authorlawrance <lawrance@FreeBSD.org>2006-09-11 20:56:36 +0800
committerlawrance <lawrance@FreeBSD.org>2006-09-11 20:56:36 +0800
commitafa1721c763c8fc0fb3bd8e34a86ad6ca680d560 (patch)
tree4d552142b7ab73bbb2c7961a09a8ac32160e169b /www/jakarta-tomcat5
parent44dac78037bf11f4b400b2b6f6f83a7aa9c5ef0f (diff)
Patch for a minor cross site scripting vulnerability, and bump PORTREVISION.
PR: ports/96468 Submitted by: Yann Golanski <yg2@york.ac.uk> Security: VuXML: 26a08c77-32da-4dd7-a884-a76fc49aa824
Diffstat (limited to 'www/jakarta-tomcat5')
-rw-r--r--www/jakarta-tomcat5/Makefile6
-rw-r--r--www/jakarta-tomcat5/files/patch-vuxml-26a08c77-32da-4dd7-a884-a76fc49aa82493
2 files changed, 98 insertions, 1 deletions
diff --git a/www/jakarta-tomcat5/Makefile b/www/jakarta-tomcat5/Makefile
index 383d9e3b6f5b..a42482379007 100644
--- a/www/jakarta-tomcat5/Makefile
+++ b/www/jakarta-tomcat5/Makefile
@@ -7,7 +7,7 @@
PORTNAME= jakarta-tomcat
PORTVERSION= 5.0.30
-PORTREVISION= 4
+PORTREVISION= 5
CATEGORIES= www java
MASTER_SITES= ${MASTER_SITE_APACHE_JAKARTA}
MASTER_SITE_SUBDIR= tomcat-5/v${PORTVERSION}/bin
@@ -62,6 +62,10 @@ SUB_LIST= AJP_1_3_PORT=${AJP_1_3_PORT} \
TOMCAT_VERSION=${MAJOR_VER:S/.//} \
USER=${TOMCAT_USER}
+USE_DOS2UNIX= webapps/jsp-examples/jsp2/jspx/textRotate.jspx \
+ webapps/jsp-examples/jsp2/el/functions.jsp \
+ webapps/jsp-examples/jsp2/el/implicit-objects.jsp
+
.include <bsd.port.pre.mk>
pre-patch:
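Review bot: The new `USE_DOS2UNIX` assignment has no comment tying it to the security patch, so a later maintainer cannot tell that these three paths have to stay in step with the files touched by `files/patch-vuxml-26a08c77-32da-4dd7-a884-a76fc49aa824`. Presumably the distributed JSP files have CRLF line endings and the patch would not apply without the conversion; that is not visible in this diff and is worth confirming. A one-line comment above the assignment would record the reason, for example `# CRLF files modified by files/patch-vuxml-*; must be converted before patching`. The `pre-patch` target on the hunk's last line continues outside the hunk.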
diff --git a/www/jakarta-tomcat5/files/patch-vuxml-26a08c77-32da-4dd7-a884-a76fc49aa824 b/www/jakarta-tomcat5/files/patch-vuxml-26a08c77-32da-4dd7-a884-a76fc49aa824
new file mode 100644
index 000000000000..a4a2f94a1a0a
--- /dev/null
+++ b/www/jakarta-tomcat5/files/patch-vuxml-26a08c77-32da-4dd7-a884-a76fc49aa824
@@ -0,0 +1,93 @@
+--- webapps/jsp-examples/jsp2/jspx/textRotate.jspx.orig Mon Sep 11 21:55:26 2006
++++ webapps/jsp-examples/jsp2/jspx/textRotate.jspx Mon Sep 11 21:53:47 2006
+@@ -6,11 +6,12 @@
+ <svg xmlns="http://www.w3.org/2000/svg"
+ width="450" height="500" viewBox="0 0 450 500"
+ xmlns:c="http://java.sun.com/jsp/jstl/core"
++ xmlns:fn="http://java.sun.com/jsp/jstl/functions"
+ xmlns:jsp="http://java.sun.com/JSP/Page">
+ <jsp:directive.page contentType="image/svg+xml" />
+ <title>JSP 2.0 JSPX</title>
+ <!-- select name parameter, or default to JSPX -->
+- <c:set var="name" value='${empty param["name"] ? "JSPX" : param["name"]}'/>
++ <c:set var="name" value='${empty fn:escapeXml(param["name"]) ? "JSPX" : fn:escapeXml(param["name"])}'/>
+ <g id="testContent">
+ <text class="title" x="50%" y="10%" font-size="15" text-anchor="middle" >
+ JSP 2.0 XML Syntax (.jspx) Demo</text>
+--- webapps/jsp-examples/jsp2/el/functions.jsp.orig Mon Sep 11 21:55:56 2006
++++ webapps/jsp-examples/jsp2/el/functions.jsp Mon Sep 11 21:51:56 2006
+@@ -13,6 +13,7 @@
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ -->
++<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
+ <%@ taglib prefix="my" uri="http://jakarta.apache.org/tomcat/jsp2-example-taglib"%>
+
+ <html>
+@@ -30,7 +31,7 @@
+ <blockquote>
+ <u><b>Change Parameter</b></u>
+ <form action="functions.jsp" method="GET">
+- foo = <input type="text" name="foo" value="${param['foo']}">
++ foo = <input type="text" name="foo" value="${fn:escapeXml(param["foo"])}">
+ <input type="submit">
+ </form>
+ <br>
+@@ -42,19 +43,19 @@
+ </thead>
+ <tr>
+ <td>\${param["foo"]}</td>
+- <td>${param["foo"]}&nbsp;</td>
++ <td>${fn:escapeXml(param["foo"])}&nbsp;</td>
+ </tr>
+ <tr>
+ <td>\${my:reverse(param["foo"])}</td>
+- <td>${my:reverse(param["foo"])}&nbsp;</td>
++ <td>${my:reverse(fn:escapeXml(param["foo"]))}&nbsp;</td>
+ </tr>
+ <tr>
+ <td>\${my:reverse(my:reverse(param["foo"]))}</td>
+- <td>${my:reverse(my:reverse(param["foo"]))}&nbsp;</td>
++ <td>${my:reverse(my:reverse(fn:escapeXml(param["foo"])))}&nbsp;</td>
+ </tr>
+ <tr>
+ <td>\${my:countVowels(param["foo"])}</td>
+- <td>${my:countVowels(param["foo"])}&nbsp;</td>
++ <td>${my:countVowels(fn:escapeXml(param["foo"]))}&nbsp;</td>
+ </tr>
+ </table>
+ </code>
+--- webapps/jsp-examples/jsp2/el/implicit-objects.jsp.orig Mon Sep 11 21:55:56 2006
++++ webapps/jsp-examples/jsp2/el/implicit-objects.jsp Mon Sep 11 21:52:32 2006
+@@ -13,6 +13,8 @@
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ -->
++<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
++
+ <html>
+ <head>
+ <title>JSP 2.0 Expression Language - Implicit Objects</title>
+@@ -49,7 +51,7 @@
+ <blockquote>
+ <u><b>Change Parameter</b></u>
+ <form action="implicit-objects.jsp" method="GET">
+- foo = <input type="text" name="foo" value="${param["foo"]}">
++ foo = <input type="text" name="foo" value="${fn:escapeXml(param["foo"])}">
+ <input type="submit">
+ </form>
+ <br>
+@@ -61,11 +63,11 @@
+ </thead>
+ <tr>
+ <td>\${param.foo}</td>
+- <td>${param.foo}&nbsp;</td>
++ <td>${fn:escapeXml(param["foo"])}&nbsp;</td>
+ </tr>
+ <tr>
+ <td>\${param["foo"]}</td>
+- <td>${param["foo"]}&nbsp;</td>
++ <td>${fn:escapeXml(param["foo"])}&nbsp;</td>
+ </tr>
+ <tr>
+ <td>\${header["host"]}</td>
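Review bot: In the functions.jsp table rows, `fn:escapeXml` wraps the parameter before it is passed to `my:reverse` and `my:countVowels`, instead of wrapping the value that is written to the page. The result stays free of markup characters only if `my:reverse` merely reorders the already-escaped characters (inferred from its name), and the displayed values are no longer correct: a `<` in the input is shown as the reversed entity `;tl&`, and the vowel count includes the letters of entity names such as `&quot;`. Escaping should be the last step before output, for example `<td>${fn:escapeXml(my:reverse(param["foo"]))}&nbsp;</td>` and likewise for the double-reverse row. The `my:countVowels` row can keep `${my:countVowels(param["foo"])}` if the function returns a number, which is worth confirming. The `header[...]` rows after the last implicit-objects.jsp hunk fall outside the patch context, so whether they are escaped cannot be checked from this page.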