would otherwise be
-+ unavailable. The Manager application allows the remote deployment of web
-+ applications and is frequently targeted by attackers due to the widespread
-+ use of weak passwords and publicly accessible Tomcat instances with the
-+ Manager application enabled. The Manager application is not accessible by
-+ default as no users are configured with the necessary access. If the
-+ Manager application is enabled then guidance in the section
-+ Securing Management Applications section should be
-+ followed. The Host Manager application allows the creation and management of
-+ virtual hosts - including the enabling of the Manager application for a
-+ virtual host. The Host Manager application is not accessible by default
-+ as no users are configured with the necessary access. If the Host Manager
-+ application is enabled then guidance in the section Securing
-+ Management Applications section should be followed. When deploying a web application that provides management functions for
-+ the Tomcat instance, the following guidelines should be followed:true
, any attempt by an application to modify the
- provided JNDI context with a call to bind(), unbind(),
---- webapps/docs/security-howto.xml.orig 2014-07-21 17:24:05.649404000 -0400
-+++ webapps/docs/security-howto.xml 2014-07-21 17:46:59.538035000 -0400
-@@ -72,10 +72,74 @@
-
-
-
-+
-+ Ensure that any users permitted to access the management application
-+ have strong passwords.
-+ Do not remove the use of the LockOutRealm
-+ which prevents brute force attacks against user passwords.
-+ Uncomment the RemoteAddrValve
-+ in
-+ /META-INF/context.xml
which limits access to
-+ localhost. If remote access is required, limit it to specific IP
-+ addresses using this valve.
Enabling the security manager changes the defaults for the following -+ settings:
-+false
.true
.
-+ In a hosted environment where web applications may not be trusted, set
-- the deployXML attribute to false
to ignore any
-- context.xml packaged with the web application that may try to assign
-- increased privileges to the web application.
false
to ignore
-+ any context.xml packaged with the web application that may try to assign
-+ increased privileges to the web application. Note that if the security
-+ manager is enabled that the deployXML attribute will
-+ default to false
.
-
-
- Digester
parser.
-+ * @param xmlValidation turn on/off xml validation
-+ * @param xmlNamespaceAware turn on/off namespace validation
-+ * @param rule an instance of RuleSet
used for parsing the xml.
-+ * @param blockExternal turn on/off the blocking of external resources
-+ */
-+ public static Digester newDigester(boolean xmlValidation,
-+ boolean xmlNamespaceAware,
-+ RuleSet rule,
-+ boolean blockExternal) {
-+ Digester digester = new Digester();
-+ digester.setNamespaceAware(xmlNamespaceAware);
-+ digester.setValidating(xmlValidation);
-+ digester.setUseContextClassLoader(true);
-+ EntityResolver2 resolver = new LocalResolver(SERVLET_API_PUBLIC_IDS,
-+ SERVLET_API_SYSTEM_IDS, blockExternal);
-+ digester.setEntityResolver(resolver);
-+ if (rule != null) {
-+ digester.addRuleSet(rule);
-+ }
-+
-+ return digester;
-+ }
-+}
---- java/org/apache/tomcat/util/descriptor/LocalResolver.java.orig 2014-07-21 17:24:05.658412000 -0400
-+++ java/org/apache/tomcat/util/descriptor/LocalResolver.java 2014-07-21 17:46:59.555034000 -0400
-@@ -0,0 +1,146 @@
-+/*
-+ * Licensed to the Apache Software Foundation (ASF) under one or more
-+ * contributor license agreements. See the NOTICE file distributed with
-+ * this work for additional information regarding copyright ownership.
-+ * The ASF licenses this file to You under the Apache License, Version 2.0
-+ * (the "License"); you may not use this file except in compliance with
-+ * the License. You may obtain a copy of the License at
-+ *
-+ * http://www.apache.org/licenses/LICENSE-2.0
-+ *
-+ * Unless required by applicable law or agreed to in writing, software
-+ * distributed under the License is distributed on an "AS IS" BASIS,
-+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-+ * See the License for the specific language governing permissions and
-+ * limitations under the License.
