tomcat/CVE-2024-54677-5.patch

From c2f7ce21c3fb12caefee87c517a8bb4f80700044 Mon Sep 17 00:00:00 2001
From: Mark Thomas <markt@apache.org>
Date: Tue, 3 Dec 2024 17:45:03 +0000
Subject: [PATCH] Limit to 10 attributes. Add option to delete attribute.

Origin: https://github.com/apache/tomcat/commit/c2f7ce21c3fb12caefee87c517a8bb4f80700044
---
 webapps/docs/changelog.xml                    |  5 ++
 .../examples/jsp/security/protected/index.jsp | 49 ++++++++++++++++---
 2 files changed, 46 insertions(+), 8 deletions(-)

diff --git a/webapps/examples/jsp/security/protected/index.jsp b/webapps/examples/jsp/security/protected/index.jsp
index 09c23e721910..987a30fd1878 100644
--- a/webapps/examples/jsp/security/protected/index.jsp
+++ b/webapps/examples/jsp/security/protected/index.jsp
@@ -14,8 +14,10 @@
   See the License for the specific language governing permissions and
   limitations under the License.
 --%>
-<%@ page import="java.util.Enumeration" %>
+<%@ page import="java.net.URLEncoder" %>
+<%@ page import="java.nio.charset.StandardCharsets" %>
 <%@ page import="java.security.Principal" %>
+<%@ page import="java.util.Enumeration" %>
 <%@ page import="org.apache.catalina.TomcatPrincipal" %>
 <%
   if (request.getParameter("logoff") != null) {
@@ -121,31 +123,62 @@ enter it here:
 %>
 <br><br>
 
+<%
+  // Count the existing attributes
+  int sessionAttributeCount = 0;
+  Enumeration<String> names = session.getAttributeNames();
+  while (names.hasMoreElements()) {
+    names.nextElement();
+    sessionAttributeCount++;
+  }
+
+  String dataName = request.getParameter("dataName");
+  String dataValue = request.getParameter("dataValue");
+  if (dataName != null) {
+    if (dataValue == null) {
+      session.removeAttribute(dataName);
+      sessionAttributeCount--;
+    } else if (sessionAttributeCount < 10) {
+      session.setAttribute(dataName, dataValue);
+      sessionAttributeCount++;
+    } else {
+%>
+<p>Session attribute [<%= util.HTMLFilter.filter(dataName) %>] not added as there are already 10 attributes in the
+session. Delete an attribute before adding another.</p>
+<%
+    }
+  }
+
+  if (sessionAttributeCount < 10) {
+%>
 To add some data to the authenticated session, enter it here:
 <form method="GET" action='<%= response.encodeURL("index.jsp") %>'>
 <input type="text" name="dataName">
 <input type="text" name="dataValue">
 <input type="submit" >
 </form>
-<br><br>
-
 <%
-  String dataName = request.getParameter("dataName");
-  if (dataName != null) {
-    session.setAttribute(dataName, request.getParameter("dataValue"));
+  } else {
+%>
+<p>You may not add more than 10 attributes to this session.</p>
+<%
   }
 %>
+<br><br>
+
 <p>The authenticated session contains the following attributes:</p>
 <table>
 <tr><th>Name</th><th>Value</th></tr>
 <%
-  Enumeration<String> names = session.getAttributeNames();
+  names = session.getAttributeNames();
   while (names.hasMoreElements()) {
     String name = names.nextElement();
+    String value = session.getAttribute(name).toString();
 %>
 <tr>
   <td><%= util.HTMLFilter.filter(name) %></td>
-  <td><%= util.HTMLFilter.filter(String.valueOf(session.getAttribute(name))) %></td>
+  <td><%= util.HTMLFilter.filter(value) %></td>
+  <td><a href='<%= response.encodeURL("index.jsp?dataName=" + URLEncoder.encode(name, StandardCharsets.UTF_8)) %>'>delete</a></td>
 </tr>
 <%
   }
Fix CVE-2024-50379 CVE-2024-54677 (cherry picked from commit 37b6fbcf4c334035b8423e43c24b2bea2397c27f) 2024-12-18 10:49:32 +08:00			`From c2f7ce21c3fb12caefee87c517a8bb4f80700044 Mon Sep 17 00:00:00 2001`
			`From: Mark Thomas <markt@apache.org>`
			`Date: Tue, 3 Dec 2024 17:45:03 +0000`
			`Subject: [PATCH] Limit to 10 attributes. Add option to delete attribute.`

