import httpcomponents-client-4.5.5-5.module+el8.6.0+13298+7b5243c0
This commit is contained in:
CentOS Sources
Stepan Oksanichenko
parent
9369e04ad5
commit
e9a9c6d99d
|
|
@ -1,14 +1,14 @@
|
|||
From 3514ce0f38dddafd052d76e6a0da9bbb862ff8a4 Mon Sep 17 00:00:00 2001
|
||||
From 46c89afa0fc522c1f6906a72f505ee16f36d2360 Mon Sep 17 00:00:00 2001
|
||||
From: Mikolaj Izdebski <mizdebsk@redhat.com>
|
||||
Date: Tue, 20 Jan 2015 16:04:31 +0100
|
||||
Subject: [PATCH] Use system copy of effective_tld_names.dat
|
||||
Subject: [PATCH 1/2] Use system copy of effective_tld_names.dat
|
||||
|
||||
---
|
||||
.../java/org/apache/http/conn/util/PublicSuffixMatcherLoader.java | 7 +++----
|
||||
.../apache/http/conn/util/PublicSuffixMatcherLoader.java | 7 +++----
|
||||
1 file changed, 3 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/httpclient/src/main/java/org/apache/http/conn/util/PublicSuffixMatcherLoader.java b/httpclient/src/main/java/org/apache/http/conn/util/PublicSuffixMatcherLoader.java
|
||||
index 8783c5b..c858220 100644
|
||||
index 8783c5b96..c858220bf 100644
|
||||
--- a/httpclient/src/main/java/org/apache/http/conn/util/PublicSuffixMatcherLoader.java
|
||||
+++ b/httpclient/src/main/java/org/apache/http/conn/util/PublicSuffixMatcherLoader.java
|
||||
@@ -82,11 +82,10 @@ public final class PublicSuffixMatcherLoader {
|
||||
|
|
@ -27,5 +27,5 @@ index 8783c5b..c858220 100644
|
|||
// Should never happen
|
||||
final Log log = LogFactory.getLog(PublicSuffixMatcherLoader.class);
|
||||
--
|
||||
2.9.3
|
||||
2.31.1
|
||||
|
||||
|
|
|
|||
|
|
@ -0,0 +1,126 @@
|
|||
From 11ce5ceabac935674a95da3ee56cd94a70c626a3 Mon Sep 17 00:00:00 2001
|
||||
From: Oleg Kalnichevski <olegk@apache.org>
|
||||
Date: Tue, 29 Sep 2020 09:37:38 +0200
|
||||
Subject: [PATCH 2/2] Incorrect handling of malformed authority component by
|
||||
URIUtils#extractHost
|
||||
|
||||
---
|
||||
.../apache/http/client/utils/URIUtils.java | 69 ++++++++-----------
|
||||
.../http/client/utils/TestURIUtils.java | 6 +-
|
||||
2 files changed, 32 insertions(+), 43 deletions(-)
|
||||
|
||||
diff --git a/httpclient/src/main/java/org/apache/http/client/utils/URIUtils.java b/httpclient/src/main/java/org/apache/http/client/utils/URIUtils.java
|
||||
index 02f8c1ae9..7cbad777c 100644
|
||||
--- a/httpclient/src/main/java/org/apache/http/client/utils/URIUtils.java
|
||||
+++ b/httpclient/src/main/java/org/apache/http/client/utils/URIUtils.java
|
||||
@@ -334,56 +334,43 @@ public class URIUtils {
|
||||
if (uri == null) {
|
||||
return null;
|
||||
}
|
||||
- HttpHost target = null;
|
||||
if (uri.isAbsolute()) {
|
||||
- int port = uri.getPort(); // may be overridden later
|
||||
- String host = uri.getHost();
|
||||
- if (host == null) { // normal parse failed; let's do it ourselves
|
||||
+ if (uri.getHost() == null) { // normal parse failed; let's do it ourselves
|
||||
// authority does not seem to care about the valid character-set for host names
|
||||
- host = uri.getAuthority();
|
||||
- if (host != null) {
|
||||
+ if (uri.getAuthority() != null) {
|
||||
+ String content = uri.getAuthority();
|
||||
// Strip off any leading user credentials
|
||||
- final int at = host.indexOf('@');
|
||||
- if (at >= 0) {
|
||||
- if (host.length() > at+1 ) {
|
||||
- host = host.substring(at+1);
|
||||
- } else {
|
||||
- host = null; // @ on its own
|
||||
- }
|
||||
+ int at = content.indexOf('@');
|
||||
+ if (at != -1) {
|
||||
+ content = content.substring(at + 1);
|
||||
}
|
||||
- // Extract the port suffix, if present
|
||||
- if (host != null) {
|
||||
- final int colon = host.indexOf(':');
|
||||
- if (colon >= 0) {
|
||||
- final int pos = colon + 1;
|
||||
- int len = 0;
|
||||
- for (int i = pos; i < host.length(); i++) {
|
||||
- if (Character.isDigit(host.charAt(i))) {
|
||||
- len++;
|
||||
- } else {
|
||||
- break;
|
||||
- }
|
||||
- }
|
||||
- if (len > 0) {
|
||||
- try {
|
||||
