Patch for a minor cross site scripting vulnerability, and bump PORTREVISION.

PR: ports/96468 Submitted by: Yann Golanski <yg2@york.ac.uk> Security: VuXML: 26a08c77-32da-4dd7-a884-a76fc49aa824
svn path=/head/; revision=172777
2024-10-20 20:09:11 +00:00 · 2006-09-11 12:56:36 +00:00 · 2006-09-11 12:56:36 +00:00 · 954d13aa39 · 2021-03-31 03:12:20 +00:00
commit 954d13aa39
parent 4308b0a901
2 changed files with 98 additions and 1 deletions
--- a/www/jakarta-tomcat5/Makefile
+++ b/www/jakarta-tomcat5/Makefile
@ -7,7 +7,7 @@

 PORTNAME=	jakarta-tomcat
 PORTVERSION=	5.0.30
-PORTREVISION=	4
+PORTREVISION=	5
 CATEGORIES=	www java
 MASTER_SITES=	${MASTER_SITE_APACHE_JAKARTA}
 MASTER_SITE_SUBDIR=	tomcat-5/v${PORTVERSION}/bin
@ -62,6 +62,10 @@ SUB_LIST=	AJP_1_3_PORT=${AJP_1_3_PORT} \
 		TOMCAT_VERSION=${MAJOR_VER:S/.//} \
 		USER=${TOMCAT_USER}

+USE_DOS2UNIX=	webapps/jsp-examples/jsp2/jspx/textRotate.jspx \
+		webapps/jsp-examples/jsp2/el/functions.jsp \
+		webapps/jsp-examples/jsp2/el/implicit-objects.jsp
+
 .include <bsd.port.pre.mk>

 pre-patch:
--- a/www/jakarta-tomcat5/files/patch-vuxml-26a08c77-32da-4dd7-a884-a76fc49aa824
+++ b/www/jakarta-tomcat5/files/patch-vuxml-26a08c77-32da-4dd7-a884-a76fc49aa824
@ -0,0 +1,93 @@
+--- webapps/jsp-examples/jsp2/jspx/textRotate.jspx.orig	Mon Sep 11 21:55:26 2006
+++ webapps/jsp-examples/jsp2/jspx/textRotate.jspx	Mon Sep 11 21:53:47 2006
+@@ -6,11 +6,12 @@
+ <svg xmlns="http://www.w3.org/2000/svg"
+      width="450" height="500" viewBox="0 0 450 500"
+      xmlns:c="http://java.sun.com/jsp/jstl/core"
+     xmlns:fn="http://java.sun.com/jsp/jstl/functions"
+      xmlns:jsp="http://java.sun.com/JSP/Page">
+   <jsp:directive.page contentType="image/svg+xml" />
+   <title>JSP 2.0 JSPX</title>
+   <!-- select name parameter, or default to JSPX -->
+-  <c:set var="name" value='${empty param["name"] ? "JSPX" : param["name"]}'/>
+  <c:set var="name" value='${empty fn:escapeXml(param["name"]) ? "JSPX" : fn:escapeXml(param["name"])}'/>
+   <g id="testContent">
+     <text class="title" x="50%" y="10%" font-size="15" text-anchor="middle" >
+             JSP 2.0 XML Syntax (.jspx) Demo</text>
+--- webapps/jsp-examples/jsp2/el/functions.jsp.orig	Mon Sep 11 21:55:56 2006
+++ webapps/jsp-examples/jsp2/el/functions.jsp	Mon Sep 11 21:51:56 2006
+@@ -13,6 +13,7 @@
+   See the License for the specific language governing permissions and
+   limitations under the License.
+ -->
+<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
+ <%@ taglib prefix="my" uri="http://jakarta.apache.org/tomcat/jsp2-example-taglib"%>
+ 
+ <html>
+@@ -30,7 +31,7 @@
+     <blockquote>
+       <u><b>Change Parameter</b></u>
+       <form action="functions.jsp" method="GET">
+-	  foo = <input type="text" name="foo" value="${param['foo']}">
+	  foo = <input type="text" name="foo" value="${fn:escapeXml(param["foo"])}">
+           <input type="submit">
+       </form>
+       <br>
+@@ -42,19 +43,19 @@
+ 	  </thead>
+ 	  <tr>
+ 	    <td>\${param["foo"]}</td>
+-	    <td>${param["foo"]}&nbsp;</td>
+	    <td>${fn:escapeXml(param["foo"])}&nbsp;</td>
+ 	  </tr>
+ 	  <tr>
+ 	    <td>\${my:reverse(param["foo"])}</td>
+-	    <td>${my:reverse(param["foo"])}&nbsp;</td>
+	    <td>${my:reverse(fn:escapeXml(param["foo"]))}&nbsp;</td>
+ 	  </tr>
+ 	  <tr>
+ 	    <td>\${my:reverse(my:reverse(param["foo"]))}</td>
+-	    <td>${my:reverse(my:reverse(param["foo"]))}&nbsp;</td>
+	    <td>${my:reverse(my:reverse(fn:escapeXml(param["foo"])))}&nbsp;</td>
+ 	  </tr>
+ 	  <tr>
+ 	    <td>\${my:countVowels(param["foo"])}</td>
+-	    <td>${my:countVowels(param["foo"])}&nbsp;</td>
+	    <td>${my:countVowels(fn:escapeXml(param["foo"]))}&nbsp;</td>
+ 	  </tr>
+ 	</table>
+       </code>
+--- webapps/jsp-examples/jsp2/el/implicit-objects.jsp.orig	Mon Sep 11 21:55:56 2006
+++ webapps/jsp-examples/jsp2/el/implicit-objects.jsp	Mon Sep 11 21:52:32 2006
+@@ -13,6 +13,8 @@
+   See the License for the specific language governing permissions and
+   limitations under the License.
+ -->
+<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
+
+ <html>
+   <head>
+     <title>JSP 2.0 Expression Language - Implicit Objects</title>
+@@ -49,7 +51,7 @@
+     <blockquote>
+       <u><b>Change Parameter</b></u>
+       <form action="implicit-objects.jsp" method="GET">
+-	  foo = <input type="text" name="foo" value="${param["foo"]}">
+	  foo = <input type="text" name="foo" value="${fn:escapeXml(param["foo"])}">
+           <input type="submit">
+       </form>
+       <br>
+@@ -61,11 +63,11 @@
+ 	  </thead>
+ 	  <tr>
+ 	    <td>\${param.foo}</td>
+-	    <td>${param.foo}&nbsp;</td>
+	    <td>${fn:escapeXml(param["foo"])}&nbsp;</td>
+ 	  </tr>
+ 	  <tr>
+ 	    <td>\${param["foo"]}</td>
+-	    <td>${param["foo"]}&nbsp;</td>
+	    <td>${fn:escapeXml(param["foo"])}&nbsp;</td>
+ 	  </tr>
+ 	  <tr>
+ 	    <td>\${header["host"]}</td>