-+ */
-+package org.apache.tomcat.util.descriptor;
-+
-+import java.io.FileNotFoundException;
-+import java.io.IOException;
-+import java.net.MalformedURLException;
-+import java.net.URI;
-+import java.net.URISyntaxException;
-+import java.net.URL;
-+import java.util.Map;
-+
-+import org.apache.tomcat.util.res.StringManager;
-+import org.xml.sax.InputSource;
-+import org.xml.sax.SAXException;
-+import org.xml.sax.ext.EntityResolver2;
-+
-+/**
-+ * A resolver for locally cached XML resources.
-+ */
-+public class LocalResolver implements EntityResolver2 {
-+
-+ private static final StringManager sm =
-+ StringManager.getManager(Constants.PACKAGE_NAME);
-+
-+ private final MapServletContextListener
s defined in one of the
diff --git a/SOURCES/tomcat-7.0.42-CVE-2014-0075.patch b/SOURCES/tomcat-7.0.42-CVE-2014-0075.patch
deleted file mode 100644
index 0b682d5..0000000
--- a/SOURCES/tomcat-7.0.42-CVE-2014-0075.patch
+++ /dev/null
@@ -1,284 +0,0 @@
---- java/org/apache/coyote/http11/filters/ChunkedInputFilter.java.orig 2014-06-16 18:41:33.642851000 -0400
-+++ java/org/apache/coyote/http11/filters/ChunkedInputFilter.java 2014-06-16 19:36:36.796994000 -0400
-@@ -29,6 +29,7 @@
- import org.apache.tomcat.util.buf.HexUtils;
- import org.apache.tomcat.util.buf.MessageBytes;
- import org.apache.tomcat.util.http.MimeHeaders;
-+import org.apache.tomcat.util.res.StringManager;
-
- /**
- * Chunked input filter. Parses chunked data according to
-@@ -39,6 +40,9 @@
- */
- public class ChunkedInputFilter implements InputFilter {
-
-+ private static final StringManager sm = StringManager.getManager(
-+ ChunkedInputFilter.class.getPackage().getName());
-+
- private static final org.apache.juli.logging.Log log
- = org.apache.juli.logging.LogFactory.getLog(ChunkedInputFilter.class);
-
-@@ -138,6 +142,11 @@
- */
- private long extensionSize;
-
-+ /**
-+ * Flat that indicates an error has occured
-+ */
-+ private boolean error;
-+
- // ----------------------------------------------------------- Constructors
- public ChunkedInputFilter(int maxTrailerSize, int maxExtensionSize) {
- this.trailingHeaders.setLimit(maxTrailerSize);
-@@ -161,6 +170,8 @@
- public int doRead(ByteChunk chunk, Request req)
- throws IOException {
-
-+ checkError();
-+
- if (endChunk)
- return -1;
-
-@@ -171,7 +182,8 @@
-
- if (remaining <= 0) {
- if (!parseChunkHeader()) {
-- throw new IOException("Invalid chunk header");
-+ throwIOException(sm.getString(
-+ "chunkedInputFilter.invalidHeader"));
- }
- if (endChunk) {
- parseEndChunk();
-@@ -183,9 +195,9 @@
-
- if (pos >= lastValid) {
- if (readBytes() < 0) {
-- throw new IOException(
-- "Unexpected end of stream whilst reading request body");
-+ throwIOException(sm.getString("chunkedInputFilter.eos"));
- }
-+
- }
-
- if (remaining > (lastValid - pos)) {
-@@ -232,6 +244,8 @@
- public long end()
- throws IOException {
-
-+ checkError();
-+
- // Consume extra bytes : parse the stream until the end chunk is found
- while (doRead(readChunk, null) >= 0) {
- // NOOP: Just consume the input
-@@ -274,6 +288,7 @@
- trailingHeaders.recycle();
- trailingHeaders.setLimit(maxTrailerSize);
- extensionSize = 0;
-+ error = false;
- }
-
-
-@@ -286,6 +301,22 @@
- return ENCODING;
- }
-
-+ private void throwIOException(String msg) throws IOException {
-+ error = true;
-+ throw new IOException(msg);
-+ }
-+
-+ private void throwEOFException(String msg) throws IOException {
-+ error = true;
-+ throw new IOException(msg);
-+ }
-+
-+ private void checkError() throws IOException {
-+ if (error) {
-+ throw new IOException(
-+ sm.getString("chunkedInputFilter.error"));
-+ }
-+ }
-
- // ------------------------------------------------------ Protected Methods
-
-@@ -322,7 +353,7 @@
-
- int result = 0;
- boolean eol = false;
-- boolean readDigit = false;
-+ int readDigit = 0;
- boolean extension = false;
-
- while (!eol) {
-@@ -346,10 +377,9 @@
- } else if (!extension) {
- //don't read data after the trailer
- int charValue = HexUtils.getDec(buf[pos]);
-- if (charValue != -1) {
-- readDigit = true;
-- result *= 16;
-- result += charValue;
-+ if (charValue != -1 && readDigit < 8) {
-+ readDigit++;
-+ result = (result << 4) | charValue;
- } else {
- //we shouldn't allow invalid, non hex characters
- //in the chunked header
-@@ -362,7 +392,8 @@
- // validated. Currently it is simply ignored.