- port = Integer.parseInt(host.substring(pos, pos + len));
|
||||
- } catch (final NumberFormatException ex) {
|
||||
- }
|
||||
- }
|
||||
- host = host.substring(0, colon);
|
||||
+ final String scheme = uri.getScheme();
|
||||
+ final String hostname;
|
||||
+ final int port;
|
||||
+ at = content.indexOf(":");
|
||||
+ if (at != -1) {
|
||||
+ hostname = content.substring(0, at);
|
||||
+ try {
|
||||
+ final String portText = content.substring(at + 1);
|
||||
+ port = !TextUtils.isEmpty(portText) ? Integer.parseInt(portText) : -1;
|
||||
+ } catch (final NumberFormatException ex) {
|
||||
+ return null;
|
||||
}
|
||||
+ } else {
|
||||
+ hostname = content;
|
||||
+ port = -1;
|
||||
+ }
|
||||
+ try {
|
||||
+ return new HttpHost(hostname, port, scheme);
|
||||
+ } catch (final IllegalArgumentException ex) {
|
||||
+ return null;
|
||||
}
|
||||
}
|
||||
- }
|
||||
- final String scheme = uri.getScheme();
|
||||
- if (!TextUtils.isBlank(host)) {
|
||||
- try {
|
||||
- target = new HttpHost(host, port, scheme);
|
||||
- } catch (final IllegalArgumentException ignore) {
|
||||
- }
|
||||
+ } else {
|
||||
+ return new HttpHost(uri.getHost(), uri.getPort(), uri.getScheme());
|
||||
}
|
||||
}
|
||||
- return target;
|
||||
+ return null;
|
||||
}
|
||||
|
||||
/**
|
||||
diff --git a/httpclient/src/test/java/org/apache/http/client/utils/TestURIUtils.java b/httpclient/src/test/java/org/apache/http/client/utils/TestURIUtils.java
|
||||
index e33477fce..8da6a26b2 100644
|
||||
--- a/httpclient/src/test/java/org/apache/http/client/utils/TestURIUtils.java
|
||||
+++ b/httpclient/src/test/java/org/apache/http/client/utils/TestURIUtils.java
|
||||
@@ -256,14 +256,16 @@ public class TestURIUtils {
|
||||
|
||||
Assert.assertEquals(new HttpHost("localhost",8080),
|
||||
URIUtils.extractHost(new URI("http://localhost:8080/;sessionid=stuff/abcd")));
|
||||
- Assert.assertEquals(new HttpHost("localhost",8080),
|
||||
+ Assert.assertEquals(null,
|
||||
URIUtils.extractHost(new URI("http://localhost:8080;sessionid=stuff/abcd")));
|
||||
- Assert.assertEquals(new HttpHost("localhost",-1),
|
||||
+ Assert.assertEquals(null,
|
||||
URIUtils.extractHost(new URI("http://localhost:;sessionid=stuff/abcd")));
|
||||
Assert.assertEquals(null,
|
||||
URIUtils.extractHost(new URI("http://:80/robots.txt")));
|
||||
Assert.assertEquals(null,
|
||||
URIUtils.extractHost(new URI("http://some%20domain:80/robots.txt")));
|
||||
+ Assert.assertEquals(null,
|
||||
+ URIUtils.extractHost(new URI("http://blah@goggle.com:80@google.com/")));
|
||||
}
|
||||
|
||||
@Test
|
||||
--
|
||||
2.31.1
|
||||
|
||||
|
|
@ -4,12 +4,13 @@
|
|||
Name: httpcomponents-client
|
||||
Summary: HTTP agent implementation based on httpcomponents HttpCore
|
||||
Version: 4.5.5
|
||||
Release: 4%{?dist}
|
||||
Release: 5%{?dist}
|
||||
License: ASL 2.0
|
||||
URL: http://hc.apache.org/
|
||||
Source0: http://www.apache.org/dist/httpcomponents/httpclient/source/%{name}-%{version}-src.tar.gz
|
||||
|
||||
Patch0: 0001-Use-system-copy-of-effective_tld_names.dat.patch
|
||||
Patch1: 0002-Incorrect-handling-of-malformed-authority-component-.patch
|
||||
|
||||
BuildArch: noarch
|
||||
|
||||
|
|
@ -58,6 +59,7 @@ Summary: API documentation for %{name}
|
|||
%prep
|
||||
%setup -q -n %{name}-%{version}
|
||||
%patch0 -p1
|
||||
%patch1 -p1
|
||||
|
||||
%mvn_package :httpclient-cache cache
|
||||
|
||||
|
|
@ -185,6 +187,10 @@ rm -r httpclient-cache/src/*/java/org/apache/http/impl/client/cache/ehcache
|
|||
%doc LICENSE.txt NOTICE.txt
|
||||
|
||||
%changelog
|
||||
* Sat Sep 25 2021 Mikolaj Izdebski <mizdebsk@redhat.com> - 4.5.5-5
|
||||
- Fix incorrect handling of malformed authority component in request URIs
|
||||
- Resolves: CVE-2020-13956
|
||||
|
||||
* Mon Mar 19 2018 Michael Simacek <msimacek@redhat.com> - 4.5.5-4
|
||||
- Fix FTBFS (weak crypto in test data)
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue