From 15fcd166ea2c1bb79e8541b8e1a43da9c452ceea Mon Sep 17 00:00:00 2001
From: Mark Thomas
Date: Mon, 11 Mar 2019 11:33:03 +0000
Subject: [PATCH] Escape debug output to aid readability
reason: Escape debug output to aid readability, fix CVE CVE-2019-0221 https://github.com/apache/tomcat/commit/15fcd16
---
 java/org/apache/catalina/ssi/SSIPrintenv.java | 3 +--
 webapps/docs/changelog.xml | 3 +++
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/java/org/apache/catalina/ssi/SSIPrintenv.java b/java/org/apache/catalina/ssi/SSIPrintenv.java
index 97470b2..092542f 100644
--- a/java/org/apache/catalina/ssi/SSIPrintenv.java
+++ b/java/org/apache/catalina/ssi/SSIPrintenv.java
@@ -41,8 +41,7 @@ public class SSIPrintenv implements SSICommand {
 } else {
 Collection variableNames = ssiMediator.getVariableNames();
 for (String variableName : variableNames) {
- String variableValue = ssiMediator
- .getVariableValue(variableName);
+ String variableValue = ssiMediator.getVariableValue(variableName, "entity");
 //This shouldn't happen, since all the variable names must
 // have values
 if (variableValue == null) {
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 697cf07..cbd3961 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -52,6 +52,9 @@
 Expires header as required by HTTP specification (RFC 7231, 7234). (kkolinko)
+
+ Encode the output of the SSI printenv command. (markt)
+
--
1.8.3.1
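Review bot: The added `ssiMediator.getVariableValue(variableName, "entity")` line selects the output encoding with a bare string literal and carries no comment on why it is needed, yet it is the line that makes the fix; a reader should not have to find the changelog entry to understand it. I would put above it `// Values are written into the response body; "entity" asks the mediator for entity encoding so markup characters in a variable's value are not emitted raw` (the precise meaning of "entity" is defined in SSIMediator, outside this hunk, so confirm the wording against it). A named constant for the encoding string would also keep this call in step with any other call sites that pass the same value. The enclosing method starts before and continues after the hunk, so whether `variableName` is written to the response unencoded further down cannot be judged from here and is worth confirming.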