- extensionSize++;
- if (maxExtensionSize > -1 && extensionSize > maxExtensionSize) {
-- throw new IOException("maxExtensionSize exceeded");
-+ throwIOException(sm.getString(
-+ "chunkedInputFilter.maxExtension"));
- }
- }
- // Parsing the CRLF increments pos
-@@ -371,7 +402,7 @@
- }
- }
-
-- if (!readDigit)
-+ if (readDigit == 0 || result < 0)
- return false;
-
- if (result == 0)
-@@ -411,20 +442,27 @@
- while (!eol) {
-
- if (pos >= lastValid) {
-- if (readBytes() <= 0)
-- throw new IOException("Invalid CRLF");
-+ if (readBytes() <= 0) {
-+ throwIOException(sm.getString(
-+ "chunkedInputFilter.invaldCrlfNoData"));
-+ }
- }
-
- if (buf[pos] == Constants.CR) {
-- if (crfound) throw new IOException("Invalid CRLF, two CR characters encountered.");
-+ if (crfound) {
-+ throwIOException(sm.getString(
-+ "chunkedInputFilter.invaldCrlfCRCR"));
-+ }
- crfound = true;
- } else if (buf[pos] == Constants.LF) {
- if (!tolerant && !crfound) {
-- throw new IOException("Invalid CRLF, no CR character encountered.");
-+ throwIOException(sm.getString(
-+ "chunkedInputFilter.invalidCrlfNoCR"));
- }
- eol = true;
- } else {
-- throw new IOException("Invalid CRLF");
-+ throwIOException(
-+ sm.getString("chunkedInputFilter.invalidCrlf"));
- }
-
- pos++;
-@@ -453,8 +491,10 @@
-
- // Read new bytes if needed
- if (pos >= lastValid) {
-- if (readBytes() <0)
-- throw new EOFException("Unexpected end of stream whilst reading trailer headers for chunked request");
-+ if (readBytes() <0) {
-+ throwEOFException(
-+ sm.getString("chunkedInputFilter.eosTrailer"));
-+ }
- }
-
- chr = buf[pos];
-@@ -478,8 +518,10 @@
-
- // Read new bytes if needed
- if (pos >= lastValid) {
-- if (readBytes() <0)
-- throw new EOFException("Unexpected end of stream whilst reading trailer headers for chunked request");
-+ if (readBytes() <0) {
-+ throwEOFException(sm.getString(
-+ "chunkedInputFilter.eosTrailer"));
-+ }
- }
-
- chr = buf[pos];
-@@ -530,7 +572,8 @@
- // limit placed on trailing header size
- int newlimit = trailingHeaders.getLimit() -1;
- if (trailingHeaders.getEnd() > newlimit) {
-- throw new IOException("Exceeded maxTrailerSize");
-+ throw new IOException(
-+ sm.getString("chunkedInputFilter.maxTrailer"));
- }
- trailingHeaders.setLimit(newlimit);
- } else {
-@@ -542,8 +585,11 @@
-
- // Read new bytes if needed
- if (pos >= lastValid) {
-- if (readBytes() <0)
-- throw new EOFException("Unexpected end of stream whilst reading trailer headers for chunked request");
-+ if (readBytes() <0) {