			`Origin: https://github.com/apache/tomcat/commit/c2f7ce21c3fb12caefee87c517a8bb4f80700044`
			`---`
			`webapps/docs/changelog.xml \| 5 ++`
			`.../examples/jsp/security/protected/index.jsp \| 49 ++++++++++++++++---`
			`2 files changed, 46 insertions(+), 8 deletions(-)`

			`diff --git a/webapps/examples/jsp/security/protected/index.jsp b/webapps/examples/jsp/security/protected/index.jsp`
			`index 09c23e721910..987a30fd1878 100644`
			`--- a/webapps/examples/jsp/security/protected/index.jsp`
			`+++ b/webapps/examples/jsp/security/protected/index.jsp`
			`@@ -14,8 +14,10 @@`
			`See the License for the specific language governing permissions and`
			`limitations under the License.`
			`--%>`
			`-<%@ page import="java.util.Enumeration" %>`
			`+<%@ page import="java.net.URLEncoder" %>`
			`+<%@ page import="java.nio.charset.StandardCharsets" %>`
			`<%@ page import="java.security.Principal" %>`
			`+<%@ page import="java.util.Enumeration" %>`
			`<%@ page import="org.apache.catalina.TomcatPrincipal" %>`
			`<%`
			`if (request.getParameter("logoff") != null) {`
			`@@ -121,31 +123,62 @@ enter it here:`
			`%>`
			`<br><br>`

			`+<%`
			`+ // Count the existing attributes`
			`+ int sessionAttributeCount = 0;`
			`+ Enumeration<String> names = session.getAttributeNames();`
			`+ while (names.hasMoreElements()) {`
			`+ names.nextElement();`
			`+ sessionAttributeCount++;`
			`+ }`
			`+`
			`+ String dataName = request.getParameter("dataName");`
			`+ String dataValue = request.getParameter("dataValue");`
			`+ if (dataName != null) {`
			`+ if (dataValue == null) {`
			`+ session.removeAttribute(dataName);`
			`+ sessionAttributeCount--;`
			`+ } else if (sessionAttributeCount < 10) {`
			`+ session.setAttribute(dataName, dataValue);`
			`+ sessionAttributeCount++;`
			`+ } else {`
			`+%>`
			`+<p>Session attribute [<%= util.HTMLFilter.filter(dataName) %>] not added as there are already 10 attributes in the`
			`+session. Delete an attribute before adding another.</p>`
			`+<%`
			`+ }`
			`+ }`
			`+`
			`+ if (sessionAttributeCount < 10) {`
			`+%>`
			`To add some data to the authenticated session, enter it here:`
			`<form method="GET" action='<%= response.encodeURL("index.jsp") %>'>`
			`<input type="text" name="dataName">`
			`<input type="text" name="dataValue">`
			`<input type="submit" >`
			`</form>`
			`-<br><br>`
			`-`
			`<%`
			`- String dataName = request.getParameter("dataName");`
			`- if (dataName != null) {`
			`- session.setAttribute(dataName, request.getParameter("dataValue"));`
			`+ } else {`
			`+%>`
			`+<p>You may not add more than 10 attributes to this session.</p>`
			`+<%`
			`}`
			`%>`
			`+<br><br>`
			`+`
			`<p>The authenticated session contains the following attributes:</p>`
			`<table>`
			`<tr><th>Name</th><th>Value</th></tr>`
			`<%`
			`- Enumeration<String> names = session.getAttributeNames();`
			`+ names = session.getAttributeNames();`
			`while (names.hasMoreElements()) {`
			`String name = names.nextElement();`
			`+ String value = session.getAttribute(name).toString();`
			`%>`
			`<tr>`
			`<td><%= util.HTMLFilter.filter(name) %></td>`
			`- <td><%= util.HTMLFilter.filter(String.valueOf(session.getAttribute(name))) %></td>`
			`+ <td><%= util.HTMLFilter.filter(value) %></td>`
			`+ <td><a href='<%= response.encodeURL("index.jsp?dataName=" + URLEncoder.encode(name, StandardCharsets.UTF_8)) %>'>delete</a></td>`
			`</tr>`
			`<%`
			`}`