tomcat/CVE-2019-0221.patch

From 15fcd166ea2c1bb79e8541b8e1a43da9c452ceea Mon Sep 17 00:00:00 2001
From: Mark Thomas <markt@apache.org>
Date: Mon, 11 Mar 2019 11:33:03 +0000
Subject: [PATCH] Escape debug output to aid readability

reason: Escape debug output to aid readability, fix CVE CVE-2019-0221
https://github.com/apache/tomcat/commit/15fcd16

---
 java/org/apache/catalina/ssi/SSIPrintenv.java | 3 +--
 webapps/docs/changelog.xml                    | 3 +++
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/java/org/apache/catalina/ssi/SSIPrintenv.java b/java/org/apache/catalina/ssi/SSIPrintenv.java
index 97470b2..092542f 100644
--- a/java/org/apache/catalina/ssi/SSIPrintenv.java
+++ b/java/org/apache/catalina/ssi/SSIPrintenv.java
@@ -41,8 +41,7 @@ public class SSIPrintenv implements SSICommand {
         } else {
             Collection<String> variableNames = ssiMediator.getVariableNames();
             for (String variableName : variableNames) {
-                String variableValue = ssiMediator
-                        .getVariableValue(variableName);
+                String variableValue = ssiMediator.getVariableValue(variableName, "entity");
                 //This shouldn't happen, since all the variable names must
                 // have values
                 if (variableValue == null) {
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 697cf07..cbd3961 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -52,6 +52,9 @@
         <code>Expires</code> header as required by HTTP specification
         (RFC 7231, 7234). (kkolinko)
       </fix>
+      <fix>
+        Encode the output of the SSI <code>printenv</code> command. (markt)
+      </fix>
     </changelog>
   </subsection>
 </section>
-- 
1.8.3.1
package init 2020-02-28 20:54:21 -05:00			`From 15fcd166ea2c1bb79e8541b8e1a43da9c452ceea Mon Sep 17 00:00:00 2001`
			`From: Mark Thomas <markt@apache.org>`
			`Date: Mon, 11 Mar 2019 11:33:03 +0000`
			`Subject: [PATCH] Escape debug output to aid readability`

			`reason: Escape debug output to aid readability, fix CVE CVE-2019-0221`
			`https://github.com/apache/tomcat/commit/15fcd16`

			`---`
			`java/org/apache/catalina/ssi/SSIPrintenv.java \| 3 +--`
			`webapps/docs/changelog.xml \| 3 +++`
			`2 files changed, 4 insertions(+), 2 deletions(-)`

			`diff --git a/java/org/apache/catalina/ssi/SSIPrintenv.java b/java/org/apache/catalina/ssi/SSIPrintenv.java`
			`index 97470b2..092542f 100644`
			`--- a/java/org/apache/catalina/ssi/SSIPrintenv.java`
			`+++ b/java/org/apache/catalina/ssi/SSIPrintenv.java`
			`@@ -41,8 +41,7 @@ public class SSIPrintenv implements SSICommand {`
			`} else {`
			`Collection<String> variableNames = ssiMediator.getVariableNames();`
			`for (String variableName : variableNames) {`
			`- String variableValue = ssiMediator`
			`- .getVariableValue(variableName);`
			`+ String variableValue = ssiMediator.getVariableValue(variableName, "entity");`
			`//This shouldn't happen, since all the variable names must`
			`// have values`
			`if (variableValue == null) {`
			`diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml`
			`index 697cf07..cbd3961 100644`
			`--- a/webapps/docs/changelog.xml`
			`+++ b/webapps/docs/changelog.xml`
			`@@ -52,6 +52,9 @@`
			`<code>Expires</code> header as required by HTTP specification`
			`(RFC 7231, 7234). (kkolinko)`
			`</fix>`
			`+ <fix>`
			`+ Encode the output of the SSI <code>printenv</code> command. (markt)`
			`+ </fix>`
			`</changelog>`
			`</subsection>`
			`</section>`
			`--`
			`1.8.3.1`