-+ throwEOFException(
-+ sm.getString("chunkedInputFilter.eosTrailer"));
-+ }
-+
- }
-
- chr = buf[pos];
-@@ -567,8 +613,10 @@
-
- // Read new bytes if needed
- if (pos >= lastValid) {
-- if (readBytes() <0)
-- throw new EOFException("Unexpected end of stream whilst reading trailer headers for chunked request");
-+ if (readBytes() <0) {
-+ throwEOFException(sm.getString(
-+ "chunkedInputFilter.eosTrailer"));
-+ }
- }
-
- chr = buf[pos];
---- java/org/apache/coyote/http11/filters/LocalStrings.properties.orig 2014-06-16 18:41:33.647850000 -0400
-+++ java/org/apache/coyote/http11/filters/LocalStrings.properties 2014-06-16 19:22:22.740111000 -0400
-@@ -0,0 +1,25 @@
-+# Licensed to the Apache Software Foundation (ASF) under one or more
-+# contributor license agreements. See the NOTICE file distributed with
-+# this work for additional information regarding copyright ownership.
-+# The ASF licenses this file to You under the Apache License, Version 2.0
-+# (the "License"); you may not use this file except in compliance with
-+# the License. You may obtain a copy of the License at
-+#
-+# http://www.apache.org/licenses/LICENSE-2.0
-+#
-+# Unless required by applicable law or agreed to in writing, software
-+# distributed under the License is distributed on an "AS IS" BASIS,
-+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-+# See the License for the specific language governing permissions and
-+# limitations under the License.
-+
-+chunkedInputFilter.error=No data available due to previous error
-+chunkedInputFilter.eos=Unexpected end of stream while reading request body
-+chunkedInputFilter.eosTrailer=Unexpected end of stream while reading trailer headers
-+chunkedInputFilter.invalidCrlf=Invalid end of line sequence (character other than CR or LF found)
-+chunkedInputFilter.invalidCrlfCRCR=Invalid end of line sequence (CRCR)
-+chunkedInputFilter.invalidCrlfNoCR=Invalid end of line sequence (No CR before LF)
-+chunkedInputFilter.invalidCrlfNoData=Invalid end of line sequence (no data available to read)
-+chunkedInputFilter.invalidHeader=Invalid chunk header
-+chunkedInputFilter.maxExtension=maxExtensionSize exceeded
-+chunkedInputFilter.maxTrailer=maxTrailerSize exceeded
---- webapps/docs/changelog.xml.orig 2014-06-16 18:41:33.658857000 -0400
-+++ webapps/docs/changelog.xml 2014-06-16 19:37:59.354278000 -0400
-@@ -336,6 +336,12 @@
- The default resource-serving servlet for most web applications,
- * used to serve static resources such as HTML pages and images.
-@@ -122,6 +130,10 @@
-
- private static final long serialVersionUID = 1L;
-
-+ private static final DocumentBuilderFactory factory;
-+
-+ private static final SecureEntityResolver secureEntityResolver =
-+ new SecureEntityResolver();
- // ----------------------------------------------------- Instance Variables
-
-
-@@ -227,6 +239,9 @@
- urlEncoder.addSafeCharacter('.');
- urlEncoder.addSafeCharacter('*');
- urlEncoder.addSafeCharacter('/');
-+ factory = DocumentBuilderFactory.newInstance();
-+ factory.setNamespaceAware(true);
-+ factory.setValidating(false);
- }
-
-
-@@ -1243,13 +1258,11 @@
- protected InputStream render(String contextPath, CacheEntry cacheEntry)
- throws IOException, ServletException {
-
-- InputStream xsltInputStream =
-- findXsltInputStream(cacheEntry.context);
--
-- if (xsltInputStream==null) {
-+ Source xsltSource = findXsltInputStream(cacheEntry.context);
-+ if (xsltSource ==null) {
- return renderHtml(contextPath, cacheEntry);
- }
-- return renderXml(contextPath, cacheEntry, xsltInputStream);
-+ return renderXml(contextPath, cacheEntry, xsltSource);
-
- }
-
-@@ -1262,7 +1275,7 @@
- */
- protected InputStream renderXml(String contextPath,
- CacheEntry cacheEntry,
-- InputStream xsltInputStream)
-+ Source xsltSource)
- throws IOException, ServletException {
-
- StringBuilder sb = new StringBuilder();
-@@ -1356,8 +1369,7 @@
- try {
- TransformerFactory tFactory = TransformerFactory.newInstance();
- Source xmlSource = new StreamSource(new StringReader(sb.toString()));
-- Source xslSource = new StreamSource(xsltInputStream);
-- Transformer transformer = tFactory.newTransformer(xslSource);
-+ Transformer transformer = tFactory.newTransformer(xsltSource);
-
- ByteArrayOutputStream stream = new ByteArrayOutputStream();
- OutputStreamWriter osWriter = new OutputStreamWriter(stream, "UTF8");
-@@ -1578,7 +1590,7 @@
- /**
- * Return the xsl template inputstream (if possible)
- */
-- protected InputStream findXsltInputStream(DirContext directory)
-+ protected Source findXsltInputStream(DirContext directory)
- throws IOException {
-
- if (localXsltFile != null) {
-@@ -1586,8 +1598,13 @@
- Object obj = directory.lookup(localXsltFile);
- if ((obj != null) && (obj instanceof Resource)) {
- InputStream is = ((Resource) obj).streamContent();
-- if (is != null)
-- return is;
-+ if (is != null) {
-+ if (Globals.IS_SECURITY_ENABLED) {
-+ return secureXslt(is);
-+ } else {
-+ return new StreamSource(is);
-+ }
-+ }
- }
- } catch (NamingException e) {
- if (debug > 10)
-@@ -1598,8 +1615,13 @@
- if (contextXsltFile != null) {
- InputStream is =
- getServletContext().getResourceAsStream(contextXsltFile);
-- if (is != null)
-- return is;
-+ if (is != null) {
-+ if (Globals.IS_SECURITY_ENABLED) {
-+ return secureXslt(is);
-+ } else {
-+ return new StreamSource(is);
-+ }
-+ }
-
- if (debug > 10)
- log("contextXsltFile '" + contextXsltFile + "' not found");
-@@ -1608,25 +1630,111 @@
- /* Open and read in file in one fell swoop to reduce chance
- * chance of leaving handle open.
- */
-- if (globalXsltFile!=null) {
-- FileInputStream fis = null;
-+ if (globalXsltFile != null) {
-+ File f = validateGlobalXsltFile();
-+ if (f != null ){
-+ FileInputStream fis = null;
-+ try {
-+ fis = new FileInputStream(f);
-+ byte b[] = new byte[(int)f.length()]; /* danger! */
-+ fis.read(b);
-+ return new StreamSource(new ByteArrayInputStream(b));
-+ } finally {
-+ if (fis != null) {
-+ try {
-+ fis.close();
-+ } catch(IOException ioe) {
-+ // ignore
-+ }
-+ }
-+ }
-+ }
-+ }
-
-- try {
-- File f = new File(globalXsltFile);
-- if (f.exists()){
-- fis =new FileInputStream(f);
-- byte b[] = new byte[(int)f.length()]; /* danger! */
-- fis.read(b);
-- return new ByteArrayInputStream(b);
-- }
-- } finally {
-- if (fis!=null)
-- fis.close();
-+ return null;
-+
-+ }
-+
-+ private File validateGlobalXsltFile() {
-+
-+ File result = null;
-+ String base = System.getProperty(Globals.CATALINA_BASE_PROP);
-+
-+ if (base != null) {
-+ File baseConf = new File(base, "conf");
-+ result = validateGlobalXsltFile(baseConf);
-+ }
-+
-+ if (result == null) {
-+ String home = System.getProperty(Globals.CATALINA_HOME_PROP);
-+ if (home != null && !home.equals(base)) {
-+ File homeConf = new File(home, "conf");
-+ result = validateGlobalXsltFile(homeConf);
- }
- }
-
-- return null;
-+ return result;
-+ }
-+
-
-+ private File validateGlobalXsltFile(File base) {
-+ File candidate = new File(globalXsltFile);
-+ if (!candidate.isAbsolute()) {
-+ candidate = new File(base, globalXsltFile);
-+ }
-+
-+ if (!candidate.isFile()) {
-+ return null;
-+ }
-+
-+ // First check that the resulting path is under the provided base
-+ try {
-+ if (!candidate.getCanonicalPath().startsWith(base.getCanonicalPath())) {
-+ return null;
-+ }
-+ } catch (IOException ioe) {
-+ return null;
-+ }
-+
-+ // Next check that an .xsl or .xslt file has been specified
-+ String nameLower = candidate.getName().toLowerCase(Locale.ENGLISH);
-+ if (!nameLower.endsWith(".xslt") && !nameLower.endsWith(".xsl")) {
-+ return null;
-+ }
-+
-+ return candidate;
-+ }
-+
-+ private Source secureXslt(InputStream is) {
-+ // Need to filter out any external entities
-+ Source result = null;
-+ try {
-+ DocumentBuilder builder = factory.newDocumentBuilder();
-+ builder.setEntityResolver(secureEntityResolver);
-+ Document document = builder.parse(is);
-+ result = new DOMSource(document);
-+ } catch (ParserConfigurationException e) {
-+ if (debug > 0) {
-+ log(e.getMessage(), e);
-+ }
-+ } catch (SAXException e) {
-+ if (debug > 0) {
-+ log(e.getMessage(), e);
-+ }
-+ } catch (IOException e) {
-+ if (debug > 0) {
-+ log(e.getMessage(), e);
-+ }
-+ } finally {
-+ if (is != null) {
-+ try {
-+ is.close();
-+ } catch (IOException e) {
-+ // Ignore
-+ }
-+ }
-+ }
-+ return result;
- }
-
-
-@@ -2150,4 +2258,34 @@
- return (start >= 0) && (end >= 0) && (start <= end) && (length > 0);
- }
- }
-+
-+ /**
-+ * This is secure in the sense that any attempt to use an external entity
-+ * will trigger an exception.
-+ */
-+ private static class SecureEntityResolver implements EntityResolver2 {
-+
-+ @Override
-+ public InputSource resolveEntity(String publicId, String systemId)
-+ throws SAXException, IOException {
-+ throw new SAXException(sm.getString("defaultServlet.blockExternalEntity",
-+ publicId, systemId));
-+ }
-+
-+ @Override
-+ public InputSource getExternalSubset(String name, String baseURI)
-+ throws SAXException, IOException {
-+ throw new SAXException(sm.getString("defaultServlet.blockExternalSubset",
-+ name, baseURI));
-+ }
-+
-+ @Override
-+ public InputSource resolveEntity(String name, String publicId,
-+ String baseURI, String systemId) throws SAXException,
-+ IOException {
-+ throw new SAXException(sm.getString("defaultServlet.blockExternalEntity2",
-+ name, publicId, baseURI, systemId));
-+ }
-+ }
- }
-+
---- java/org/apache/catalina/servlets/LocalStrings.properties.orig 2014-06-16 14:44:40.830411000 -0400
-+++ java/org/apache/catalina/servlets/LocalStrings.properties 2014-06-16 16:15:08.577726000 -0400
-@@ -13,6 +13,10 @@
- # See the License for the specific language governing permissions and
- # limitations under the License.
