From afa1721c763c8fc0fb3bd8e34a86ad6ca680d560 Mon Sep 17 00:00:00 2001
From: lawrance <lawrance@FreeBSD.org>
Date: Mon, 11 Sep 2006 12:56:36 +0000
Subject: Patch for a minor cross site scripting vulnerability, and bump
 PORTREVISION.

PR:		ports/96468
Submitted by:	Yann Golanski <yg2@york.ac.uk>
Security:	VuXML: 26a08c77-32da-4dd7-a884-a76fc49aa824
---
 www/jakarta-tomcat5/Makefile                       |  6 +-
 ...atch-vuxml-26a08c77-32da-4dd7-a884-a76fc49aa824 | 93 ++++++++++++++++++++++
 2 files changed, 98 insertions(+), 1 deletion(-)
 create mode 100644 www/jakarta-tomcat5/files/patch-vuxml-26a08c77-32da-4dd7-a884-a76fc49aa824

(limited to 'www/jakarta-tomcat5')
diff --git a/www/jakarta-tomcat5/Makefile b/www/jakarta-tomcat5/Makefile
index 383d9e3b6f5b..a42482379007 100644
--- a/www/jakarta-tomcat5/Makefile
+++ b/www/jakarta-tomcat5/Makefile
@@ -7,7 +7,7 @@
 
 PORTNAME=	jakarta-tomcat
 PORTVERSION=	5.0.30
-PORTREVISION=	4
+PORTREVISION=	5
 CATEGORIES=	www java
 MASTER_SITES=	${MASTER_SITE_APACHE_JAKARTA}
 MASTER_SITE_SUBDIR=	tomcat-5/v${PORTVERSION}/bin
@@ -62,6 +62,10 @@ SUB_LIST=	AJP_1_3_PORT=${AJP_1_3_PORT} \
 		TOMCAT_VERSION=${MAJOR_VER:S/.//} \
 		USER=${TOMCAT_USER}
 
+USE_DOS2UNIX=	webapps/jsp-examples/jsp2/jspx/textRotate.jspx \
+		webapps/jsp-examples/jsp2/el/functions.jsp \
+		webapps/jsp-examples/jsp2/el/implicit-objects.jsp
+
 .include <bsd.port.pre.mk>
 