-
-+
-+defaultServlet.blockExternalEntity=Blocked access to external entity with publicId [{0}] and systemId [{0}]
-+defaultServlet.blockExternalEntity2=Blocked access to external entity with name [{0}], publicId [{1}], baseURI [{2}] and systemId [{3}]
-+defaultServlet.blockExternalSubset=Blocked access to external subset with name [{0}] and baseURI [{1}]
- defaultServlet.missingResource=The requested resource ({0}) is not available
- defaultservlet.directorylistingfor=Directory Listing for:
- defaultservlet.upto=Up to:
---- webapps/docs/default-servlet.xml.orig 2014-06-16 14:44:40.836413000 -0400
-+++ webapps/docs/default-servlet.xml 2014-06-16 16:17:41.419241000 -0400
-@@ -110,22 +110,24 @@
-
contextXsltFile
. This should be a context
-- relative path (e.g.: /path/to/context.xslt
). This
-- overrides globalXsltFile
. If this value is present but a
-- file does not exist, then globalXsltFile
will be used. If
- globalXsltFile
does not exist, then the default
-+ configuring contextXsltFile
. This must be a context
-+ relative path (e.g.: /path/to/context.xslt
) to a file with
-+ a .xsl
or .xslt
extension. This overrides
-+ globalXsltFile
. If this value is present but a file does
-+ not exist, then globalXsltFile
will be used. If
- directory listing will be shown.
- localXsltFile
. This should be a relative
-- file name in the directory where the listing will take place.
-- This overrides globalXsltFile
and
-- contextXsltFile
. If this value is present but a file
-- does not exist, then contextXsltFile
will be used. If
-+ configuring localXsltFile
. This must be a file in the
-+ directory where the listing will take place to with a
-+ .xsl
or .xslt
extension. This overrides
-+ globalXsltFile
and contextXsltFile
. If this
-+ value is present but a file does not exist, then
-+ contextXsltFile
will be used. If
- contextXsltFile
does not exist, then
- globalXsltFile
will be used. If
- globalXsltFile
does not exist, then the default
diff --git a/SOURCES/tomcat-7.0.42-CVE-2014-0099.patch b/SOURCES/tomcat-7.0.42-CVE-2014-0099.patch
deleted file mode 100644
index ac72ae3..0000000
--- a/SOURCES/tomcat-7.0.42-CVE-2014-0099.patch
+++ /dev/null
@@ -1,49 +0,0 @@
---- java/org/apache/tomcat/util/buf/Ascii.java.orig 2014-06-16 13:31:00.031497000 -0400
-+++ java/org/apache/tomcat/util/buf/Ascii.java 2014-06-16 13:40:15.667390000 -0400
-@@ -40,6 +40,7 @@
- private static final boolean[] isWhite = new boolean[256];
- private static final boolean[] isDigit = new boolean[256];
-
-+ private static final long OVERFLOW_LIMIT = Long.MAX_VALUE / 10;
- /*
- * Initialize character translation and type tables.
- */
-@@ -206,20 +207,16 @@
- }
-
- long n = c - '0';
-- long m;
-
- while (--len > 0) {
-- if (!isDigit(c = b[off++])) {
-+ if (isDigit(c = b[off++]) &&
-+ (n < OVERFLOW_LIMIT ||
-+ ( n == OVERFLOW_LIMIT && (c - '0') < 8))) {
-+ n = n * 10 + c - '0';
-+ } else {
- throw new NumberFormatException();
- }
-- m = n * 10 + c - '0';
-
-- if (m < n) {
-- // Overflow
-- throw new NumberFormatException();
-- } else {
-- n = m;
-- }
- }
-
- return n;
---- webapps/docs/changelog.xml.orig 2014-06-16 13:31:00.067494000 -0400
-+++ webapps/docs/changelog.xml 2014-06-16 13:42:21.284821000 -0400
-@@ -59,6 +59,10 @@
- The default resource-serving servlet for most web applications,
- * used to serve static resources such as HTML pages and images.
-@@ -122,9 +124,7 @@
- *
- * @author Craig R. McClanahan
- * @author Remy Maucherat
-- * @version $Id: DefaultServlet.java 1301255 2012-03-15 22:47:40Z markt $
- */
--
- public class DefaultServlet
- extends HttpServlet {
-
-@@ -132,10 +132,10 @@
-
- private static final DocumentBuilderFactory factory;
-
-- private static final SecureEntityResolver secureEntityResolver =
-- new SecureEntityResolver();
-- // ----------------------------------------------------- Instance Variables
-+ private static final SecureEntityResolver secureEntityResolver;
-+
-
-+ // ----------------------------------------------------- Instance Variables
-
- /**
- * The debugging detail level for this servlet.
-@@ -225,6 +225,11 @@
- */
- protected static final ArrayList