 pre-patch:
diff --git a/www/jakarta-tomcat5/files/patch-vuxml-26a08c77-32da-4dd7-a884-a76fc49aa824 b/www/jakarta-tomcat5/files/patch-vuxml-26a08c77-32da-4dd7-a884-a76fc49aa824
new file mode 100644
index 000000000000..a4a2f94a1a0a
--- /dev/null
+++ b/www/jakarta-tomcat5/files/patch-vuxml-26a08c77-32da-4dd7-a884-a76fc49aa824
@@ -0,0 +1,93 @@
+--- webapps/jsp-examples/jsp2/jspx/textRotate.jspx.orig	Mon Sep 11 21:55:26 2006
++++ webapps/jsp-examples/jsp2/jspx/textRotate.jspx	Mon Sep 11 21:53:47 2006
+@@ -6,11 +6,12 @@
+ <svg xmlns="http://www.w3.org/2000/svg"
+      width="450" height="500" viewBox="0 0 450 500"
+      xmlns:c="http://java.sun.com/jsp/jstl/core"
++     xmlns:fn="http://java.sun.com/jsp/jstl/functions"
+      xmlns:jsp="http://java.sun.com/JSP/Page">
+   <jsp:directive.page contentType="image/svg+xml" />
+   <title>JSP 2.0 JSPX</title>
+   <!-- select name parameter, or default to JSPX -->
+-  <c:set var="name" value='${empty param["name"] ? "JSPX" : param["name"]}'/>
++  <c:set var="name" value='${empty fn:escapeXml(param["name"]) ? "JSPX" : fn:escapeXml(param["name"])}'/>
+   <g id="testContent">
+     <text class="title" x="50%" y="10%" font-size="15" text-anchor="middle" >
+             JSP 2.0 XML Syntax (.jspx) Demo</text>
+--- webapps/jsp-examples/jsp2/el/functions.jsp.orig	Mon Sep 11 21:55:56 2006
++++ webapps/jsp-examples/jsp2/el/functions.jsp	Mon Sep 11 21:51:56 2006
+@@ -13,6 +13,7 @@
+   See the License for the specific language governing permissions and
+   limitations under the License.
+ -->
++<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
+ <%@ taglib prefix="my" uri="http://jakarta.apache.org/tomcat/jsp2-example-taglib"%>
+ 
+ <html>
+@@ -30,7 +31,7 @@
+     <blockquote>
+       <u><b>Change Parameter</b></u>
+       <form action="functions.jsp" method="GET">
+-	  foo = <input type="text" name="foo" value="${param['foo']}">
++	  foo = <input type="text" name="foo" value="${fn:escapeXml(param["foo"])}">
+           <input type="submit">
+       </form>
+       <br>
+@@ -42,19 +43,19 @@
+ 	  </thead>
+ 	  <tr>
+ 	    <td>\${param["foo"]}</td>
+-	    <td>${param["foo"]}&nbsp;</td>
++	    <td>${fn:escapeXml(param["foo"])}&nbsp;</td>
+ 	  </tr>
+ 	  <tr>
+ 	    <td>\${my:reverse(param["foo"])}</td>
+-	    <td>${my:reverse(param["foo"])}&nbsp;</td>
++	    <td>${my:reverse(fn:escapeXml(param["foo"]))}&nbsp;</td>
+ 	  </tr>
+ 	  <tr>
+ 	    <td>\${my:reverse(my:reverse(param["foo"]))}</td>
+-	    <td>${my:reverse(my:reverse(param["foo"]))}&nbsp;</td>
++	    <td>${my:reverse(my:reverse(fn:escapeXml(param["foo"])))}&nbsp;</td>
+ 	  </tr>
+ 	  <tr>
+ 	    <td>\${my:countVowels(param["foo"])}</td>
+-	    <td>${my:countVowels(param["foo"])}&nbsp;</td>
++	    <td>${my:countVowels(fn:escapeXml(param["foo"]))}&nbsp;</td>
+ 	  </tr>
+ 	</table>
+       </code>
+--- webapps/jsp-examples/jsp2/el/implicit-objects.jsp.orig	Mon Sep 11 21:55:56 2006
++++ webapps/jsp-examples/jsp2/el/implicit-objects.jsp	Mon Sep 11 21:52:32 2006
+@@ -13,6 +13,8 @@
+   See the License for the specific language governing permissions and
+   limitations under the License.
+ -->
++<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
++
+ <html>
+   <head>
+     <title>JSP 2.0 Expression Language - Implicit Objects</title>
+@@ -49,7 +51,7 @@
+     <blockquote>
+       <u><b>Change Parameter</b></u>
+       <form action="implicit-objects.jsp" method="GET">
+-	  foo = <input type="text" name="foo" value="${param["foo"]}">
++	  foo = <input type="text" name="foo" value="${fn:escapeXml(param["foo"])}">
+           <input type="submit">
+       </form>
+       <br>
+@@ -61,11 +63,11 @@
+ 	  </thead>
+ 	  <tr>
+ 	    <td>\${param.foo}</td>
+-	    <td>${param.foo}&nbsp;</td>
++	    <td>${fn:escapeXml(param["foo"])}&nbsp;</td>
+ 	  </tr>
+ 	  <tr>
+ 	    <td>\${param["foo"]}</td>
+-	    <td>${param["foo"]}&nbsp;</td>
++	    <td>${fn:escapeXml(param["foo"])}&nbsp;</td>
+ 	  </tr>
+ 	  <tr>
+ 	    <td>\${header["host"]}</td>
-- 
cgit 

'active' href='/~lantw44/cgit/cgit.cgi/freebsd-ports-gnome/log/math/entropy/Makefile'>log</a><a href='/~lantw44/cgit/cgit.cgi/freebsd-ports-gnome/tree/math/entropy/Makefile?id=fa66ba4fa0f751f25171fa00d4efe0da222b7862'>tree</a><a href='/~lantw44/cgit/cgit.cgi/freebsd-ports-gnome/commit/math/entropy/Makefile?id=fa66ba4fa0f751f25171fa00d4efe0da222b7862'>commit</a><a href='/~lantw44/cgit/cgit.cgi/freebsd-ports-gnome/diff/math/entropy/Makefile?id=fa66ba4fa0f751f25171fa00d4efe0da222b7862'>diff</a><a href='/~lantw44/cgit/cgit.cgi/freebsd-ports-gnome/stats/math/entropy/Makefile'>stats</a></td><td class='form'><form class='right' method='get' action='/~lantw44/cgit/cgit.cgi/freebsd-ports-gnome/log/math/entropy/Makefile'>
<input type='hidden' name='id' value='fa66ba4fa0f751f25171fa00d4efe0da222b7862'/><select name='qt'>
<option value='grep'>log msg</option>
<option value='author'>author</option>
<option value='committer'>committer</option>
<option value='range'>range</option>
</select>
<input class='txt' type='search' size='10' name='q' value=''/>
<input type='submit' value='search'/>
</form>
</td></tr></table>
<div class='path'>path: <a href='/~lantw44/cgit/cgit.cgi/freebsd-ports-gnome/log/?id=fa66ba4fa0f751f25171fa00d4efe0da222b7862'>root</a>/<a href='/~lantw44/cgit/cgit.cgi/freebsd-ports-gnome/log/math?id=fa66ba4fa0f751f25171fa00d4efe0da222b7862'>math</a>/<a href='/~lantw44/cgit/cgit.cgi/freebsd-ports-gnome/log/math/entropy?id=fa66ba4fa0f751f25171fa00d4efe0da222b7862'>entropy</a>/<a href='/~lantw44/cgit/cgit.cgi/freebsd-ports-gnome/log/math/entropy/Makefile?id=fa66ba4fa0f751f25171fa00d4efe0da222b7862'>Makefile</a></div><div class='content'><table class='list nowrap'><tr class='nohover'><th></th><th class='left'>Commit message (<a href='/~lantw44/cgit/cgit.cgi/freebsd-ports-gnome/log/math/entropy/Makefile?id=fa66ba4fa0f751f25171fa00d4efe0da222b7862&amp;showmsg=1'>Expand</a>)</th><th class='left'>Author</th><th class='left'>Age</th><th class='left'>Files</th><th class='left'>Lines</th></tr>
<tr><td class='commitgraph'>* </td><td><a href='/~lantw44/cgit/cgit.cgi/freebsd-ports-gnome/commit/math/entropy/Makefile?id=884981ec68cdccc03368be15d055407446135f3d'>Use PLIST_FILES (bento-tested, marcus-reviewed).</a></td><td>trevor</td><td><span title='2004-02-06 21:12:53 +0800'>2004-02-06</span></td><td>1</td><td><span class='deletions'>-0</span>/<span class='insertions'>+1</span></td></tr>
<tr><td class='commitgraph'>* </td><td><a href='/~lantw44/cgit/cgit.cgi/freebsd-ports-gnome/commit/math/entropy/Makefile?id=7ae0fcf937b9e848d8c50856b4d8f5884134b4b1'>Maintainer update of math/entropy to 1.1</a></td><td>seanc</td><td><span title='2003-08-27 11:16:35 +0800'>2003-08-27</span></td><td>1</td><td><span class='deletions'>-1</span>/<span class='insertions'>+1</span></td></tr>
<tr><td class='commitgraph'>* </td><td><a href='/~lantw44/cgit/cgit.cgi/freebsd-ports-gnome/commit/math/entropy/Makefile?id=69b51a7eaaf4fb61d28b25ff2f8a100a8c3e9882'>De-pkg-comment.</a></td><td>knu</td><td><span title='2003-02-21 20:51:06 +0800'>2003-02-21</span></td><td>1</td><td><span class='deletions'>-0</span>/<span class='insertions'>+1</span></td></tr>
<tr><td class='commitgraph'>* </td><td><a href='/~lantw44/cgit/cgit.cgi/freebsd-ports-gnome/commit/math/entropy/Makefile?id=55d4379c29e5b51f0feadf1e09cf0026d573d855'>MASTER_SITES changed.</a></td><td>obraun</td><td><span title='2002-08-22 04:59:42 +0800'>2002-08-22</span></td><td>1</td><td><span class='deletions'>-1</span>/<span class='insertions'>+1</span></td></tr>
<tr><td class='commitgraph'>* </td><td><a href='/~lantw44/cgit/cgit.cgi/freebsd-ports-gnome/commit/math/entropy/Makefile?id=0d9d3844c2d3afb18a07d225a5339f91242f5897'>Add entropy 1.0, calculate data entropy to benchmark compression</a></td><td>petef</td><td><span title='2002-08-11 04:44:15 +0800'>2002-08-11</span>
	Commit message (Expand)	Author	Age	Files	Lines
*	Use PLIST_FILES (bento-tested, marcus-reviewed).	trevor	2004-02-06	1	-0/+1
*	Maintainer update of math/entropy to 1.1	seanc	2003-08-27	1	-1/+1
*	De-pkg-comment.	knu	2003-02-21	1	-0/+1
*	MASTER_SITES changed.	obraun	2002-08-22	1	-1/+1
*	Add entropy 1.0, calculate data entropy to benchmark compression	petef	2002-08-11