debian/

debian/tomcat6.install

conf/catalina.properties /etc/tomcat6/
debian/logging.properties /etc/tomcat6/
conf/*.xml /etc/tomcat6/
debian/policy/*.policy /etc/tomcat6/policy.d/
debian/default_root /usr/share/tomcat6-root/
debian/defaults.template /usr/share/tomcat6/
debian/defaults.md5sum /usr/share/tomcat6/
debian/logrotate.template /usr/share/tomcat6/
debian/logrotate.md5sum /usr/share/tomcat6/

debian/orig-tar.sh

#!/bin/sh -e

VERSION=$2
TAR=../tomcat6_$VERSION.orig.tar.xz
DIR=tomcat6-$VERSION
TAG=$(echo TOMCAT_$VERSION | sed -e 's/\./_/g')

svn export http://svn.apache.org/repos/asf/tomcat/tc6.0.x/tags/$TAG $DIR
tar -c -J -f $TAR --exclude 'standard.jar' --exclude 'jstl.jar' $DIR
rm -rf $DIR ../$TAG

# move to directory 'tarballs'
if [ -r .svn/deb-layout ]; then
    . .svn/deb-layout
    mv $TAR $origDir
    echo "moved $TAR to $origDir"
fi

debian/tomcat6-instance-create.1

.TH "TOMCAT6-INSTANCE-CREATE" "8" "Feb 2010" "" ""
.SH "NAME"
tomcat6\-instance\-create \- creates a Tomcat6 instance
.SH "SYNOPSIS"
.B tomcat6\-instance\-create
[\fIOPTIONS\fR] \fIDIRECTORYNAME\fR
.SH "DESCRIPTION"
The
.B tomcat6\-instance\-create
script creates a directory with all required Tomcat6 CATALINA_BASE elements
so that a separate Tomcat 6 instance with its own configuration, libraries or
web applications can be run by a user. bin/startup.sh and bin/shutdown.sh
scripts are also generated to allow the instance to be started and stopped.
.TP
.B DIRECTORYNAME
The name of the directory where the instance will be created. It should not
exist and will be created automatically.
.SH "OPTIONS"
.TP
.B \-p HTTPPORT
The TCP port to use for the default HTTP connector in the instance. The
default port is 8080.
.TP
.B \-c CONTROLPORT
The TCP port to use for Tomcat shutdown control port.
The default port is 8005.
.TP
.B \-w MAGICWORD
The magic word that, when sent to the control port, triggers the shutdown of
the Tomcat instance. The default word is SHUTDOWN.
.SH "AUTHOR"
This man page was written by Thierry Carrez and is
copyright (C) 2008 Canonical Ltd.

debian/tomcat6-examples.install

debian/context/examples.xml /etc/tomcat6/Catalina/localhost/
output/build/webapps/examples /usr/share/tomcat6-examples/
debian/policy/examples/*.policy /etc/tomcat6/policy.d/

debian/libservlet2.5-java-doc.install

output/api /usr/share/doc/libservlet2.5-java/

debian/default_root/

debian/default_root/index.html

Apache Tomcat

It works !

If you're seeing this page via a web browser, it means you've set up Tomcat successfully. Congratulations!

This is the default Tomcat home page. It can be found on the local filesystem at: /var/lib/tomcat6/webapps/ROOT/index.html

Tomcat6 veterans might be pleased to learn that this system instance of Tomcat is installed with CATALINA_HOME in /usr/share/tomcat6 and CATALINA_BASE in /var/lib/tomcat6, following the rules from /usr/share/doc/tomcat6-common/RUNNING.txt.gz.

You might consider installing the following packages, if you haven't already done so:

tomcat6-docs: This package installs a web application that lets you browse the Tomcat 6 documentation locally. Once installed, you can access it by clicking here.

tomcat6-examples: This package installs a web application that lets you access the Tomcat 6 Servlet and JSP examples. Once installed, you can access it by clicking here.

tomcat6-admin: This package installs two web applications that can help manage this Tomcat instance. Once installed, you can access the manager webapp and the host-manager webapp.

NOTE: For security reasons, using the manager webapp is restricted to users with role "manager". The host-manager webapp is restricted to users with role "admin". Users are defined in /etc/tomcat6/tomcat-users.xml.

debian/default_root/META-INF/

debian/default_root/META-INF/context.xml

debian/logrotate.template

/var/log/tomcat6/catalina.out {
  copytruncate
  weekly
  rotate 52
  compress
  missingok
  create 640 tomcat6 adm
}

debian/tomcat6.postinst

#!/bin/sh
set -e

. /usr/share/debconf/confmodule
TEMPLATE="/usr/share/tomcat6/defaults.template"
CONFFILE="/etc/default/tomcat6"
LR_TEMPLATE="/usr/share/tomcat6/logrotate.template"
LR_CONFFILE="/etc/logrotate.d/tomcat6"
JAVA_OPTS="-Djava.awt.headless=true -Xmx128m -XX:+UseConcMarkSweepGC"

case "$1" in
    configure)

        # Generate $CONFFILE from debconf settings and $TEMPLATE
        db_version 2.0
        db_get tomcat6/username && TOMCAT6_USER="$RET" || TOMCAT6_USER="tomcat6"
        db_get tomcat6/groupname && TOMCAT6_GROUP="$RET" || TOMCAT6_GROUP="tomcat6"
        db_get tomcat6/javaopts && JAVA_OPTS="$RET" || JAVA_OPTS="-Djava.awt.headless=true -Xmx128m -XX:+UseConcMarkSweepGC"

        tmpfile=`mktemp /tmp/tomcat6.XXXXXXXXXX`
        chmod 644 $tmpfile
        cat $TEMPLATE \
            | sed "s%^TOMCAT6_USER=.*$%TOMCAT6_USER=$TOMCAT6_USER%" \
            | sed "s%^TOMCAT6_GROUP=.*$%TOMCAT6_GROUP=$TOMCAT6_GROUP%" \
            | sed "s%^JAVA_OPTS=.*$%JAVA_OPTS=\"$JAVA_OPTS\"%" \
            >> $tmpfile
        ucf --debconf-ok --sum-file /usr/share/tomcat6/defaults.md5sum $tmpfile $CONFFILE
        rm -f $tmpfile

        if ! getent group "$TOMCAT6_GROUP" > /dev/null 2>&1 ; then
            addgroup --system "$TOMCAT6_GROUP" --quiet
        fi
        if ! id $TOMCAT6_USER > /dev/null 2>&1 ; then
            adduser --system --home /usr/share/tomcat6 --no-create-home \
                --ingroup "$TOMCAT6_GROUP" --disabled-password --shell /bin/false \
                "$TOMCAT6_USER"
        fi
        chown -R $TOMCAT6_USER:adm /var/log/tomcat6 /var/cache/tomcat6
        chmod 750 /var/log/tomcat6 /var/cache/tomcat6

        # populate /etc/logrotate.d/tomcat6
        tmpfile=`mktemp /tmp/tomcat6.XXXXXXXXXX`
        chmod 644 $tmpfile
        cat $LR_TEMPLATE | sed "s%create 640 tomcat6 adm%create 640 $TOMCAT6_USER adm%" >> $tmpfile
        ucf --debconf-ok --sum-file /usr/share/tomcat6/logrotate.md5sum $tmpfile $LR_CONFFILE
        rm -f $tmpfile

        # configuration files should not be modifiable by tomcat6 user, as this can be a security issue
        # (an attacker may insert code in a webapp and have access to all tomcat configuration)
        # but those files should be readable by tomcat6, so we set the group to tomcat6
        chown -Rh root:$TOMCAT6_GROUP /etc/tomcat6/*
        chmod 640 /etc/tomcat6/tomcat-users.xml
        chown -Rh $TOMCAT6_USER:$TOMCAT6_GROUP /var/lib/tomcat6/webapps /var/lib/tomcat6/common /var/lib/tomcat6/server /var/lib/tomcat6/shared
        chmod 775 /var/lib/tomcat6/webapps
        chmod 775 /etc/tomcat6/Catalina /etc/tomcat6/Catalina/localhost

        # Authorize user tomcat6 to open privileged ports via authbind.
        TOMCAT_UID="`id -u $TOMCAT6_USER`"
        if [ ! -f "/etc/authbind/byuid/$TOMCAT_UID" ]; then
            if [ ! -d "/etc/authbind/byuid" ]; then
                mkdir -p /etc/authbind/byuid
                chmod 755 /etc/authbind
                chmod 755 /etc/authbind/byuid
            fi
            echo '0.0.0.0/0:1,1023' >/etc/authbind/byuid/$TOMCAT_UID
            chown $TOMCAT6_USER:$TOMCAT6_GROUP /etc/authbind/byuid/$TOMCAT_UID
            chmod 700 /etc/authbind/byuid/$TOMCAT_UID
        fi
    ;;
esac

if [ ! -d /var/lib/tomcat6/webapps/ROOT ]; then
    cp -r /usr/share/tomcat6-root/default_root /var/lib/tomcat6/webapps/ROOT
fi

#DEBHELPER#

debian/policy/

debian/policy/examples/

debian/policy/examples/10examples.policy

grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
    permission java.io.FilePermission "/usr/share/tomcat6-examples/examples/WEB-INF/classes/logging.properties", "read";
};

debian/policy/50local.policy

// You can assign additional permissions to particular web applications by
// adding additional "grant" entries here, based on the code base for that
// application, /WEB-INF/classes/, or /WEB-INF/lib/ jar files.
//
// Different permissions can be granted to JSP pages, classes loaded from
// the /WEB-INF/classes/ directory, all jar files in the /WEB-INF/lib/
// directory, or even to individual jar files in the /WEB-INF/lib/ directory.
//
// For instance, assume that the standard "examples" application
// included a JDBC driver that needed to establish a network connection to the
// corresponding database and used the scrape taglib to get the weather from
// the NOAA web server. You might create "grant" entries like this:
//
// The permissions granted to the context root directory apply to JSP pages.
// grant codeBase "file:${catalina.base}/webapps/examples/-" {
//      permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
//      permission java.net.SocketPermission "*.noaa.gov:80", "connect";
// };
//
// The permissions granted to the context WEB-INF/classes directory
// grant codeBase "file:${catalina.base}/webapps/examples/WEB-INF/classes/-" {
// };
//
// The permission granted to your JDBC driver
// grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/driver.jar!/-" {
//      permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
// };
// The permission granted to the scrape taglib
// grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/scrape.jar!/-" {
//      permission java.net.SocketPermission "*.noaa.gov:80", "connect";
// };

debian/policy/04webapps.policy

// ========== WEB APPLICATION PERMISSIONS =====================================

// These permissions are granted by default to all web applications
// In addition, a web application will be given a read FilePermission
// and JndiPermission for all files and directories in its document root.
grant {
    // Required for JNDI lookup of named JDBC DataSource's and
    // javamail named MimePart DataSource used to send mail
    permission java.util.PropertyPermission "java.home", "read";
    permission java.util.PropertyPermission "java.naming.*", "read";
    permission java.util.PropertyPermission "javax.sql.*", "read";

    // OS Specific properties to allow read access
    permission java.util.PropertyPermission "os.name", "read";
    permission java.util.PropertyPermission "os.version", "read";
    permission java.util.PropertyPermission "os.arch", "read";
    permission java.util.PropertyPermission "file.separator", "read";
    permission java.util.PropertyPermission "path.separator", "read";
    permission java.util.PropertyPermission "line.separator", "read";

    // JVM properties to allow read access
    permission java.util.PropertyPermission "java.version", "read";
    permission java.util.PropertyPermission "java.vendor", "read";
    permission java.util.PropertyPermission "java.vendor.url", "read";
    permission java.util.PropertyPermission "java.class.version", "read";
    permission java.util.PropertyPermission "java.specification.version", "read";
    permission java.util.PropertyPermission "java.specification.vendor", "read";
    permission java.util.PropertyPermission "java.specification.name", "read";

    permission java.util.PropertyPermission "java.vm.specification.version", "read";
    permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
    permission java.util.PropertyPermission "java.vm.specification.name", "read";
    permission java.util.PropertyPermission "java.vm.version", "read";
    permission java.util.PropertyPermission "java.vm.vendor", "read";
    permission java.util.PropertyPermission "java.vm.name", "read";

    // Required for OpenJMX
    permission java.lang.RuntimePermission "getAttribute";

    // Allow read of JAXP compliant XML parser debug
    permission java.util.PropertyPermission "jaxp.debug", "read";

    // Precompiled JSPs need access to this package.
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime.*";

    // Example JSPs need those to work properly
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.el";
    permission java.lang.RuntimePermission "accessDeclaredMembers";

    // Precompiled JSPs need access to this system property.
    permission java.util.PropertyPermission "org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER", "read";

    // java.io.tmpdir should be usable as a temporary file directory
    permission java.util.PropertyPermission "java.io.tmpdir", "read";
    permission java.io.FilePermission "${java.io.tmpdir}/-", "read,write,delete";
};

debian/policy/01system.policy

// Licensed to the Apache Software Foundation (ASF) under one or more
// contributor license agreements.  See the NOTICE file distributed with
// this work for additional information regarding copyright ownership.
// The ASF licenses this file to You under the Apache License, Version 2.0
// (the "License"); you may not use this file except in compliance with
// the License.  You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// ============================================================================
// catalina.corepolicy - Security Policy Permissions for Tomcat 6
//
// This file contains a default set of security policies to be enforced (by the
// JVM) when Catalina is executed with the "-security" option.
// In addition to the permissions granted here, the following additional
// permissions are granted to the codebase specific to each web application:
//
// * Read access to the document root directory
//
// $Id: catalina.policy 609294 2008-01-06 11:43:46Z markt $
// ============================================================================

// ========== SYSTEM CODE PERMISSIONS =========================================

// These permissions apply to javac
grant codeBase "file:${java.home}/lib/-" {
    permission java.security.AllPermission;
};

// These permissions apply to all shared system extensions
grant codeBase "file:${java.home}/jre/lib/ext/-" {
    permission java.security.AllPermission;
};

// These permissions apply to javac when ${java.home} points at $JAVA_HOME/jre
grant codeBase "file:${java.home}/../lib/-" {
    permission java.security.AllPermission;
};

// These permissions apply to all shared system extensions when
// ${java.home} points at $JAVA_HOME/jre
grant codeBase "file:${java.home}/lib/ext/-" {
    permission java.security.AllPermission;
};

debian/policy/02debian.policy

// These permissions apply to all JARs from Debian packages
grant codeBase "file:/usr/share/java/-" {
    permission java.security.AllPermission;
};

grant codeBase "file:/usr/share/maven-repo/-" {
    permission java.security.AllPermission;
};

grant codeBase "file:/usr/share/ant/lib/-" {
    permission java.security.AllPermission;
};

debian/policy/03catalina.policy

// ========== CATALINA CODE PERMISSIONS =======================================

// These permissions apply to the logging API
grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
    permission java.util.PropertyPermission "java.util.logging.config.class", "read";
    permission java.util.PropertyPermission "java.util.logging.config.file", "read";
    permission java.lang.RuntimePermission "shutdownHooks";
    permission java.io.FilePermission "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read";
    permission java.util.PropertyPermission "catalina.base", "read";
    permission java.util.logging.LoggingPermission "control";
    permission java.io.FilePermission "${catalina.base}${file.separator}logs", "read, write";
    permission java.io.FilePermission "${catalina.base}${file.separator}logs${file.separator}*", "read, write";
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.lang.RuntimePermission "setContextClassLoader";
    // To enable per context logging configuration, permit read access to the appropriate file.
    // Be sure that the logging configuration is secure before enabling such access
    // eg for the examples web application:
    // permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read";
};

// These permissions apply to the server startup code
grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
    permission java.security.AllPermission;
};

// These permissions apply to the servlet API classes
// and those that are shared across all class loaders
// located in the "lib" directory
grant codeBase "file:${catalina.home}/lib/-" {
    permission java.security.AllPermission;
};

debian/README.source

Patch System
============

This package uses quilt to manage all modifications to the upstream
source. Changes are stored in the source package as diffs in
debian/patches and applied during the build.

See /usr/share/doc/quilt/README.source for a detailed explanation.

debian/tomcat6.init

#!/bin/sh
#
# /etc/init.d/tomcat6 -- startup script for the Tomcat 6 servlet engine
#
# Written by Miquel van Smoorenburg.
# Modified for Debian GNU/Linux by Ian Murdock.
# Modified for Tomcat by Stefan Gybas.
# Modified for Tomcat6 by Thierry Carrez.
# Additional improvements by Jason Brittain.
#
### BEGIN INIT INFO
# Provides:          tomcat6
# Required-Start:    $local_fs $remote_fs $network
# Required-Stop:     $local_fs $remote_fs $network
# Should-Start:      $named
# Should-Stop:       $named
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start Tomcat.
# Description:       Start the Tomcat servlet engine.
### END INIT INFO

set -e

PATH=/bin:/usr/bin:/sbin:/usr/sbin
NAME="$(basename "$0" | sed 's/^[KS][0-9]\{2\}//')"
DESC="Tomcat servlet engine"
DEFAULT=/etc/default/$NAME
JVM_TMP=/tmp/tomcat6-$NAME-tmp

if [ `id -u` -ne 0 ]; then
    echo "You need root privileges to run this script"
    exit 1
fi

# Make sure tomcat is started with system locale
if [ -r /etc/default/locale ]; then
    . /etc/default/locale
    export LANG
fi

. /lib/lsb/init-functions

if [ -r /etc/default/rcS ]; then
    . /etc/default/rcS
fi

# The following variables can be overwritten in $DEFAULT

# Run Tomcat 6 as this user ID and group ID
TOMCAT6_USER=tomcat6
TOMCAT6_GROUP=tomcat6

# this is a work-around until there is a suitable runtime replacement
# for dpkg-architecture for arch:all packages
# this function sets the variable OPENJDKS
find_openjdks()
{
    for jvmdir in /usr/lib/jvm/java-7-openjdk-*
    do
        if [ -d "${jvmdir}" -a "${jvmdir}" != "/usr/lib/jvm/java-7-openjdk-common" ]
        then
            OPENJDKS=$jvmdir
        fi
    done
    for jvmdir in /usr/lib/jvm/java-6-openjdk-*
    do
        if [ -d "${jvmdir}" -a "${jvmdir}" != "/usr/lib/jvm/java-6-openjdk-common" ]
        then
            OPENJDKS="${OPENJDKS} ${jvmdir}"
        fi
    done
}

# The first existing directory is used for JAVA_HOME (if JAVA_HOME is not
# defined in $DEFAULT)
OPENJDKS=""
find_openjdks
JDK_DIRS="/usr/lib/jvm/default-java ${OPENJDKS} /usr/lib/jvm/java-6-sun /usr/lib/jvm/java-1.5.0-sun /usr/lib/j2sdk1.5-sun /usr/lib/j2sdk1.5-ibm"

# Look for the right JVM to use
for jdir in $JDK_DIRS; do
    if [ -r "$jdir/bin/java" -a -z "${JAVA_HOME}" ]; then
        JAVA_HOME="$jdir"
    fi
done
export JAVA_HOME

# Directory where the Tomcat 6 binary
# distribution resides
CATALINA_HOME=/usr/share/tomcat6

# Directory for per-instance configuration files and webapps
CATALINA_BASE=/var/lib/$NAME

# Use the Java security manager? (yes/no)
TOMCAT6_SECURITY=no

# Default Java options
# Set java.awt.headless=true if JAVA_OPTS is not set so the
# Xalan XSL transformer can work without X11 display on JDK 1.4+
# It also looks like the default heap size of 64M is not enough for most cases
# so the maximum heap size is set to 128M
if [ -z "$JAVA_OPTS" ]; then
    JAVA_OPTS="-Djava.awt.headless=true -Xmx128M"
fi

# End of variables that can be overwritten in $DEFAULT

# overwrite settings from default file
if [ -f "$DEFAULT" ]; then
    . "$DEFAULT"
fi

if [ ! -f "$CATALINA_HOME/bin/bootstrap.jar" ]; then
    log_failure_msg "$NAME is not installed"
    exit 1
fi

POLICY_CACHE="$CATALINA_BASE/work/catalina.policy"

if [ -z "$CATALINA_TMPDIR" ]; then
    CATALINA_TMPDIR="$JVM_TMP"
fi

# Set the JSP compiler if set in the tomcat6.default file
if [ -n "$JSP_COMPILER" ]; then
    JAVA_OPTS="$JAVA_OPTS -Dbuild.compiler=\"$JSP_COMPILER\""
fi

SECURITY=""
if [ "$TOMCAT6_SECURITY" = "yes" ]; then
    SECURITY="-security"
fi

# Define other required variables
CATALINA_PID="/var/run/$NAME.pid"
CATALINA_SH="$CATALINA_HOME/bin/catalina.sh"

# Look for Java Secure Sockets Extension (JSSE) JARs
if [ -z "${JSSE_HOME}" -a -r "${JAVA_HOME}/jre/lib/jsse.jar" ]; then
    JSSE_HOME="${JAVA_HOME}/jre/"
fi

catalina_sh() {
    # Escape any double quotes in the value of JAVA_OPTS
    JAVA_OPTS="$(echo $JAVA_OPTS | sed 's/\"/\\\"/g')"

    AUTHBIND_COMMAND=""
    if [ "$AUTHBIND" = "yes" -a "$1" = "start" ]; then
        JAVA_OPTS="$JAVA_OPTS -Djava.net.preferIPv4Stack=true"
        AUTHBIND_COMMAND="/usr/bin/authbind --deep /bin/bash -c "
    fi

    # Define the command to run Tomcat's catalina.sh as a daemon
    # set -a tells sh to export assigned variables to spawned shells.
    TOMCAT_SH="set -a; JAVA_HOME=\"$JAVA_HOME\"; source \"$DEFAULT\"; \
        CATALINA_HOME=\"$CATALINA_HOME\"; \
        CATALINA_BASE=\"$CATALINA_BASE\"; \
        JAVA_OPTS=\"$JAVA_OPTS\"; \
        CATALINA_PID=\"$CATALINA_PID\"; \
        CATALINA_TMPDIR=\"$CATALINA_TMPDIR\"; \
        LANG=\"$LANG\"; JSSE_HOME=\"$JSSE_HOME\"; \
        cd \"$CATALINA_BASE\"; \
        \"$CATALINA_SH\" $@"

    if [ "$AUTHBIND" = "yes" -a "$1" = "start" ]; then
        TOMCAT_SH="'$TOMCAT_SH'"
    fi

    # Run the catalina.sh script as a daemon
    set +e
    if [ ! -f "$CATALINA_BASE"/logs/catalina.out ]; then
        install -o $TOMCAT6_USER -g adm -m 644 /dev/null "$CATALINA_BASE"/logs/catalina.out
    fi
    install -o $TOMCAT6_USER -g adm -m 644 /dev/null "$CATALINA_PID"
    start-stop-daemon --start -b -u "$TOMCAT6_USER" -g "$TOMCAT6_GROUP" \
        -c "$TOMCAT6_USER" -d "$CATALINA_TMPDIR" -p "$CATALINA_PID" \
        -x /bin/bash -- -c "$AUTHBIND_COMMAND $TOMCAT_SH"
    status="$?"
    set +a -e
    return $status
}

case "$1" in
    start)
        if [ -z "$JAVA_HOME" ]; then
            log_failure_msg "no JDK found - please set JAVA_HOME"
            exit 1
        fi

        if [ ! -d "$CATALINA_BASE/conf" ]; then
            log_failure_msg "invalid CATALINA_BASE: $CATALINA_BASE"
            exit 1
        fi

        log_daemon_msg "Starting $DESC" "$NAME"
        if start-stop-daemon --test --start --pidfile "$CATALINA_PID" \
            --user $TOMCAT6_USER --exec "$JAVA_HOME/bin/java" \
            >/dev/null; then

            # Regenerate POLICY_CACHE file
            umask 022
            echo "// AUTO-GENERATED FILE from /etc/tomcat6/policy.d/" \
                > "$POLICY_CACHE"
            echo "" >> "$POLICY_CACHE"
            cat $CATALINA_BASE/conf/policy.d/*.policy \
                >> "$POLICY_CACHE"

            # Remove / recreate JVM_TMP directory
            rm -rf "$JVM_TMP"
            mkdir -p "$JVM_TMP" || {
                log_failure_msg "could not create JVM temporary directory"
                exit 1
            }
            chown $TOMCAT6_USER "$JVM_TMP"

            catalina_sh start $SECURITY
            sleep 5
            if start-stop-daemon --test --start --pidfile "$CATALINA_PID" \
                --user $TOMCAT6_USER --exec "$JAVA_HOME/bin/java" \
                >/dev/null; then
                if [ -f "$CATALINA_PID" ]; then
                    rm -f "$CATALINA_PID"
                fi
                log_end_msg 1
            else
                log_end_msg 0
            fi
        else
            log_progress_msg "(already running)"
            log_end_msg 0
        fi
        ;;
    stop)
        log_daemon_msg "Stopping $DESC" "$NAME"

        set +e
        if [ -f "$CATALINA_PID" ]; then
            start-stop-daemon --stop --pidfile "$CATALINA_PID" \
                --user "$TOMCAT6_USER" \
                --retry=TERM/20/KILL/5 >/dev/null
            rc=$?
            # The exit status is saved above because each [ ] test
            # overwrites $?, which made the "elif" branch unreachable.
            if [ $rc -eq 1 ]; then
                log_progress_msg "$DESC is not running but pid file exists, cleaning up"
            elif [ $rc -eq 3 ]; then
                PID="`cat $CATALINA_PID`"
                log_failure_msg "Failed to stop $NAME (pid $PID)"
                exit 1
            fi
            rm -f "$CATALINA_PID"
            rm -rf "$JVM_TMP"
        else
            log_progress_msg "(not running)"
        fi
        log_end_msg 0
        set -e
        ;;
    status)
        set +e
        start-stop-daemon --test --start --pidfile "$CATALINA_PID" \
            --user $TOMCAT6_USER --exec "$JAVA_HOME/bin/java" \
            >/dev/null 2>&1
        if [ "$?" = "0" ]; then

            if [ -f "$CATALINA_PID" ]; then
                log_success_msg "$DESC is not running, but pid file exists."
                exit 1
            else
                log_success_msg "$DESC is not running."
                exit 3
            fi
        else
            log_success_msg "$DESC is running with pid `cat $CATALINA_PID`"
        fi
        set -e
        ;;
    restart|force-reload)
        if [ -f "$CATALINA_PID" ]; then
            $0 stop
            sleep 1
        fi
        $0 start
        ;;
    try-restart)
        if start-stop-daemon --test --start --pidfile "$CATALINA_PID" \
            --user $TOMCAT6_USER --exec "$JAVA_HOME/bin/java" \
            >/dev/null; then
            $0 start
        fi
        ;;
    *)
        log_success_msg "Usage: $0 {start|stop|restart|try-restart|force-reload|status}"
        exit 1
        ;;
esac

exit 0

debian/logrotate.md5sum

b5420492288987ba126ea151bd92852d logrotate.template

debian/tomcat6-admin.install

debian/context/manager.xml /etc/tomcat6/Catalina/localhost/
output/build/webapps/manager /usr/share/tomcat6-admin/
debian/context/host-manager.xml /etc/tomcat6/Catalina/localhost/
output/build/webapps/host-manager /usr/share/tomcat6-admin/

debian/tomcat6.templates

Template: tomcat6/username
Type: string
Default: tomcat6
_Description: Dedicated system account for the tomcat6 daemon:
 The tomcat6 server must use a dedicated account for its operation so that
 the system's security is not compromised by running it with superuser
 privileges.

Template: tomcat6/groupname
Type: string
Default: tomcat6
_Description: Dedicated system group for the tomcat6 daemon:
 The tomcat6 server must use a dedicated group for its operation so that
 the system's security is not compromised by running it with superuser
 privileges.

Template: tomcat6/javaopts
Type: string
Default: -Djava.awt.headless=true -Xmx128m -XX:+UseConcMarkSweepGC
_Description: Please choose the tomcat6 JVM Java options:
 Tomcat's JVM will be launched with a specific set of Java options.
 .
 Note that if you use -XX:+UseConcMarkSweepGC you should add the
 -XX:+CMSIncrementalMode option if you run Tomcat on a machine with
 exactly one CPU chip that contains one or two cores.

debian/tomcat6.dirs

var/log/tomcat6
var/lib/tomcat6/webapps
var/lib/tomcat6/common/classes
var/lib/tomcat6/server/classes
var/lib/tomcat6/shared/classes
var/cache/tomcat6
etc/tomcat6/Catalina/localhost
etc/logrotate.d

debian/tomcat6.prerm

#!/bin/sh
set -e

case "$1" in
    remove)
        [ -f /etc/default/tomcat6 ] && . /etc/default/tomcat6
        [ -z "$TOMCAT6_USER" ] && TOMCAT6_USER="tomcat6"
        # Remove auth for tomcat6 to open privileged ports via authbind.
        TOMCAT_UID="`id -u $TOMCAT6_USER`"
        if [ -f "/etc/authbind/byuid/$TOMCAT_UID" ]; then
            rm -f /etc/authbind/byuid/$TOMCAT_UID
        fi
    ;;
esac

#DEBHELPER#

debian/tomcat6.postrm

#!/bin/sh
set -e

#DEBHELPER#

CONFFILE=/etc/default/tomcat6
LR_CONFFILE=/etc/logrotate.d/tomcat6

# Remove cached files and auto-generated catalina.policy
rm -rf /var/cache/tomcat6/*

case "$1" in
    remove)
        # Remove ROOT webapp if not modified
        RWLOC="/var/lib/tomcat6/webapps/ROOT"
        RWFILES="$RWLOC/index.html $RWLOC/META-INF/context.xml"
        if [ "`(cat $RWFILES | md5sum -) 2>/dev/null | cut -d ' ' -f 1`" \
            = "c05987dd6c6bcbd651889e9a0ec98ade" ] ; then
            rm $RWFILES
            rmdir --ignore-fail-on-non-empty \
                /var/lib/tomcat6/webapps/ROOT/META-INF \
                /var/lib/tomcat6/webapps/ROOT \
                /var/lib/tomcat6/webapps \
                /var/lib/tomcat6 || true
        fi
        # The find paths below are absolute; the relative form
        # (var/lib/...) only matched when run from the root directory.
        if [ -d /var/lib/tomcat6/common ] && [ -z "`(find /var/lib/tomcat6/common/classes -type f)`" ] ; then
            rmdir --ignore-fail-on-non-empty \
                /var/lib/tomcat6/common/classes \
                /var/lib/tomcat6/common || true
        fi
        if [ -d /var/lib/tomcat6/server ] && [ -z "`(find /var/lib/tomcat6/server/classes -type f)`" ] ; then
            rmdir --ignore-fail-on-non-empty \
                /var/lib/tomcat6/server/classes \
                /var/lib/tomcat6/server || true
        fi
        if [ -d /var/lib/tomcat6/shared ] && [ -z "`(find /var/lib/tomcat6/shared/classes -type f)`" ] ; then
            rmdir --ignore-fail-on-non-empty \
                /var/lib/tomcat6/shared/classes \
                /var/lib/tomcat6/shared || true
        fi
        if [ -d "/var/cache/tomcat6" ] ; then
            rm -rf /var/cache/tomcat6
        fi
    ;;

    purge)
        # ignore errors during purge
        set +e
        if [ -x "/usr/bin/ucf" ]; then
            ucf --purge $CONFFILE
            ucf --purge $LR_CONFFILE
        fi
        rm -rf /var/log/tomcat6 /var/lib/tomcat6/temp $CONFFILE $LR_CONFFILE
        if [ -d "/var/lib/tomcat6" ] ; then
            rmdir --ignore-fail-on-non-empty /var/lib/tomcat6
        fi
        rmdir --ignore-fail-on-non-empty /etc/tomcat6/policy.d \
            /etc/tomcat6/Catalina/localhost /etc/tomcat6/Catalina /etc/tomcat6
        # clean up /etc/authbind after conffiles have been removed
        rmdir --ignore-fail-on-non-empty /etc/authbind/byuid /etc/authbind
        # Put all files owned by group tomcat6 back into root group before deleting
        # the tomcat6 user and group
        chown -Rhf root:root /etc/tomcat6/ || true
        # Remove user/group and log files (don't remove everything under
        # /var/lib/tomcat6 because there might be user-installed webapps)
        db_get tomcat6/username && TOMCAT6_USER="$RET" || TOMCAT6_USER="tomcat6"
        db_get tomcat6/groupname && TOMCAT6_GROUP="$RET" || TOMCAT6_GROUP="tomcat6"
        deluser $TOMCAT6_USER
        delgroup $TOMCAT6_GROUP
        set -e
    ;;

    upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
        # Nothing to do here
    ;;

    *)
        echo "$0 called with unknown argument \`$1'" >&2
        exit 1
    ;;
esac

debian/tomcat6-docs.links

/usr/share/tomcat6-docs/docs /usr/share/doc/tomcat6-docs/docs

debian/logging.properties

# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements.  See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

handlers = 1catalina.org.apache.juli.FileHandler, 2localhost.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler

.handlers = 1catalina.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler

############################################################
# Handler specific properties.
# Describes specific configuration info for Handlers.
############################################################

1catalina.org.apache.juli.FileHandler.level = FINE
1catalina.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
1catalina.org.apache.juli.FileHandler.prefix = catalina.

2localhost.org.apache.juli.FileHandler.level = FINE
2localhost.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
2localhost.org.apache.juli.FileHandler.prefix = localhost.

java.util.logging.ConsoleHandler.level = FINE
java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter

############################################################
# Facility specific properties.
# Provides extra control for each logger.
############################################################

org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = INFO
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].handlers = 2localhost.org.apache.juli.FileHandler

# For example, set the com.xyz.foo logger to only log SEVERE
# messages:
#org.apache.catalina.startup.ContextConfig.level = FINE
#org.apache.catalina.startup.HostConfig.level = FINE
#org.apache.catalina.session.ManagerBase.level = FINE
#org.apache.catalina.core.AprLifecycleListener.level=FINE

debian/tomcat6-instance-create

#!/bin/sh
# Script to create a CATALINA_BASE directory for your own tomcat

PROG=`basename $0`
TARGET=""
HPORT=8080
CPORT=8005
CWORD="SHUTDOWN"
warned=0
warnlowport=0

usage() {
  echo "Usage: $PROG [options] "
  echo " directoryname: name of the tomcat instance directory to create"
  echo "Options:"
  echo " -h, --help Display this help message"
  echo " -p httpport HTTP port to be used by Tomcat (default is $HPORT)"
  echo " -c controlport Server shutdown control port (default is $CPORT)"
  echo " -w magicword Word to send to trigger shutdown (default is $CWORD)"
}

checkport() {
  type=$1
  port=$2
  # Fail if port is non-numeric
  if ! echo $port | grep -Eq '^\-?[0-9]+$' ; then
    echo "Error: ${type} port '${port}' is not a valid TCP port number."
    exit 1
  fi

  # If Control port is -1 , no need to check any further.
  if [ "$type" = "Control" ] && [ $port -eq -1 ]; then
    echo "Warning: Control port disabled. You will have to shutdown the server manually, by using OS signals."
    return
  fi

  # Fail if port is 0 or negative
  if [ $port -le 0 ]; then
    echo "Error: ${type} port '${port}' is not a valid TCP port number."
    exit 1
  fi

  # Fail if port is above 65535
  if [ ${port} -gt 65535 ]; then
    echo "Error: ${type} port ${port} is above TCP port numbers (> 65535)."
        exit 1
    fi

    # Warn if port is below 1024 (once)
    if [ "${warnlowport}" -eq 0 ]; then
        if [ "${port}" -lt 1024 ]; then
            echo "Warning: ports below 1024 are reserved to the super-user."
            warnlowport=1
            warned=1
        fi
    fi

    # Warn if port appears to be in use
    if nc -z localhost "${port}" > /dev/null 2>&1; then
        echo "Warning: ${type} port ${port} appears to be in use."
        warned=1
    fi
}

if [ "$#" -lt 1 ]; then
    usage
    exit 1
fi
if [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
    usage
    exit 0
fi

while getopts ":p:c:w:h" options; do
    case $options in
        p ) HPORT=$OPTARG ;;
        c ) CPORT=$OPTARG ;;
        w ) CWORD=$OPTARG ;;
        # Print the help text and stop instead of going on to create an instance
        h ) usage
            exit 0;;
        * ) echo "Error: Unknown parameter '$OPTARG'."
            exit 1;;
    esac
done

shift $((OPTIND - 1))
TARGET=$1

# Fail if no target specified (checked before anything else is printed,
# and before the shift below, which fails when no argument is left)
if [ -z "${TARGET}" ]; then
    echo "Error: No target directory specified."
    exit 1
fi
shift

echo "You are about to create a Tomcat instance in directory '$TARGET'"

# Fail if ports are the same
if [ "${HPORT}" = "${CPORT}" ]; then
    echo "Error: HTTP port and control port must be different."
    exit 1
fi

# Fail if the magic word would break the sed expression or the XML attribute
# it is written into (conf/server.xml)
if printf '%s' "${CWORD}" | grep -q '[/&\\"<>]'; then
    echo "Error: magic word must not contain '/', '&', '\"', '<', '>' or a backslash."
    exit 1
fi

# Fail if target directory already exists
if [ -d "${TARGET}" ]; then
    echo "Error: Target directory already exists."
    exit 1
fi

# Check ports
checkport HTTP "${HPORT}"
checkport Control "${CPORT}"

# Ask for confirmation if warnings were printed out
if [ "${warned}" -eq 1 ]; then
    echo "Type <ENTER> to continue, <CTRL-C> to abort."
    read -r answer
fi

mkdir -p "${TARGET}"
# Absolute path of the new instance, written into the generated scripts
FULLTARGET=$(cd "${TARGET}" > /dev/null && pwd)

mkdir "${TARGET}/conf"
mkdir "${TARGET}/logs"
mkdir "${TARGET}/webapps"
mkdir "${TARGET}/work"
mkdir "${TARGET}/temp"
cp -r /usr/share/tomcat6/skel/* "${TARGET}"

# Create necessary symbolic links so that eclipse can be properly configured
ln -s /usr/share/tomcat6/lib "${TARGET}/lib"
ln -s /usr/share/tomcat6/bin/bootstrap.jar "${TARGET}/bin/bootstrap.jar"

# Patch the HTTP port, the shutdown port and the shutdown word into server.xml
sed -i -e "s/Connector port=\"8080\"/Connector port=\"${HPORT}\"/;s/Server port=\"8005\" shutdown=\"SHUTDOWN\"/Server port=\"${CPORT}\" shutdown=\"${CWORD}\"/" "${TARGET}/conf/server.xml"

cat > "${TARGET}/bin/startup.sh" << EOT
#!/bin/sh
export CATALINA_BASE="${FULLTARGET}"
/usr/share/tomcat6/bin/startup.sh
echo "Tomcat started"
EOT

cat > "${TARGET}/bin/shutdown.sh" << EOT
#!/bin/sh
export CATALINA_BASE="${FULLTARGET}"
/usr/share/tomcat6/bin/shutdown.sh
echo "Tomcat stopped"
EOT

chmod a+x "${TARGET}/bin/startup.sh" "${TARGET}/bin/shutdown.sh"
echo "* New Tomcat instance created in ${TARGET}"
echo "* You might want to edit default configuration in ${TARGET}/conf"
echo "* Run ${TARGET}/bin/startup.sh to start your Tomcat instance"

debian/libservlet2.5-java.poms
debian/poms/servlet-api.pom --no-parent
debian/poms/jsp-api.pom --no-parent
debian/poms/el-api.pom --no-parent

debian/README.Debian
Getting started:

* After installing the tomcat6 package, the server should be accessible at
  http://localhost:8080/
* If you install tomcat6-admin, then you need to edit
  /etc/tomcat6/tomcat-users.xml and add to it the following:
  Tomcat administration will be accessible on
  http://localhost:8080/manager/html
* Tomcat is not running under a Java security manager by default.
  If you expose your Tomcat instance to the internet, please consider editing
  your /etc/default/tomcat6 file and setting TOMCAT6_SECURITY="yes", then
  adjust the policy files in /etc/tomcat6/policy.d/ as explained in
  http://tomcat.apache.org/tomcat-6.0-doc/security-manager-howto.html
* To run more than one Tomcat instance on your server, install the package
  tomcat6-user and run the tomcat6-instance-create utility.
  You should remove the tomcat6 package if you don't want Tomcat to start as a
  daemon at boot time.
* If you configure your Tomcat to listen on one or more privileged ports
  (such as port 80 or port 443), then you may now enable authbind in your
  /etc/default/tomcat6 file. The authbind package can allow your Tomcat JVM
  user (a non-root user) to listen on privileged ports. Set AUTHBIND="yes" to
  enable it, and then configure your Tomcat to listen on any port number you
  wish. See "man authbind" for information on configuring authbind.

SECURITY:

Tomcat 6 session cookies are sent with the httponly flag disabled by default.
It is recommended as a proactive security measure to turn this setting on to
mitigate cross-site scripting attacks: httponly cookies cannot be 'stolen' via
JavaScript, a common vector in such attacks.

The httponly setting can be enabled by adding the useHttpOnly attribute to in
/etc/tomcat6/context.xml:

Httponly not being on by default is referred to as CVE-2010-4172.

NEWS:

tomcat6 (6.0.20-dfsg1-2) unstable; urgency=low

  * The tomcat6 package no longer uses the jsvc native service runner.
    Instead, by default, the init script invokes the catalina.sh script, and
    Tomcat does not attempt to open any server sockets on ports below 1024.
    If you configure your Tomcat to listen on one or more privileged ports
    (such as port 80 or port 443), then you may now enable authbind in your
    /etc/default/tomcat6 file. The authbind package can allow your Tomcat JVM
    user (a non-root user) to listen on privileged ports.
    Set AUTHBIND="yes" to enable it, and then configure your Tomcat to listen
    on any port number you wish. See "man authbind" for information on
    configuring authbind.

  * The Tomcat security manager is now disabled by default. Previous versions
    of this package enabled the Tomcat security manager by default. A large
    number of users reported exceptions where the root cause was that the
    security manager was enabled by default. In nearly all of these cases,
    the users are unfamiliar with the Java security manager, and are not
    interested in trying to define security manager rules for their webapps --
    they just want it to run. Disabling the security manager fixes it for
    them. Today, most Tomcat users run Tomcat with the security manager
    disabled. Those who intentionally enable it are the minority, and they
    tend to know how it works. If you are currently using the security
    manager, and would like to continue using it after upgrading to
    tomcat6-6.0.20-10 or higher, edit your /etc/default/tomcat6 file and set
    TOMCAT6_SECURITY="yes".

 -- Jason Brittain Thu, 28 Jan 2010 17:15:03 +0000

Differences introduced in the tomcat6-6.0.20-5 release:

- New folders have been created in /var/lib/tomcat6 to allow an administrator
  to add shared classes or libraries.
  The layout is as follows:
  /var/lib/tomcat6/common - put there jar files to be loaded by the common classloader
  /var/lib/tomcat6/common/classes - put there classes to be loaded by the common classloader
  /var/lib/tomcat6/server - put there jar files to be loaded by the server classloader
  /var/lib/tomcat6/server/classes - put there classes to be loaded by the server classloader
  /var/lib/tomcat6/shared - put there jar files to be loaded by the shared classloader
  /var/lib/tomcat6/shared/classes - put there classes to be loaded by the shared classloader

 -- Ludovic Claude Sat, 25 Jul 2009 11:15:00 +0100

Differences introduced in the tomcat6-6.0.18-0ubuntu4 release:

- The default JVM temporary directory (java.io.tmpdir), which originally was
  located in /var/lib/tomcat6/temp, was moved to /tmp/tomcat6-temp. You can
  change its location by editing the JVM_TMP setting in /etc/default/tomcat6.
  This directory will get purged every time Tomcat starts (or stops). The
  default security policy was modified to allow webapps to use that directory
  for temporary file creation.

 -- Thierry Carrez Wed, 26 Nov 2008 15:54:17 +0000

Main differences with the Tomcat 5.5 packages:

- These packages conform to the CATALINA_BASE spec described in RUNNING.txt,
  in order to be able to run multiple instances of Tomcat on the same machine.
- The tomcat6 package installs the system instance and init scripts with
  CATALINA_BASE in /var/lib/tomcat6. It installs a minimal ROOT webapp to
  check that everything works correctly.
- A new tomcat6-user package has been created. This package allows users to
  create their own user instance of tomcat (CATALINA_BASE) by calling the
  create-user-tomcat.sh script located in /usr/share/tomcat6/bin. It does not
  require the system instance (tomcat6 package) to be installed.
- The new package tomcat6-common contains files common to tomcat6-user and
  tomcat6. It implements the common CATALINA_HOME in /usr/share/tomcat6.
- The docs (and associated webapp) have been put in a separate tomcat6-docs
  package.
- The -webapps package has been replaced by a tomcat6-examples package that
  just contains the examples webapp.
- The catalina.policy file for the system instance is now autogenerated in
  /var/cache/tomcat6.

 -- Thierry Carrez Thu, 24 Jul 2008 09:52:31 +0200

debian/libtomcat6-java.poms
debian/poms/annotations-api.pom
debian/poms/catalina.pom
debian/poms/catalina-ha.pom
debian/poms/coyote.pom
debian/poms/jasper.pom
debian/poms/jasper-el.pom
debian/poms/juli.pom
debian/poms/tribes.pom

debian/defaults.md5sum
8db3c173dfe0df41b6515d946324d415 lucid

debian/tomcat6.links
/etc/tomcat6 /var/lib/tomcat6/conf
/var/cache/tomcat6 /var/lib/tomcat6/work
/var/log/tomcat6 /var/lib/tomcat6/logs
/usr/share/doc/tomcat6-common/README.Debian.gz /usr/share/doc/tomcat6/README.Debian.gz

debian/maven.publishedRules
# Convert tomcat version of the standard apis to the javax apis
s/org.apache.tomcat/javax.servlet/ servlet-api jar s/.*/2.5/
s/org.apache.tomcat/javax.servlet/ jsp-api jar s/.*/2.1/
s/org.apache.tomcat/javax.el/ el-api jar s/.*/2.1/

debian/po/

debian/po/ja.po
# Copyright (C) Debian Java Maintainers
# This file is distributed under the same license as the tomcat6 package.
# Hideki Yamane , 2010.
# msgid "" msgstr "" "Project-Id-Version: tomcat6 6.0.28-4\n" "Report-Msgid-Bugs-To: tomcat6@packages.debian.org\n" "POT-Creation-Date: 2010-08-06 04:08+0200\n" "PO-Revision-Date: 2010-08-10 08:04-0400\n" "Last-Translator: Hideki Yamane \n" "Language-Team: Japanese \n" "Language: Japanese\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" #. Type: string #. Description #: ../tomcat6.templates:1001 msgid "Dedicated system account for the tomcat6 daemon:" msgstr "tomcat6 デーモン専用のシステムアカウント:" #. Type: string #. Description #: ../tomcat6.templates:1001 msgid "" "The tomcat6 server must use a dedicated account for its operation so that " "the system's security is not compromised by running it with superuser " "privileges." msgstr "" "tomcat6 サーバは、動作するのに専用アカウントを利用する必要があります。" "これによって、システムのセキュリティは特権ユーザ権限で動作させることによる" "侵害を受けなくなります。" #. Type: string #. Description #: ../tomcat6.templates:2001 msgid "Dedicated system group for the tomcat6 daemon:" msgstr "tomcat6 デーモン専用のシステムグループ:" #. Type: string #. Description #: ../tomcat6.templates:2001 msgid "" "The tomcat6 server must use a dedicated group for its operation so that the " "system's security is not compromised by running it with superuser privileges." msgstr "" "tomcat6 サーバは、動作するのに専用グループを利用する必要があります。" "これによって、システムのセキュリティは特権ユーザ権限で動作させることによる" "侵害を受けなくなります。" #. Type: string #. Description #: ../tomcat6.templates:3001 msgid "Please choose the tomcat6 JVM Java options:" msgstr "tomcat6 JVM Java オプションを選択してください:" #. Type: string #. Description #: ../tomcat6.templates:3001 msgid "Tomcat's JVM will be launched with a specific set of Java options." msgstr "Tomcat の JVM は特定の Java オプションを指定して起動されます。" #. Type: string #. Description #: ../tomcat6.templates:3001 msgid "" "Note that if you use -XX:+UseConcMarkSweepGC you should add the -XX:" "+CMSIncrementalMode option if you run Tomcat on a machine with exactly one " "CPU chip that contains one or two cores." 
msgstr "" "Tomcat を 1, 2 コアの CPU が 1 個しかないマシンで動作させる場合、" "-XX:+UseConcMarkSweepGC を使う際には -XX:+CMSIncrementalMode オプションを使う" "必要があることに注意してください。" debian/po/POTFILES.in0000664000000000000000000000005412300245614011357 0ustar [type: gettext/rfc822deb] tomcat6.templates debian/po/it.po0000664000000000000000000000532412300245614010563 0ustar # Italian translation of tomcat6'S PO-DEBCONF FILE. # Copyright (C) 2011 THE tomcat6'S COPYRIGHT HOLDER # This file is distributed under the same license as the tomcat6 package. # Dario Santamaria , 2011. # Collaboratively translated during an online sprint, thanks to all contributors! # msgid "" msgstr "" "Project-Id-Version: 6.0.32-3\n" "Report-Msgid-Bugs-To: tomcat6@packages.debian.org\n" "POT-Creation-Date: 2010-08-06 04:08+0200\n" "PO-Revision-Date: 2011-04-14 22:00+0100\n" "Last-Translator: Dario Santamaria \n" "Language-Team: Italian \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=utf-8\n" "Content-Transfer-Encoding: 8bit\n" #. Type: string #. Description #: ../tomcat6.templates:1001 msgid "Dedicated system account for the tomcat6 daemon:" msgstr "Account di sistema dedicato per il demone tomcat6:" #. Type: string #. Description #: ../tomcat6.templates:1001 msgid "" "The tomcat6 server must use a dedicated account for its operation so that " "the system's security is not compromised by running it with superuser " "privileges." msgstr "" "Il server tomcat6 deve utilizzare un account dedicato per le sue funzioni " "affinché la sicurezza del sistema non sia compromessa dall'esecuzione con " "i privilegi del superutente." #. Type: string #. Description #: ../tomcat6.templates:2001 msgid "Dedicated system group for the tomcat6 daemon:" msgstr "Gruppo di sistema dedicato per il demone tomcat6:" #. Type: string #. Description #: ../tomcat6.templates:2001 msgid "" "The tomcat6 server must use a dedicated group for its operation so that the " "system's security is not compromised by running it with superuser privileges." 
msgstr "" "Il server tomcat6 deve utilizzare un gruppo dedicato per le sue funzioni " "affinché la sicurezza del sistema non sia compromessa dall'esecuzione con " "i privilegi di superutente." #. Type: string #. Description #: ../tomcat6.templates:3001 msgid "Please choose the tomcat6 JVM Java options:" msgstr "Scegliere le opzioni della JVM di tomcat6:" #. Type: string #. Description #: ../tomcat6.templates:3001 msgid "Tomcat's JVM will be launched with a specific set of Java options." msgstr "La JVM di Tomcat sarà eseguita con un insieme specifico di opzioni Java." #. Type: string #. Description #: ../tomcat6.templates:3001 msgid "" "Note that if you use -XX:+UseConcMarkSweepGC you should add the -XX:" "+CMSIncrementalMode option if you run Tomcat on a machine with exactly one " "CPU chip that contains one or two cores." msgstr "" "Attenzione che se si usa -XX:+UseConcMarkSweepGC si deve aggiungere l'opzione -XX:" "+CMSIncrementalMode se si esegue Tomcat su una macchina a singola " "CPU con uno o due core." debian/po/tr.po0000664000000000000000000000534212300245614010574 0ustar # SOME DESCRIPTIVE TITLE. # Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER # This file is distributed under the same license as the PACKAGE package. # Atila KOÇ , 2012. # msgid "" msgstr "" "Project-Id-Version: tomcat6\n" "Report-Msgid-Bugs-To: tomcat6@packages.debian.org\n" "POT-Creation-Date: 2010-08-06 04:08+0200\n" "PO-Revision-Date: 2012-03-15 13:34+0200\n" "Last-Translator: Atila KOÇ \n" "Language-Team: \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=utf-8\n" "Content-Transfer-Encoding: 8bit\n" #. Type: string #. Description #: ../tomcat6.templates:1001 msgid "Dedicated system account for the tomcat6 daemon:" msgstr "tomcat6 artalan sürecine özgü sistem hesabı:" #. Type: string #. 
Description #: ../tomcat6.templates:1001 msgid "The tomcat6 server must use a dedicated account for its operation so that the system's security is not compromised by running it with superuser privileges." msgstr "tomcat6 sunucusu, işlevini gerçekleştirirken, süper kullanıcı hakları ile çalıştırılmasının getireceği güvenlik açıklarını engellemek için kendine özgü bir kullanıcı hesabı kullanmalıdır." #. Type: string #. Description #: ../tomcat6.templates:2001 msgid "Dedicated system group for the tomcat6 daemon:" msgstr "tomcat6 artalan sürecine özgü sistem grubu:" #. Type: string #. Description #: ../tomcat6.templates:2001 msgid "The tomcat6 server must use a dedicated group for its operation so that the system's security is not compromised by running it with superuser privileges." msgstr "tomcat6 sunucusu, işlevini gerçekleştirirken, süper kullanıcı hakları ile çalıştırılmasının getireceği güvenlik açıklarını engellemek için kendine özgü bir grup hesabı kullanmalıdır." #. Type: string #. Description #: ../tomcat6.templates:3001 msgid "Please choose the tomcat6 JVM Java options:" msgstr "tomcat6 için Java Sanal Makinesi (JVM) Java seçeneklerini seçiniz:" #. Type: string #. Description #: ../tomcat6.templates:3001 msgid "Tomcat's JVM will be launched with a specific set of Java options." msgstr "Tomcat'in Java Sanal Makinesi (JVM) özel bir Java seçenekleri kümesi ile başlatılacaktır." #. Type: string #. Description #: ../tomcat6.templates:3001 msgid "Note that if you use -XX:+UseConcMarkSweepGC you should add the -XX:+CMSIncrementalMode option if you run Tomcat on a machine with exactly one CPU chip that contains one or two cores." msgstr "Eğer Tomcat'i içerisinde bir ya da iki çekirdek barındıran tek işlemcili bir makine üzerinde çalıştırıyor ve -XX:+UseConcMarkSweepGC seçeneğini kullanıyorsanız, -XX:+CMSIncrementalMode seçeneğini de eklemelisiniz." 
debian/po/nl.po0000664000000000000000000000527712300245614010567 0ustar # Dutch translation of tomcat6 debconf templates. # Copyright (C) 2011 THE PACKAGE'S COPYRIGHT HOLDER # This file is distributed under the same license as the tomcat6 package. # Jeroen Schot , 2011. # msgid "" msgstr "" "Project-Id-Version: tomcat6 6.0.32-5\n" "Report-Msgid-Bugs-To: tomcat6@packages.debian.org\n" "POT-Creation-Date: 2010-08-06 04:08+0200\n" "PO-Revision-Date: 2011-07-22 10:04+0200\n" "Last-Translator: Jeroen Schot \n" "Language-Team: Debian l10n Dutch \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "Language: nl\n" #. Type: string #. Description #: ../tomcat6.templates:1001 msgid "Dedicated system account for the tomcat6 daemon:" msgstr "Speciale systeemaccount voor de tomcat6-achtergronddienst:" #. Type: string #. Description #: ../tomcat6.templates:1001 msgid "" "The tomcat6 server must use a dedicated account for its operation so that " "the system's security is not compromised by running it with superuser " "privileges." msgstr "" "De tomcat6-server moet een speciale account gebruiken voor zijn " "werkzaamheden, want als hij met beheerdersrechten wordt uitgevoerd kan dit " "de beveiliging van het systeem in gevaar brengen." #. Type: string #. Description #: ../tomcat6.templates:2001 msgid "Dedicated system group for the tomcat6 daemon:" msgstr "Speciale systeemgroep voor de tomcat6-achtergronddienst:" #. Type: string #. Description #: ../tomcat6.templates:2001 msgid "" "The tomcat6 server must use a dedicated group for its operation so that the " "system's security is not compromised by running it with superuser privileges." msgstr "" "De tomcat6-server moet een speciale groep gebruiken voor zijn werkzaamheden, " "want als hij met beheerdersrechten wordt uitgevoerd kan dit de beveiliging " "van het systeem in gevaar brengen." #. Type: string #. 
Description #: ../tomcat6.templates:3001 msgid "Please choose the tomcat6 JVM Java options:" msgstr "Kies de tomcat6 JVM Java-opties:" #. Type: string #. Description #: ../tomcat6.templates:3001 msgid "Tomcat's JVM will be launched with a specific set of Java options." msgstr "Tomcat's JVM wordt met een specifieke set Java-opties gelanceerd." #. Type: string #. Description #: ../tomcat6.templates:3001 msgid "" "Note that if you use -XX:+UseConcMarkSweepGC you should add the -XX:" "+CMSIncrementalMode option if you run Tomcat on a machine with exactly one " "CPU chip that contains one or two cores." msgstr "" "N.B. Als u -XX:+UseConcMarkSweepGC gebruikt moet u de optie -XX:" "+CMSIncrementalMode toevoegen als u Tomcat op een machine met precies één " "CPU-chip met één of twee kernen gebruikt." debian/po/templates.pot0000664000000000000000000000352012300245614012325 0ustar # SOME DESCRIPTIVE TITLE. # Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER # This file is distributed under the same license as the PACKAGE package. # FIRST AUTHOR , YEAR. # #, fuzzy msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: tomcat6@packages.debian.org\n" "POT-Creation-Date: 2010-08-06 04:08+0200\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=CHARSET\n" "Content-Transfer-Encoding: 8bit\n" #. Type: string #. Description #: ../tomcat6.templates:1001 msgid "Dedicated system account for the tomcat6 daemon:" msgstr "" #. Type: string #. Description #: ../tomcat6.templates:1001 msgid "" "The tomcat6 server must use a dedicated account for its operation so that " "the system's security is not compromised by running it with superuser " "privileges." msgstr "" #. Type: string #. Description #: ../tomcat6.templates:2001 msgid "Dedicated system group for the tomcat6 daemon:" msgstr "" #. Type: string #. 
Description #: ../tomcat6.templates:2001 msgid "" "The tomcat6 server must use a dedicated group for its operation so that the " "system's security is not compromised by running it with superuser privileges." msgstr "" #. Type: string #. Description #: ../tomcat6.templates:3001 msgid "Please choose the tomcat6 JVM Java options:" msgstr "" #. Type: string #. Description #: ../tomcat6.templates:3001 msgid "Tomcat's JVM will be launched with a specific set of Java options." msgstr "" #. Type: string #. Description #: ../tomcat6.templates:3001 msgid "" "Note that if you use -XX:+UseConcMarkSweepGC you should add the -XX:" "+CMSIncrementalMode option if you run Tomcat on a machine with exactly one " "CPU chip that contains one or two cores." msgstr "" debian/po/de.po0000664000000000000000000000530112300245614010532 0ustar # Translation of tomcat6 debconf templates to german. # Copyright (C) 2010, Holger Wansing. # This file is distributed under the same license as the tomcat6 package. # Holger Wansing , 2010. # msgid "" msgstr "" "Project-Id-Version: tomcat6 6.0.28-4\n" "Report-Msgid-Bugs-To: tomcat6@packages.debian.org\n" "POT-Creation-Date: 2010-08-06 04:08+0200\n" "PO-Revision-Date: 2010-08-15 12:59+0200\n" "Last-Translator: Holger Wansing \n" "Language-Team: German \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit" #. Type: string #. Description #: ../tomcat6.templates:1001 msgid "Dedicated system account for the tomcat6 daemon:" msgstr "Eigenes Systemkonto für den Tomcat6-Daemon:" #. Type: string #. Description #: ../tomcat6.templates:1001 msgid "" "The tomcat6 server must use a dedicated account for its operation so that " "the system's security is not compromised by running it with superuser " "privileges." msgstr "" "Der Tomcat6-Server muss ein eigenes Konto für seinen Betrieb verwenden, um " "die Sicherheit des Systems nicht durch die Ausführung mit Superuser-Rechten " "zu kompromittieren." #. Type: string #. 
Description #: ../tomcat6.templates:2001 msgid "Dedicated system group for the tomcat6 daemon:" msgstr "Eigene Systemgruppe für den Tomcat6-Daemon:" #. Type: string #. Description #: ../tomcat6.templates:2001 msgid "" "The tomcat6 server must use a dedicated group for its operation so that the " "system's security is not compromised by running it with superuser privileges." msgstr "" "Der Tomcat6-Server muss eine eigene Gruppe für seinen Betrieb verwenden, um " "die Sicherheit des Systems nicht durch die Ausführung mit Superuser-Rechten " "zu kompromittieren." #. Type: string #. Description #: ../tomcat6.templates:3001 msgid "Please choose the tomcat6 JVM Java options:" msgstr "Bitte wählen Sie die Java-Optionen für die Tomcat6-JVM:" #. Type: string #. Description #: ../tomcat6.templates:3001 msgid "Tomcat's JVM will be launched with a specific set of Java options." msgstr "Die Tomcat-JVM wird mit speziellen Java-Optionen gestartet." #. Type: string #. Description #: ../tomcat6.templates:3001 msgid "" "Note that if you use -XX:+UseConcMarkSweepGC you should add the -XX:" "+CMSIncrementalMode option if you run Tomcat on a machine with exactly one " "CPU chip that contains one or two cores." msgstr "" "Beachten Sie beim Einsatz auf Systemen mit genau einem CPU-Chip, der einen " "oder zwei Prozessorkerne enthält, dass bei Wahl der Option " "»-XX:+UseConcMarkSweepGC« auch die Option -XX:+CMSIncrementalMode zur " "Konfiguration hinzugefügt werden sollte." debian/po/es.po0000664000000000000000000000733112300245614010556 0ustar # tomcat6 po-debconf translation to Spanish # Copyright (C) 2010 Software in the Public Interest, SPI Inc. # This file is distributed under the same license as the tomcat6 package. 
#
# Changes:
# - Initial translation
# Javier Fernández-Sanguino , 2010
#
#
# Translators, if you are not familiar with the PO format, it is worth
# reading the gettext documentation, especially the sections dedicated to
# this format, for example by running:
# info -n '(gettext)PO Files'
# info -n '(gettext)Header Entry'
#
# Spanish translation team, please read the following documents before
# translating:
#
# - The Debian Spanish translation project
# http://www.debian.org/intl/spanish/
# especially the translation notes and rules at
# http://www.debian.org/intl/spanish/notas
#
# - The translation guide for debconf po files:
# /usr/share/doc/po-debconf/README-trans
# or http://www.debian.org/intl/l10n/po-debconf/README-trans
#
# If you have doubts or questions about this translation, consult the last
# translator (Last-Translator field) and copy the Debian Spanish
# translation list ()
#
msgid ""
msgstr ""
"Project-Id-Version: tomcat6 6.0.28\n"
"Report-Msgid-Bugs-To: tomcat6@packages.debian.org\n"
"POT-Creation-Date: 2010-08-06 04:08+0200\n"
"PO-Revision-Date: 2010-08-08 02:14+0200\n"
"Last-Translator: Javier Fernández-Sanguino \n"
"Language-Team: Debian Spanish \n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"X-POFile-SpellExtra: tomcat Tomcat UseConcMarkSweepGC XX JVM cores\n"
"X-POFile-SpellExtra: CMSIncrementalMode\n"

#. Type: string
#. Description
#: ../tomcat6.templates:1001
msgid "Dedicated system account for the tomcat6 daemon:"
msgstr "Cuenta del sistema dedicada para el servicio tomcat6:"

#. Type: string
#. Description
#: ../tomcat6.templates:1001
msgid ""
"The tomcat6 server must use a dedicated account for its operation so that "
"the system's security is not compromised by running it with superuser "
"privileges."
msgstr "El servidor tomcat6 debe utilizar una cuenta dedicada para su operación para no comprometer la seguridad del sistema al ejecutarlo con privilegios de superusuario." #. Type: string #. Description #: ../tomcat6.templates:2001 msgid "Dedicated system group for the tomcat6 daemon:" msgstr "Grupo de sistema dedicado para el servicio tomcat6:" #. Type: string #. Description #: ../tomcat6.templates:2001 msgid "" "The tomcat6 server must use a dedicated group for its operation so that the " "system's security is not compromised by running it with superuser privileges." msgstr "El servidor tomcat6 debe utilizar un grupo dedicado para su operación para no comprometer la seguridad del sistema por ejecutarlo con los privilegios del superusuario." #. Type: string #. Description #: ../tomcat6.templates:3001 msgid "Please choose the tomcat6 JVM Java options:" msgstr "Escoja las opciones del JVM Java de tomcat6:" #. Type: string #. Description #: ../tomcat6.templates:3001 msgid "Tomcat's JVM will be launched with a specific set of Java options." msgstr "La JVM de Tomcat puede ejecutarse con un conjunto específico de opciones de Java." #. Type: string #. Description #: ../tomcat6.templates:3001 msgid "" "Note that if you use -XX:+UseConcMarkSweepGC you should add the -XX:" "+CMSIncrementalMode option if you run Tomcat on a machine with exactly one " "CPU chip that contains one or two cores." msgstr "Tenga en cuenta que si utiliza -XX:+UseConcMarkSweepGC debería añadir la opción -XX:+CMSIncrementalMode si ejecuta Tomcat en un equipo que tenga exáctamente un chip de CPU y que contenga uno o dos cores." debian/po/da.po0000664000000000000000000000517512300245614010537 0ustar # Danish translation tomcat6. # Copyright (C) 2010 tomcat6 & nedenstående oversættere. # This file is distributed under the same license as the tomcat6 package. # Joe Hansen (joedalton2@yahoo.dk), 2010. 
# msgid "" msgstr "" "Project-Id-Version: tomcat6\n" "Report-Msgid-Bugs-To: tomcat6@packages.debian.org\n" "POT-Creation-Date: 2010-08-06 04:08+0200\n" "PO-Revision-Date: 2010-11-27 12:42+0000\n" "Last-Translator: Joe Hansen \n" "Language-Team: Danish \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" #. Type: string #. Description #: ../tomcat6.templates:1001 msgid "Dedicated system account for the tomcat6 daemon:" msgstr "Dedikeret systemkonto for tomcat6-dæmonen:" #. Type: string #. Description #: ../tomcat6.templates:1001 msgid "" "The tomcat6 server must use a dedicated account for its operation so that " "the system's security is not compromised by running it with superuser " "privileges." msgstr "" "tomcat6-serveren skal bruge en dedikeret konto for at fungere på en måde, der " "gør, at systemets sikkerhed ikke kompromitteres ved at køre den med " "superbrugerprivilegier." #. Type: string #. Description #: ../tomcat6.templates:2001 msgid "Dedicated system group for the tomcat6 daemon:" msgstr "Dedikeret systemgruppe for tomcat6-dæmonen:" #. Type: string #. Description #: ../tomcat6.templates:2001 msgid "" "The tomcat6 server must use a dedicated group for its operation so that the " "system's security is not compromised by running it with superuser privileges." msgstr "" "tomcat6-dæmonen skal bruge en dedikeret gruppe for at fungere på en måde, der " "gør, at systemets sikkerhed ikke kompromitteres ved at køre den med " "superbrugerprivilegier." #. Type: string #. Description #: ../tomcat6.templates:3001 msgid "Please choose the tomcat6 JVM Java options:" msgstr "Vælg venligst indstillinger for tomcat6 JVM Java:" #. Type: string #. Description #: ../tomcat6.templates:3001 msgid "Tomcat's JVM will be launched with a specific set of Java options." msgstr "Tomcats JVM vil blive igangsat med et specifikt sæt af Javaindstillinger." #. Type: string #. 
Description #: ../tomcat6.templates:3001 msgid "" "Note that if you use -XX:+UseConcMarkSweepGC you should add the -XX:" "+CMSIncrementalMode option if you run Tomcat on a machine with exactly one " "CPU chip that contains one or two cores." msgstr "" "Bemærkt at hvis du bruger -XX:+UseConcMarkSweepGC, skal du tilføje tilvalget " "-XX:+CMSIncrementalMode, hvis du kører Tomcat på en maskine med præcis " "en CPU-chip, som indeholder en eller to kerner." debian/po/sv.po0000664000000000000000000000515012300245614010574 0ustar # Swedish translation of debconf messages for tomcat6. # Copyright © 2010 Martin Bagge # This file is distributed under the same license as the schroot package. # # Martin Bagge , 2010. # msgid "" msgstr "" "Project-Id-Version: Tomcat 6\n" "Report-Msgid-Bugs-To: tomcat6@packages.debian.org\n" "POT-Creation-Date: 2010-08-06 04:08+0200\n" "PO-Revision-Date: 2010-08-20 10:08+0100\n" "Last-Translator: Martin Bagge / brother \n" "Language-Team: Swedish \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=utf-8\n" "Content-Transfer-Encoding: 8bit\n" "X-Poedit-Language: Swedish\n" "X-Poedit-Country: Sweden\n" #. Type: string #. Description #: ../tomcat6.templates:1001 msgid "Dedicated system account for the tomcat6 daemon:" msgstr "Systemanvändare för tomcat6-tjänsten:" #. Type: string #. Description #: ../tomcat6.templates:1001 msgid "" "The tomcat6 server must use a dedicated account for its operation so that " "the system's security is not compromised by running it with superuser " "privileges." msgstr "" "Tomcat6-servern måste köra som en systemanvändare så att systemets säkerhet " "inte äventyras genom att köra tjänsten med superanvändarens rättigheter." #. Type: string #. Description #: ../tomcat6.templates:2001 msgid "Dedicated system group for the tomcat6 daemon:" msgstr "Systemgrupp för tomcat6-tjänsten:" #. Type: string #. 
Description #: ../tomcat6.templates:2001 msgid "" "The tomcat6 server must use a dedicated group for its operation so that the " "system's security is not compromised by running it with superuser privileges." msgstr "" "Tomcat6-servern måste köra ha en systemgrupp så att systemets säkerhet inte " "äventyras genom att köra tjänsten med superanvändarens rättigheter." #. Type: string #. Description #: ../tomcat6.templates:3001 msgid "Please choose the tomcat6 JVM Java options:" msgstr "Ange Java-flaggor för tomcat6 JVM:" #. Type: string #. Description #: ../tomcat6.templates:3001 msgid "Tomcat's JVM will be launched with a specific set of Java options." msgstr "" "Tomcats JVM kommer att startas med en särskild uppsättning Java-flaggor." #. Type: string #. Description #: ../tomcat6.templates:3001 msgid "" "Note that if you use -XX:+UseConcMarkSweepGC you should add the -XX:" "+CMSIncrementalMode option if you run Tomcat on a machine with exactly one " "CPU chip that contains one or two cores." msgstr "" "Om -XX:+UseConcMarkSweepGC används ska flaggan -XX:+CMSIncrementalMode " "användas om Tomcat körs på en maskin med endast en CPU med en eller två " "kärnor." debian/po/ko.po0000664000000000000000000000535712300245614010566 0ustar # Korean translation of tomcat6 debconf templates. # Copyright (C) 2011-2012 si-cheol Ko # This file is distributed under the same license as the tomcat6 package. # si-cheol Ko , 2011. # msgid "" msgstr "" "Project-Id-Version: OSCTP\n" "Report-Msgid-Bugs-To: tomcat6@packages.debian.org\n" "POT-Creation-Date: 2010-08-06 04:08+0200\n" "PO-Revision-Date: 2011-06-11 15:27+0900\n" "Last-Translator: si-cheol KO \n" "Language-Team: Korean \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "X-Poedit-Language: Korean\n" "X-Poedit-Country: KOREA, REPUBLIC OF\n" "X-Poedit-SourceCharset: utf-8\n" #. Type: string #. 
Description #: ../tomcat6.templates:1001 msgid "Dedicated system account for the tomcat6 daemon:" msgstr "톰캣6 데몬을 위한 전용 시스템 계정:" #. Type: string #. Description #: ../tomcat6.templates:1001 msgid "The tomcat6 server must use a dedicated account for its operation so that the system's security is not compromised by running it with superuser privileges." msgstr "서버의 동작을 위해 톰캣6 서버는 전용계정을 사용해야 합니다. 이렇게 하면 슈퍼 유저 권한으로 실행시키는 것보다 시스템 보안 측면에서 더 안전합니다." #. Type: string #. Description #: ../tomcat6.templates:2001 msgid "Dedicated system group for the tomcat6 daemon:" msgstr "톰캣6 데몬을 위한 전용 시스템 그룹:" #. Type: string #. Description #: ../tomcat6.templates:2001 msgid "The tomcat6 server must use a dedicated group for its operation so that the system's security is not compromised by running it with superuser privileges." msgstr "서버의 동작을 위해 톰캣6 서버는 전용그룹을 사용해야 합니다. 이렇게 하면 슈퍼 유저 권한으로 실행시키는 것보다 시스템 보안 측면에서 더 안전합니다." #. Type: string #. Description #: ../tomcat6.templates:3001 msgid "Please choose the tomcat6 JVM Java options:" msgstr "톰캣6 JVM 자바 옵션을 선택하세요:" #. Type: string #. Description #: ../tomcat6.templates:3001 msgid "Tomcat's JVM will be launched with a specific set of Java options." msgstr "톰캣의 JVM은 자바 옵션의 세부설정과 함께 실행될 것입니다." #. Type: string #. Description #: ../tomcat6.templates:3001 #, fuzzy msgid "Note that if you use -XX:+UseConcMarkSweepGC you should add the -XX:+CMSIncrementalMode option if you run Tomcat on a machine with exactly one CPU chip that contains one or two cores." msgstr "하나, 두개의 코어를 가진 CPU에서 톰캣의 -XX:+UseConcMarkSweepGC를 사용한다면, -XX:+CMSIncrementalMode옵션을 추가해야합니다." debian/po/sk.po0000664000000000000000000000514612300245614010566 0ustar # Slovak translation of tomcat6 debconf templates. # Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER # This file is distributed under the same license as the tomcat6 package. # Ivan Masár , 2012. 
# msgid "" msgstr "" "Project-Id-Version: tomcat6\n" "Report-Msgid-Bugs-To: tomcat6@packages.debian.org\n" "POT-Creation-Date: 2010-08-06 04:08+0200\n" "PO-Revision-Date: 2012-06-17 20:17+0100\n" "Last-Translator: Ivan Masár \n" "Language-Team: Slovak \n" "Language: sk\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" #. Type: string #. Description #: ../tomcat6.templates:1001 msgid "Dedicated system account for the tomcat6 daemon:" msgstr "Vyhradený systémový účet pre démona tomcat6:" #. Type: string #. Description #: ../tomcat6.templates:1001 msgid "The tomcat6 server must use a dedicated account for its operation so that the system's security is not compromised by running it with superuser privileges." msgstr "Server tomcat6 musí používať na svoju prevádzku vyhradený účet, aby nebola kompromitovaná bezpečnosť systému, keď sa spúšťa s oprávneniami superpoužívateľa." #. Type: string #. Description #: ../tomcat6.templates:2001 msgid "Dedicated system group for the tomcat6 daemon:" msgstr "Vyhradená systémová skupina pre démona tomcat6:" #. Type: string #. Description #: ../tomcat6.templates:2001 msgid "The tomcat6 server must use a dedicated group for its operation so that the system's security is not compromised by running it with superuser privileges." msgstr "Server tomcat6 musí používať na svoju prevádzku vyhradenú skupinu, aby nebola kompromitovaná bezpečnosť systému, keď sa spúšťa s oprávneniami superpoužívateľa." #. Type: string #. Description #: ../tomcat6.templates:3001 msgid "Please choose the tomcat6 JVM Java options:" msgstr "Prosím, vyberte voľby JVM Java tomcat6:" #. Type: string #. Description #: ../tomcat6.templates:3001 msgid "Tomcat's JVM will be launched with a specific set of Java options." msgstr "JVM Tomcatu bude spustený s určenou sadou volieb Javy." #. Type: string #. 
Description #: ../tomcat6.templates:3001 msgid "Note that if you use -XX:+UseConcMarkSweepGC you should add the -XX:+CMSIncrementalMode option if you run Tomcat on a machine with exactly one CPU chip that contains one or two cores." msgstr "Pamätajte, že ak použijete -XX:+UseConcMarkSweepGC, mali by ste pridať voľby -XX:+CMSIncrementalMode ak spúšťate Tomcat na počítači s práve jedným CPU, ktorý obsahuje jedno alebo dve jadrá." debian/po/pt_BR.po0000664000000000000000000000535512300245614011161 0ustar # Portuguese/Brazil translation of tomcat6. # Copyright (C) 2010 THE tomcat6'S COPYRIGHT HOLDER # This file is distributed under the same license as the tomcat6 package. # José de Figueiredo , 2010. # msgid "" msgstr "" "Project-Id-Version: tomcat6\n" "Report-Msgid-Bugs-To: tomcat6@packages.debian.org\n" "POT-Creation-Date: 2010-08-06 04:08+0200\n" "PO-Revision-Date: 2011-01-18 09:04-0200\n" "Last-Translator: José de Figueiredo \n" "Language-Team: Brazilian Portuguese \n" "Language: pt_BR\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "pt_BR utf-8\n" #. Type: string #. Description #: ../tomcat6.templates:1001 msgid "Dedicated system account for the tomcat6 daemon:" msgstr "Conta de sistema dedicada para o daemon tomcat6:" #. Type: string #. Description #: ../tomcat6.templates:1001 msgid "" "The tomcat6 server must use a dedicated account for its operation so that " "the system's security is not compromised by running it with superuser " "privileges." msgstr "" "O servidor tomcat6 deve usar uma conta dedicada para sua operação, desta " "forma a segurança do sistema não será comprometida por rodar com privilégios " "de superusuário." #. Type: string #. Description #: ../tomcat6.templates:2001 msgid "Dedicated system group for the tomcat6 daemon:" msgstr "Grupo de sistema dedicado para o daemon tomcat6:" #. Type: string #. 
Description #: ../tomcat6.templates:2001 msgid "" "The tomcat6 server must use a dedicated group for its operation so that the " "system's security is not compromised by running it with superuser privileges." msgstr "" "O servidor tomcat6 deve usar um grupo dedicado para sua operação, desta " "forma a segurança do sistema não será comprometida por rodar com privilégios " "de superusuário." #. Type: string #. Description #: ../tomcat6.templates:3001 msgid "Please choose the tomcat6 JVM Java options:" msgstr "Por favor, escolha as opções Java da JVM para o tomcat6:" #. Type: string #. Description #: ../tomcat6.templates:3001 msgid "Tomcat's JVM will be launched with a specific set of Java options." msgstr "" "A JVM para o tomcat6 iniciará com um conjunto específico de opções Java." #. Type: string #. Description #: ../tomcat6.templates:3001 msgid "" "Note that if you use -XX:+UseConcMarkSweepGC you should add the -XX:" "+CMSIncrementalMode option if you run Tomcat on a machine with exactly one " "CPU chip that contains one or two cores." msgstr "" "Note que se você usar -XX:+UseConcMarkSweepGC você deverá adicionar a opção -" "XX:+CMSIncrementalMode se você rodar o Tomcat em uma máquina com exatamente " "um chip CPU que contenha um ou dois núcleos." debian/po/fr.po0000664000000000000000000000536312300245614010561 0ustar # Translation of tomcat6 debconf screens to French # Copyright (C) 2010 Debian French l10n team # This file is distributed under the same license as the tomcat6 package. # Translator: # Steve Petruzzello # msgid "" msgstr "" "Project-Id-Version: tomcat6_6.0.28_4\n" "Report-Msgid-Bugs-To: tomcat6@packages.debian.org\n" "POT-Creation-Date: 2010-08-06 04:08+0200\n" "PO-Revision-Date: 2010-08-12 12:08+0200\n" "Last-Translator: Steve Petruzzello \n" "Language-Team: French \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=utf-8\n" "Content-Transfer-Encoding: 8bit\n" #. Type: string #. 
Description #: ../tomcat6.templates:1001 msgid "Dedicated system account for the tomcat6 daemon:" msgstr "Compte système dédié au démon tomcat6 :" #. Type: string #. Description #: ../tomcat6.templates:1001 msgid "" "The tomcat6 server must use a dedicated account for its operation so that " "the system's security is not compromised by running it with superuser " "privileges." msgstr "" "Le serveur tomcat6 nécessite un compte dédié pour fonctionner afin de ne pas " "compromettre la sécurité du système en s'exécutant avec les privilèges du " "superutilisateur." #. Type: string #. Description #: ../tomcat6.templates:2001 msgid "Dedicated system group for the tomcat6 daemon:" msgstr "Groupe système dédié au démon tomcat6 :" #. Type: string #. Description #: ../tomcat6.templates:2001 msgid "" "The tomcat6 server must use a dedicated group for its operation so that the " "system's security is not compromised by running it with superuser privileges." msgstr "" "Le serveur tomcat6 nécessite un groupe dédié pour fonctionner afin de ne pas " "compromettre la sécurité du système en s'exécutant avec les privilèges du " "superutilisateur." #. Type: string #. Description #: ../tomcat6.templates:3001 msgid "Please choose the tomcat6 JVM Java options:" msgstr "Options de la machine virtuelle Java pour tomcat6 :" #. Type: string #. Description #: ../tomcat6.templates:3001 msgid "Tomcat's JVM will be launched with a specific set of Java options." msgstr "" "La machine virtuelle Java (JVM) sera lancée avec un ensemble spécifique " "d'options Java. " #. Type: string #. Description #: ../tomcat6.templates:3001 msgid "" "Note that if you use -XX:+UseConcMarkSweepGC you should add the -XX:" "+CMSIncrementalMode option if you run Tomcat on a machine with exactly one " "CPU chip that contains one or two cores." 
msgstr "" "Veuillez noter que si l'option -XX:+UseConcMarkSweepGC est utilisée, " "l'option -XX:+CMSIncrementMode devrait être ajoutée si Tomcat s'exécute sur " "une machine avec exactement un processeur contenant un ou deux cœurs." debian/po/ca.po0000664000000000000000000000527312300245614010535 0ustar # tomcat6 po-debconf translation to Catalan # Copyright (C) 2010 Software in the Public Interest, SPI Inc. # This file is distributed under the same license as the tomcat6 package. # Innocent De Marchi , 2011. # msgid "" msgstr "" "Project-Id-Version: tomcat6_6.0.32-3\n" "Report-Msgid-Bugs-To: tomcat6@packages.debian.org\n" "POT-Creation-Date: 2010-08-06 04:08+0200\n" "PO-Revision-Date: 2011-06-01 18:21+0100\n" "Last-Translator: Innocent De Marchi \n" "Language-Team: Catalan \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=utf-8\n" "Content-Transfer-Encoding: 8bit\n" "X-Poedit-Language: Catalan\n" "X-Poedit-Country: Spain\n" #. Type: string #. Description #: ../tomcat6.templates:1001 msgid "Dedicated system account for the tomcat6 daemon:" msgstr "Compte del sistema dedicat al servei tomcat6:" #. Type: string #. Description #: ../tomcat6.templates:1001 msgid "The tomcat6 server must use a dedicated account for its operation so that the system's security is not compromised by running it with superuser privileges." msgstr "El servidor tomcat6 ha d'utilitzar un compte especial per al seu funcionament perquè la seguretat del sistema no es vegi compromesa en executar-ho amb privilegis de super-usuari." #. Type: string #. Description #: ../tomcat6.templates:2001 msgid "Dedicated system group for the tomcat6 daemon:" msgstr "Grup de sistema dedicat al servei tomcat6:" #. Type: string #. Description #: ../tomcat6.templates:2001 msgid "The tomcat6 server must use a dedicated group for its operation so that the system's security is not compromised by running it with superuser privileges." 
msgstr "El servidor tomcat6 ha d'utilitzar un grup especial per al seu funcionament perquè la seguretat del sistema no es vegi compromesa en executar-ho amb privilegis de super-usuari." #. Type: string #. Description #: ../tomcat6.templates:3001 msgid "Please choose the tomcat6 JVM Java options:" msgstr "Elegiu les opcions de la JVM Java de tomcat6:" #. Type: string #. Description #: ../tomcat6.templates:3001 msgid "Tomcat's JVM will be launched with a specific set of Java options." msgstr "La JVM de Tomcat pot executar-se amb un conjunt específic d'opcions de Java." #. Type: string #. Description #: ../tomcat6.templates:3001 msgid "Note that if you use -XX:+UseConcMarkSweepGC you should add the -XX:+CMSIncrementalMode option if you run Tomcat on a machine with exactly one CPU chip that contains one or two cores." msgstr "Teniu present que si feu servir «-XX:+UseConcMarkSweepGC» hauríeu d'afegir l'opció «-XX:+CMSIncrementalMode» si executau Tomcat en un equip amb (exactament) un xip UCP amb un o dos nuclis." debian/po/ru.po0000664000000000000000000000611312300245614010572 0ustar # Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER # This file is distributed under the same license as the tomcat6 package. # # Yuri Kozlov , 2010. msgid "" msgstr "" "Project-Id-Version: tomcat6 6.0.28-4\n" "Report-Msgid-Bugs-To: tomcat6@packages.debian.org\n" "POT-Creation-Date: 2010-08-06 04:08+0200\n" "PO-Revision-Date: 2010-08-11 19:27+0400\n" "Last-Translator: Yuri Kozlov \n" "Language-Team: Russian \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "X-Generator: Lokalize 1.0\n" "Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && " "n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n" #. Type: string #. Description #: ../tomcat6.templates:1001 msgid "Dedicated system account for the tomcat6 daemon:" msgstr "Отдельная системная учётная запись для службы tomcat6:" #. Type: string #. 
Description #: ../tomcat6.templates:1001 msgid "" "The tomcat6 server must use a dedicated account for its operation so that " "the system's security is not compromised by running it with superuser " "privileges." msgstr "" "Для того, чтобы не подвергать риску безопасность системы, " "сервер tomcat6 требуется запускать с правами отдельной " "системной учётной записи." #. Type: string #. Description #: ../tomcat6.templates:2001 msgid "Dedicated system group for the tomcat6 daemon:" msgstr "Отдельная системная группа для службы tomcat6:" #. Type: string #. Description #: ../tomcat6.templates:2001 msgid "" "The tomcat6 server must use a dedicated group for its operation so that the " "system's security is not compromised by running it with superuser privileges." msgstr "" "Для того, чтобы не подвергать риску безопасность системы, " "сервер tomcat6 требуется запускать с правами отдельной " "группы." #. Type: string #. Description #: ../tomcat6.templates:3001 msgid "Please choose the tomcat6 JVM Java options:" msgstr "Параметры Java для JVM tomcat6:" #. Type: string #. Description #: ../tomcat6.templates:3001 msgid "Tomcat's JVM will be launched with a specific set of Java options." msgstr "Tomcat JVM будет запущена с определённым набором параметров Java." #. Type: string #. Description #: ../tomcat6.templates:3001 msgid "" "Note that if you use -XX:+UseConcMarkSweepGC you should add the -XX:" "+CMSIncrementalMode option if you run Tomcat on a machine with exactly one " "CPU chip that contains one or two cores." msgstr "" "Заметим, что если вы используете -XX:+UseConcMarkSweepGC, то добавьте " "параметр -XX:+CMSIncrementalMode, если Tomcat работает на машине " "только с одним процессором, содержащим одно или два ядра." debian/po/pt.po0000664000000000000000000000540512300245614010572 0ustar # Translation of tomcat6's debconf messages do Portuguese # Copyright (C) 2010 the tomcat6's copyright holder # This file is distributed under the same license as the tomcat6 package. 
# # Américo Monteiro , 2010. msgid "" msgstr "" "Project-Id-Version: tomcat6 6.0.28-4\n" "Report-Msgid-Bugs-To: tomcat6@packages.debian.org\n" "POT-Creation-Date: 2010-08-06 04:08+0200\n" "PO-Revision-Date: 2010-08-11 12:23+0100\n" "Last-Translator: Américo Monteiro \n" "Language-Team: Portuguese \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "X-Generator: Lokalize 1.0\n" "Plural-Forms: nplurals=2; plural=(n != 1);\n" #. Type: string #. Description #: ../tomcat6.templates:1001 msgid "Dedicated system account for the tomcat6 daemon:" msgstr "Conta de sistema dedicada para o daemon do tomcat6:" #. Type: string #. Description #: ../tomcat6.templates:1001 msgid "" "The tomcat6 server must use a dedicated account for its operation so that " "the system's security is not compromised by running it with superuser " "privileges." msgstr "" "O servidor tomcat6 precisa de usar um conta dedicada para a sua operação " "para que a segurança do sistema não seja comprometida ao corrê-lo com " "privilégios de super utilizador." #. Type: string #. Description #: ../tomcat6.templates:2001 msgid "Dedicated system group for the tomcat6 daemon:" msgstr "Grupo de sistema dedicado para o daemon do tomcat6:" #. Type: string #. Description #: ../tomcat6.templates:2001 msgid "" "The tomcat6 server must use a dedicated group for its operation so that the " "system's security is not compromised by running it with superuser privileges." msgstr "" "O servidor tomcat6 precisa de usar um grupo dedicado para a sua operação " "para que a segurança do sistema não seja comprometida ao corrê-lo com " "privilégios de super utilizador." #. Type: string #. Description #: ../tomcat6.templates:3001 msgid "Please choose the tomcat6 JVM Java options:" msgstr "Por favor escolha as opções Java JVM do tomcat6:" #. Type: string #. Description #: ../tomcat6.templates:3001 msgid "Tomcat's JVM will be launched with a specific set of Java options." 
msgstr "" "O JVM do Tomcat será lançado com um conjunto específico de opções Java." #. Type: string #. Description #: ../tomcat6.templates:3001 msgid "" "Note that if you use -XX:+UseConcMarkSweepGC you should add the -XX:" "+CMSIncrementalMode option if you run Tomcat on a machine with exactly one " "CPU chip that contains one or two cores." msgstr "" "Note que se você usar -XX:+UseConcMarkSweepGC deverá adicionar a opção " "+CMSIncrementalMode se correr o Tomcat numa máquina com exactamente um chip " "CPU que contém um ou dois núcleos." debian/po/cs.po0000664000000000000000000000533112300245614010552 0ustar # Czech PO debconf template translation of tomcat6. # Copyright (C) 2010 Michal Simunek # This file is distributed under the same license as the tomcat6 package. # Michal Simunek , 2010. # msgid "" msgstr "" "Project-Id-Version: tomcat6 6.0.28-6\n" "Report-Msgid-Bugs-To: tomcat6@packages.debian.org\n" "POT-Creation-Date: 2010-08-06 04:08+0200\n" "PO-Revision-Date: 2010-09-23 18:01+0200\n" "Last-Translator: Michal Simunek \n" "Language-Team: Czech \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=utf-8\n" "Content-Transfer-Encoding: 8bit\n" #. Type: string #. Description #: ../tomcat6.templates:1001 msgid "Dedicated system account for the tomcat6 daemon:" msgstr "Vyhrazený systémový účet pro démona tomcat6:" #. Type: string #. Description #: ../tomcat6.templates:1001 msgid "" "The tomcat6 server must use a dedicated account for its operation so that " "the system's security is not compromised by running it with superuser " "privileges." msgstr "" "Server tomcat6 musí ke své činnosti používat vyhrazený účet, jen tak " "není ohrožena bezpečnost systému, jako v případě spouštění s právy " "superuživatele." #. Type: string #. Description #: ../tomcat6.templates:2001 msgid "Dedicated system group for the tomcat6 daemon:" msgstr "Vyhrazená systémová skupina uživatelů pro démona tomcat6:" #. Type: string #. 
Description #: ../tomcat6.templates:2001 msgid "" "The tomcat6 server must use a dedicated group for its operation so that the " "system's security is not compromised by running it with superuser privileges." msgstr "" "Server tomcat6 musí ke své činnosti používat vyhrazenou skupinu uživatelů, " "jen tak není ohrožena bezpečnost systému, jako v případě spouštění s právy " "superuživatele." #. Type: string #. Description #: ../tomcat6.templates:3001 msgid "Please choose the tomcat6 JVM Java options:" msgstr "Zadejte prosím volby Java pro tomcat6 JVM:" #. Type: string #. Description #: ../tomcat6.templates:3001 msgid "Tomcat's JVM will be launched with a specific set of Java options." msgstr "JVM pro Tomcat bude spuštěna se zadanou sadou voleb pro Javu." #. Type: string #. Description #: ../tomcat6.templates:3001 msgid "" "Note that if you use -XX:+UseConcMarkSweepGC you should add the -XX:" "+CMSIncrementalMode option if you run Tomcat on a machine with exactly one " "CPU chip that contains one or two cores." msgstr "" "Berte na vědomí, že pokud použijete -XX:+UseConcMarkSweepGC, musíte, v případě " "že spouštíte Tomcat na počítači s jedním CPU čipem, který obsahuje jedno či " "dvě jádra, připojit volbu -XX:+CMSIncrementalMode." debian/patches/0000775000000000000000000000000013361370577010633 5ustar debian/patches/CVE-2014-0119-1.patch0000664000000000000000000000716713357743031013410 0ustar From: markt Date: Thu Apr 24 08:54:26 2014 UTC (4 years, 5 months ago) Description: Avoid memory leak and add small optimisation to default Servlet This is part 1 of 3 of the fix for CVE-2014-0119 --- .../catalina/security/SecurityClassLoad.java | 13 +++++++++++++ .../apache/catalina/servlets/DefaultServlet.java | 15 ++++++++++----- webapps/docs/changelog.xml | 4 ++++ 3 files changed, 27 insertions(+), 5 deletions(-) diff --git a/java/org/apache/catalina/security/SecurityClassLoad.java b/java/org/apache/catalina/security/SecurityClassLoad.java index 014891b..11a8a66 100644 
--- a/java/org/apache/catalina/security/SecurityClassLoad.java +++ b/java/org/apache/catalina/security/SecurityClassLoad.java @@ -39,6 +39,7 @@ public final class SecurityClassLoad { loadCorePackage(loader); loadLoaderPackage(loader); + loadServletsPackage(loader); loadSessionPackage(loader); loadUtilPackage(loader); loadJavaxPackage(loader); @@ -81,6 +82,18 @@ public final class SecurityClassLoad { } + private static final void loadServletsPackage(ClassLoader loader) + throws Exception { + final String basePackage = "org.apache.catalina.servlets."; + // Avoid a possible memory leak in the DefaultServlet when running with + // a security manager. The DefaultServlet needs to load an XML parser + // when running under a security manager. We want this to be loaded by + // the container rather than a web application to prevent a memory leak + // via web application class loader. + loader.loadClass(basePackage + "DefaultServlet"); + } + + private final static void loadSessionPackage(ClassLoader loader) throws Exception { String basePackage = "org.apache.catalina."; diff --git a/java/org/apache/catalina/servlets/DefaultServlet.java b/java/org/apache/catalina/servlets/DefaultServlet.java index fc40047..3b951ab 100644 --- a/java/org/apache/catalina/servlets/DefaultServlet.java +++ b/java/org/apache/catalina/servlets/DefaultServlet.java @@ -123,8 +123,7 @@ public class DefaultServlet private static final DocumentBuilderFactory factory; - private static final SecureEntityResolver secureEntityResolver = - new SecureEntityResolver(); + private static final SecureEntityResolver secureEntityResolver; // ----------------------------------------------------- Instance Variables 
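Review bot: in the DefaultServlet.java field hunk, `secureEntityResolver` becomes a blank `private static final` field, and the static initializer in the following hunk assigns null to both it and `factory` when `Globals.IS_SECURITY_ENABLED` is false. Neither declaration says so, and no use site of either field appears in this part of the fix. Add a comment on both declarations stating that they are null unless a security manager is enabled, and confirm that every use is guarded by the same `Globals.IS_SECURITY_ENABLED` check.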
@@ -232,9 +231,15 @@ public class DefaultServlet urlEncoder.addSafeCharacter('*'); urlEncoder.addSafeCharacter('/'); - factory = DocumentBuilderFactory.newInstance(); - factory.setNamespaceAware(true); - factory.setValidating(false); + if (Globals.IS_SECURITY_ENABLED) { + factory = DocumentBuilderFactory.newInstance(); + factory.setNamespaceAware(true); + factory.setValidating(false); + secureEntityResolver = new SecureEntityResolver(); + } else { + factory = null; + secureEntityResolver = null; + } } diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 8681663..ffe677b 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -56,6 +56,10 @@ Prevent user supplied XSLTs used by the DefaultServlet from defining external entities. (markt) + + Only create XML parsing objects if required and fix associated potential + memory leak in the default Servlet. (markt) + -- 2.17.1 debian/patches/CVE-2016-0706.patch0000664000000000000000000000305413361171027013240 0ustar From: markt Date: Mon Jan 4 08:56:04 2016 UTC (2 years, 9 months ago) Description: Add the StatusManagerServlet to the list of Servlets that can only be loaded by privileged applications. This is the fix for CVE-2016-0706 --- java/org/apache/catalina/core/RestrictedServlets.properties | 1 + webapps/docs/changelog.xml | 4 ++++ 2 files changed, 5 insertions(+) diff --git a/java/org/apache/catalina/core/RestrictedServlets.properties b/java/org/apache/catalina/core/RestrictedServlets.properties index 17a6807..3fe2095 100644 --- a/java/org/apache/catalina/core/RestrictedServlets.properties +++ b/java/org/apache/catalina/core/RestrictedServlets.properties @@ -17,3 +17,4 @@ org.apache.catalina.ssi.SSIServlet=restricted org.apache.catalina.servlets.CGIServlet=restricted org.apache.catalina.servlets.InvokerServlet=restricted org.apache.catalina.manager.JMXProxyServlet=restricted +org.apache.catalina.manager.StatusManagerServlet=restricted 
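Review bot: the added `org.apache.catalina.manager.StatusManagerServlet=restricted` entry extends a hand-maintained list, and the diffstat shows only the properties file and the changelog, so nothing in this change checks that a non-privileged context is actually refused the servlet. A test that asserts the refusal would keep the entry from being lost in a later merge. The context lines show `JMXProxyServlet` as the only other `org.apache.catalina.manager` class listed, so it is worth confirming in the same change that no other servlet in that package needs an entry.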
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index d211f53..2503648 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -79,6 +79,10 @@ mapperDirectoryRedirectEnabled attributes of the Context which may be used to restore the previous behaviour. (markt) + + Add the StatusManagerServlet to the list of Servlets that + can only be loaded by privileged applications. (markt) + -- 2.17.1 debian/patches/CVE-2015-5345-2.patch0000664000000000000000000002113313361166224013403 0ustar From: markt Date: Mon Nov 30 09:35:25 2015 UTC (2 years, 10 months ago) Description: Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=58660 With mapperContextRootRedirectEnabled ste to false, the redirect needs to be handled elsewhere. - Ensure the Mapper does not add the '/' handling the redirect - Handle the redirect in the DefaultServlet - Add a redirect to FORM auth if auth is occurring at the context root else the login page could be submitted to the wrong web application This is part 2 of 2 of the fix for CVE-2015-5345 --- .../authenticator/FormAuthenticator.java | 14 ++++++++ .../catalina/servlets/DefaultServlet.java | 35 +++++++++++++------ .../catalina/servlets/WebdavServlet.java | 5 +++ .../tomcat/util/http/mapper/Mapper.java | 21 ++++++----- 4 files changed, 54 insertions(+), 21 deletions(-) diff --git a/java/org/apache/catalina/authenticator/FormAuthenticator.java b/java/org/apache/catalina/authenticator/FormAuthenticator.java index b42a81b..1ab97a4 100644 --- a/java/org/apache/catalina/authenticator/FormAuthenticator.java +++ b/java/org/apache/catalina/authenticator/FormAuthenticator.java 
@@ -232,6 +232,20 @@ public class FormAuthenticator // No -- Save this request and redirect to the form login page if (!loginAction) { + // If this request was to the root of the context without a trailing + // '/', need to redirect to add it else the submit of the login form + // may not go to the correct web application + if (request.getServletPath().length() == 0 && request.getPathInfo() == null) { + StringBuilder location = new StringBuilder(requestURI); + location.append('/'); + if (request.getQueryString() != null) { + location.append('?'); + location.append(request.getQueryString()); + } + response.sendRedirect(response.encodeRedirectURL(location.toString())); + return false; + } + session = request.getSessionInternal(true); if (log.isDebugEnabled()) log.debug("Save request in session '" + session.getIdInternal() + "'"); diff --git a/java/org/apache/catalina/servlets/DefaultServlet.java b/java/org/apache/catalina/servlets/DefaultServlet.java index 878f8e2..a648ee3 100644 --- a/java/org/apache/catalina/servlets/DefaultServlet.java +++ b/java/org/apache/catalina/servlets/DefaultServlet.java @@ -355,6 +355,10 @@ public class DefaultServlet * @param request The servlet request we are processing */ protected String getRelativePath(HttpServletRequest request) { + return getRelativePath(request, false); + } + + protected String getRelativePath(HttpServletRequest request, boolean allowEmptyPath) { // IMPORTANT: DefaultServlet can be mapped to '/' or '/path/*' but always // serves resources from the web app root with context rooted paths. // i.e. it can not be used to mount the web app root under a sub-path @@ -372,7 +376,7 @@ public class DefaultServlet result = (String) request.getAttribute( Globals.INCLUDE_SERVLET_PATH_ATTR) + result; } - if ((result == null) || (result.equals(""))) { + if ((result == null) || (result.equals("") && !allowEmptyPath)) { result = "/"; } return (result); 
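Review bot: with `allowEmptyPath` true, the changed condition `(result == null) || (result.equals("") && !allowEmptyPath)` lets `getRelativePath` return an empty string where this branch previously always returned at least "/". The only Javadoc visible sits above the one-argument form and does not mention that. Document the empty return value on the two-argument overload, so that subclasses overriding it and callers that go on to test `path.endsWith("/")` or pass the value to a resource lookup know they must handle "".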
@@ -385,7 +389,7 @@ public class DefaultServlet } else { result = request.getServletPath() + result; } - if ((result == null) || (result.equals(""))) { + if ((result == null) || (result.equals("") && !allowEmptyPath)) { result = "/"; } return (result); @@ -752,7 +756,8 @@ public class DefaultServlet throws IOException, ServletException { // Identify the requested resource path - String path = getRelativePath(request); + String path = getRelativePath(request, true); + if (debug > 0) { if (content) log("DefaultServlet.serveResource: Serving resource '" + @@ -762,6 +767,12 @@ public class DefaultServlet path + "' headers only"); } + if (path.length() == 0) { + // Context root redirect + doDirectoryRedirect(request, response); + return; + } + CacheEntry cacheEntry = resources.lookupCache(path); if (!cacheEntry.exists) { @@ -837,13 +848,7 @@ public class DefaultServlet if (cacheEntry.context != null) { if (!path.endsWith("/")) { - StringBuilder location = new StringBuilder(request.getRequestURI()); - location.append('/'); - if (request.getQueryString() != null) { - location.append('?'); - location.append(request.getQueryString()); - } - response.sendRedirect(response.encodeRedirectURL(location.toString())); + doDirectoryRedirect(request, response); return; } @@ -1028,6 +1033,16 @@ public class DefaultServlet } + private void doDirectoryRedirect(HttpServletRequest request, HttpServletResponse response) + throws IOException { + StringBuilder location = new StringBuilder(request.getRequestURI()); + location.append('/'); + if (request.getQueryString() != null) { + location.append('?'); + location.append(request.getQueryString()); + } + response.sendRedirect(response.encodeRedirectURL(location.toString())); + } /** * Parse the content-range header. diff --git a/java/org/apache/catalina/servlets/WebdavServlet.java b/java/org/apache/catalina/servlets/WebdavServlet.java index 1df8584..c8e479c 100644 --- a/java/org/apache/catalina/servlets/WebdavServlet.java 
+++ b/java/org/apache/catalina/servlets/WebdavServlet.java @@ -424,6 +424,11 @@ public class WebdavServlet * @param request The servlet request we are processing */ protected String getRelativePath(HttpServletRequest request) { + return getRelativePath(request, false); + } + + @Override + protected String getRelativePath(HttpServletRequest request, boolean allowEmptyPath) { // Are we being processed by a RequestDispatcher.include()? if (request.getAttribute(Globals.INCLUDE_REQUEST_URI_ATTR) != null) { String result = (String) request.getAttribute( diff --git a/java/org/apache/tomcat/util/http/mapper/Mapper.java b/java/org/apache/tomcat/util/http/mapper/Mapper.java index f08931c..8d4a7b9 100644 --- a/java/org/apache/tomcat/util/http/mapper/Mapper.java +++ b/java/org/apache/tomcat/util/http/mapper/Mapper.java @@ -698,20 +698,13 @@ public final class Mapper { int pathOffset = path.getOffset(); int pathEnd = path.getEnd(); - int servletPath = pathOffset; boolean noServletPath = false; int length = context.name.length(); - if (length != (pathEnd - pathOffset)) { - servletPath = pathOffset + length; - } else { + if (length == (pathEnd - pathOffset)) { noServletPath = true; - path.append('/'); - pathOffset = path.getOffset(); - pathEnd = path.getEnd(); - servletPath = pathOffset+length; } - + int servletPath = pathOffset + length; path.setOffset(servletPath); // Rule 1 -- Exact Match @@ -749,8 +742,10 @@ public final class Mapper { if(mappingData.wrapper == null && noServletPath && context.mapperContextRootRedirectEnabled) { // The path is empty, redirect to "/" + path.append('/'); + pathEnd = path.getEnd(); mappingData.redirectPath.setChars - (path.getBuffer(), pathOffset, pathEnd-pathOffset); + (path.getBuffer(), pathOffset, pathEnd - pathOffset); path.setEnd(pathEnd - 1); return; } 
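Review bot: in the context-root redirect branch of Mapper, only `pathEnd` is refreshed after `path.append('/')`, whereas the code removed in the previous hunk also re-read `pathOffset = path.getOffset()` after its append. The call `mappingData.redirectPath.setChars(path.getBuffer(), pathOffset, pathEnd - pathOffset)` therefore uses an offset captured before the append and before `path.setOffset(servletPath)`. Please confirm that append cannot move the existing characters inside the buffer, and add a comment saying why the saved offset is still valid, since re-reading path.getOffset() at this point would now return servletPath rather than the start of the context path.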
@@ -840,7 +835,11 @@ public final class Mapper { Object file = null; String pathStr = path.toString(); try { - file = context.resources.lookup(pathStr); + if (pathStr.length() == 0) { + file = context.resources.lookup("/"); + } else { + file = context.resources.lookup(pathStr); + } } catch(NamingException nex) { // Swallow, since someone else handles the 404 } -- 2.17.1 debian/patches/CVE-2015-5351-1.patch0000664000000000000000000000367013361170263013403 0ustar From: markt Date: Thu Dec 17 21:19:38 2015 UTC (2 years, 9 months ago) Description: Don't create sessions unnecessarily in the Manager application. This is part 1 of 2 of the fix for CVE-2015-5351 --- webapps/docs/changelog.xml | 3 +++ webapps/manager/WEB-INF/jsp/401.jsp | 3 ++- webapps/manager/WEB-INF/jsp/403.jsp | 1 + 3 files changed, 6 insertions(+), 1 deletion(-) diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 3edd1a1..c4658ab 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -145,6 +145,9 @@ unpacking utilities can't handle multiple copies of a file with the same name in a directory. (kkolinko) + + Don't create sessions unnecessarily in the Manager application. (markt) + diff --git a/webapps/manager/WEB-INF/jsp/401.jsp b/webapps/manager/WEB-INF/jsp/401.jsp index ff9aefa..482ec75 100644 --- a/webapps/manager/WEB-INF/jsp/401.jsp +++ b/webapps/manager/WEB-INF/jsp/401.jsp @@ -14,6 +14,7 @@ See the License for the specific language governing permissions and limitations under the License. --%> +<%@ page session="false" trimDirectiveWhitespaces="true" %> @@ -78,4 +79,4 @@

- \ No newline at end of file + diff --git a/webapps/manager/WEB-INF/jsp/403.jsp b/webapps/manager/WEB-INF/jsp/403.jsp index ebd81de..3f4da77 100644 --- a/webapps/manager/WEB-INF/jsp/403.jsp +++ b/webapps/manager/WEB-INF/jsp/403.jsp @@ -14,6 +14,7 @@ See the License for the specific language governing permissions and limitations under the License. --%> +<%@ page session="false" trimDirectiveWhitespaces="true" %> -- 2.17.1 debian/patches/0001-set-UTF-8-as-default-character-encoding.patch0000664000000000000000000000112512300245614021347 0ustar From: Thomas Koch Date: Mon, 28 Jun 2010 21:32:15 +0200 Subject: [PATCH] set UTF-8 as default character encoding --- conf/server.xml | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/conf/server.xml b/conf/server.xml index 30673f6..03894e7 100644 --- a/conf/server.xml +++ b/conf/server.xml @@ -68,6 +68,7 @@ --> + -- debian/patches/0004-split-deploy-webapps-target-from-deploy-target.patch0000664000000000000000000000240412300245614023305 0ustar From: Debian Java Maintainers Date: Mon, 28 Jun 2010 21:32:35 +0200 Subject: [PATCH] split deploy-webapps target from deploy target --- build.xml | 13 ++++++++----- 1 files changed, 8 insertions(+), 5 deletions(-) --- a/build.xml +++ b/build.xml @@ -491,7 +491,7 @@ building a tomcat release. - + @@ -528,6 +528,13 @@ + + + + + + + @@ -652,10 +659,6 @@ - - - * Added wrapping for Throwables to avoid ClassCastException: see Bugzilla * 31171 for details. - * + * * @return The Exception associated with this page context, if any. */ public Exception getException() { @@ -872,7 +872,7 @@ public class PageContextImpl extends PageContext { * go away once the EL interpreter moves out of JSTL and into its own * project. For now, this is necessary because the standard machinery is too * slow. - * + * * @param expression * The expression to be evaluated * @param expectedType 
@@ -884,39 +884,14 @@ public class PageContextImpl extends PageContext { * @return The result of the evaluation */ public static Object proprietaryEvaluate(final String expression, - final Class expectedType, final PageContext pageContext, + final Class expectedType, final PageContext pageContext, final ProtectedFunctionMapper functionMap, final boolean escape) throws ELException { - Object retValue; final ExpressionFactory exprFactory = jspf.getJspApplicationContext(pageContext.getServletContext()).getExpressionFactory(); - if (SecurityUtil.isPackageProtectionEnabled()) { - try { - retValue = AccessController - .doPrivileged(new PrivilegedExceptionAction() { - - public Object run() throws Exception { - ELContextImpl ctx = (ELContextImpl) pageContext.getELContext(); - ctx.setFunctionMapper(new FunctionMapperImpl(functionMap)); - ValueExpression ve = exprFactory.createValueExpression(ctx, expression, expectedType); - return ve.getValue(ctx); - } - }); - } catch (PrivilegedActionException ex) { - Exception realEx = ex.getException(); - if (realEx instanceof ELException) { - throw (ELException) realEx; - } else { - throw new ELException(realEx); - } - } - } else { - ELContextImpl ctx = (ELContextImpl) pageContext.getELContext(); - ctx.setFunctionMapper(new FunctionMapperImpl(functionMap)); - ValueExpression ve = exprFactory.createValueExpression(ctx, expression, expectedType); - retValue = ve.getValue(ctx); - } - - return retValue; + ELContextImpl ctx = (ELContextImpl) pageContext.getELContext(); + ctx.setFunctionMapper(new FunctionMapperImpl(functionMap)); + ValueExpression ve = exprFactory.createValueExpression(ctx, expression, expectedType); + return ve.getValue(ctx); } public ELContext getELContext() { diff --git a/java/org/apache/jasper/security/SecurityClassLoad.java b/java/org/apache/jasper/security/SecurityClassLoad.java index a021fab..80850ea 100644 --- a/java/org/apache/jasper/security/SecurityClassLoad.java 
+++ b/java/org/apache/jasper/security/SecurityClassLoad.java @@ -93,8 +93,6 @@ public final class SecurityClassLoad { "runtime.PageContextImpl$11"); loader.loadClass( basePackage + "runtime.PageContextImpl$12"); - loader.loadClass( basePackage + - "runtime.PageContextImpl$13"); loader.loadClass( basePackage + "runtime.JspContextWrapper"); -- 2.17.1 debian/patches/CVE-2015-5345-1.patch0000664000000000000000000004635113361166074013416 0ustar From: markt Date: Thu Nov 19 17:06:54 2015 UTC (2 years, 10 months ago) Description: Move the functionality that provides redirects for context roots and directories where a trailing / is added from the Mapper to the DefaultServlet. This enables such requests to be processed by any configured Valves and Filters before the redirect is made. This behaviour is configurable via the mapperContextRootRedirectEnabled and mapperDirectoryRedirectEnabled attributes of the Context which may be used to restore the previous behaviour. This is part 1 of 2 of the fix for CVE-2015-5345 --- java/org/apache/catalina/Context.java | 41 ++++- .../catalina/connector/MapperListener.java | 9 +- .../apache/catalina/core/StandardContext.java | 34 ++++ .../catalina/core/mbeans-descriptors.xml | 8 + .../catalina/servlets/DefaultServlet.java | 11 ++ .../tomcat/util/http/mapper/Mapper.java | 150 ++++-------------- webapps/docs/changelog.xml | 10 ++ webapps/docs/config/context.xml | 16 ++ 8 files changed, 153 insertions(+), 126 deletions(-) diff --git a/java/org/apache/catalina/Context.java b/java/org/apache/catalina/Context.java index eb61f21..812f26d 100644 --- a/java/org/apache/catalina/Context.java +++ b/java/org/apache/catalina/Context.java 
@@ -1192,5 +1192,44 @@ public interface Context extends Container { * @param listener Class name of a ContainerListener class to be removed */ public void removeWrapperListener(String listener); -} + /** + * If enabled, requests for a web application context root will be + * redirected (adding a trailing slash) by the Mapper. This is more + * efficient but has the side effect of confirming that the context path is + * valid. + * + * @param mapperContextRootRedirectEnabled Should the redirects be enabled? + */ + public void setMapperContextRootRedirectEnabled(boolean mapperContextRootRedirectEnabled); + + /** + * Determines if requests for a web application context root will be + * redirected (adding a trailing slash) by the Mapper. This is more + * efficient but has the side effect of confirming that the context path is + * valid. + * + * @return {@code true} if the Mapper level redirect is enabled for this + * Context. + */ + public boolean getMapperContextRootRedirectEnabled(); + + /** + * If enabled, requests for a directory will be redirected (adding a + * trailing slash) by the Mapper. This is more efficient but has the + * side effect of confirming that the directory is valid. + * + * @param mapperDirectoryRedirectEnabled Should the redirects be enabled? + */ + public void setMapperDirectoryRedirectEnabled(boolean mapperDirectoryRedirectEnabled); + + /** + * Determines if requests for a directory will be redirected (adding a + * trailing slash) by the Mapper. This is more efficient but has the + * side effect of confirming that the directory is valid. + * + * @return {@code true} if the Mapper level redirect is enabled for this + * Context. + */ + public boolean getMapperDirectoryRedirectEnabled(); +} diff --git a/java/org/apache/catalina/connector/MapperListener.java b/java/org/apache/catalina/connector/MapperListener.java index 593a054..850bb86 100644 --- a/java/org/apache/catalina/connector/MapperListener.java 
+++ b/java/org/apache/catalina/connector/MapperListener.java @@ -28,6 +28,7 @@ import javax.management.ObjectName; import org.apache.catalina.ContainerEvent; import org.apache.catalina.ContainerListener; +import org.apache.catalina.Context; import org.apache.catalina.Host; import org.apache.catalina.core.StandardContext; import org.apache.juli.logging.Log; @@ -415,8 +416,7 @@ public class MapperListener log.debug(sm.getString ("mapperListener.registerContext", contextName)); - Object context = - mBeanServer.invoke(objectName, "findMappingObject", null, null); + Context context = (Context) mBeanServer.invoke(objectName, "findMappingObject", null, null); //mBeanServer.getAttribute(objectName, "mappingObject"); javax.naming.Context resources = (javax.naming.Context) mBeanServer.invoke(objectName, "findStaticResources", null, null); @@ -424,8 +424,9 @@ public class MapperListener String[] welcomeFiles = (String[]) mBeanServer.getAttribute(objectName, "welcomeFiles"); - mapper.addContext(hostName, contextName, context, - welcomeFiles, resources); + mapper.addContext(hostName, contextName, context, welcomeFiles, resources, + context.getMapperContextRootRedirectEnabled(), + context.getMapperDirectoryRedirectEnabled()); } diff --git a/java/org/apache/catalina/core/StandardContext.java b/java/org/apache/catalina/core/StandardContext.java index e59fbf0..29caed5 100644 --- a/java/org/apache/catalina/core/StandardContext.java +++ b/java/org/apache/catalina/core/StandardContext.java @@ -779,9 +779,43 @@ public class StandardContext */ private boolean clearReferencesThreadLocals = false; + boolean mapperContextRootRedirectEnabled = true; + + boolean mapperDirectoryRedirectEnabled = false; + + // ----------------------------------------------------- Context Properties + + public void setMapperContextRootRedirectEnabled(boolean mapperContextRootRedirectEnabled) { + this.mapperContextRootRedirectEnabled = mapperContextRootRedirectEnabled; + } + + + /** + * {@inheritDoc} + *

+ * The default value for this implementation is {@code false}. + */ + public boolean getMapperContextRootRedirectEnabled() { + return mapperContextRootRedirectEnabled; + } + + + public void setMapperDirectoryRedirectEnabled(boolean mapperDirectoryRedirectEnabled) { + this.mapperDirectoryRedirectEnabled = mapperDirectoryRedirectEnabled; + } + + /** + * {@inheritDoc} + *

+ * The default value for this implementation is {@code false}. + */ + public boolean getMapperDirectoryRedirectEnabled() { + return mapperDirectoryRedirectEnabled; + } + public AnnotationProcessor getAnnotationProcessor() { return annotationProcessor; } diff --git a/java/org/apache/catalina/core/mbeans-descriptors.xml b/java/org/apache/catalina/core/mbeans-descriptors.xml index ee8103f..5797c9b 100644 --- a/java/org/apache/catalina/core/mbeans-descriptors.xml +++ b/java/org/apache/catalina/core/mbeans-descriptors.xml @@ -177,6 +177,14 @@ description="The object used for mapping" type="java.lang.Object"/> + + + + diff --git a/java/org/apache/catalina/servlets/DefaultServlet.java b/java/org/apache/catalina/servlets/DefaultServlet.java index 1f8d2b6..878f8e2 100644 --- a/java/org/apache/catalina/servlets/DefaultServlet.java +++ b/java/org/apache/catalina/servlets/DefaultServlet.java @@ -836,6 +836,17 @@ public class DefaultServlet if (cacheEntry.context != null) { + if (!path.endsWith("/")) { + StringBuilder location = new StringBuilder(request.getRequestURI()); + location.append('/'); + if (request.getQueryString() != null) { + location.append('?'); + location.append(request.getQueryString()); + } + response.sendRedirect(response.encodeRedirectURL(location.toString())); + return; + } + // Skip directory listings if we have been configured to // suppress them if (!listings) { diff --git a/java/org/apache/tomcat/util/http/mapper/Mapper.java b/java/org/apache/tomcat/util/http/mapper/Mapper.java index 9c3b660..f08931c 100644 --- a/java/org/apache/tomcat/util/http/mapper/Mapper.java +++ b/java/org/apache/tomcat/util/http/mapper/Mapper.java 
@@ -208,11 +208,29 @@ public final class Mapper { * @param context Context object * @param welcomeResources Welcome files defined for this context * @param resources Static resources of the context + * @deprecated Use {@link #addContext(String, String, Object, String[], + * javax.naming.Context, boolean, boolean)} */ - public void addContext - (String hostName, String path, Object context, - String[] welcomeResources, javax.naming.Context resources) { + @Deprecated + public void addContext(String hostName, String path, Object context, + String[] welcomeResources, javax.naming.Context resources) { + addContext(hostName, path, context, welcomeResources, resources, false, false); + } + /** + * Add a new Context to an existing Host. + * + * @param hostName Virtual host name this context belongs to + * @param path Context path + * @param context Context object + * @param welcomeResources Welcome files defined for this context + * @param resources Static resources of the context + * @param mapperContextRootRedirectEnabled Mapper does context root redirects + * @param mapperDirectoryRedirectEnabled Mapper does directory redirects + */ + public void addContext(String hostName, String path, Object context, String[] welcomeResources, + javax.naming.Context resources, boolean mapperContextRootRedirectEnabled, + boolean mapperDirectoryRedirectEnabled) { Host[] hosts = this.hosts; int pos = find(hosts, hostName); if( pos <0 ) { @@ -241,9 +259,10 @@ public final class Mapper { if (insertMap(contexts, newContexts, newContext)) { host.contextList.contexts = newContexts; } + newContext.mapperContextRootRedirectEnabled = mapperContextRootRedirectEnabled; + newContext.mapperDirectoryRedirectEnabled = mapperDirectoryRedirectEnabled; } } - } 
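Review bot: in the new seven-argument addContext the two flags are assigned to `newContext` after `host.contextList.contexts = newContexts` has already published it, so a request mapped concurrently can observe both fields at their declared default instead of the configured values. Set `newContext.mapperContextRootRedirectEnabled` and `newContext.mapperDirectoryRedirectEnabled` before the `insertMap` call, alongside the other newContext initialisation, so the object is fully configured before it becomes reachable.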
@@ -727,7 +746,8 @@ public final class Mapper { } } - if(mappingData.wrapper == null && noServletPath) { + if(mappingData.wrapper == null && noServletPath && + context.mapperContextRootRedirectEnabled) { // The path is empty, redirect to "/" mappingData.redirectPath.setChars (path.getBuffer(), pathOffset, pathEnd-pathOffset); @@ -824,7 +844,8 @@ public final class Mapper { } catch(NamingException nex) { // Swallow, since someone else handles the 404 } - if (file != null && file instanceof DirContext) { + if (file != null && file instanceof DirContext && + context.mapperDirectoryRedirectEnabled) { // Note: this mutates the path: do not do any processing // after this (since we set the redirectPath, there // shouldn't be any) @@ -841,7 +862,6 @@ public final class Mapper { path.setOffset(pathOffset); path.setEnd(pathEnd); - } @@ -1309,7 +1329,8 @@ public final class Mapper { public Wrapper[] wildcardWrappers = new Wrapper[0]; public Wrapper[] extensionWrappers = new Wrapper[0]; public int nesting = 0; - + public boolean mapperContextRootRedirectEnabled = false; + public boolean mapperDirectoryRedirectEnabled = false; } 
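Review bot: the default for mapperContextRootRedirectEnabled is stated three different ways across this patch. Mapper.Context declares it `false` in this hunk and the deprecated five-argument addContext passes `false, false`; StandardContext initialises the field to `true` while its Javadoc for getMapperContextRootRedirectEnabled reads "The default value for this implementation is {@code false}"; the context.xml documentation says true. Correct the StandardContext Javadoc to match the initialiser, and state in the @deprecated note on the old addContext that it turns both Mapper-level redirects off, so callers that still use it know the redirect moves to the DefaultServlet.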
@@ -1322,117 +1343,4 @@ public final class Mapper { public String path = null; public boolean jspWildCard = false; } - - - // -------------------------------------------------------- Testing Methods - - // FIXME: Externalize this - /* - public static void main(String args[]) { - - try { - - Mapper mapper = new Mapper(); - System.out.println("Start"); - - mapper.addHost("sjbjdvwsbvhrb", new String[0], "blah1"); - mapper.addHost("sjbjdvwsbvhr/", new String[0], "blah1"); - mapper.addHost("wekhfewuifweuibf", new String[0], "blah2"); - mapper.addHost("ylwrehirkuewh", new String[0], "blah3"); - mapper.addHost("iohgeoihro", new String[0], "blah4"); - mapper.addHost("fwehoihoihwfeo", new String[0], "blah5"); - mapper.addHost("owefojiwefoi", new String[0], "blah6"); - mapper.addHost("iowejoiejfoiew", new String[0], "blah7"); - mapper.addHost("iowejoiejfoiew", new String[0], "blah17"); - mapper.addHost("ohewoihfewoih", new String[0], "blah8"); - mapper.addHost("fewohfoweoih", new String[0], "blah9"); - mapper.addHost("ttthtiuhwoih", new String[0], "blah10"); - mapper.addHost("lkwefjwojweffewoih", new String[0], "blah11"); - mapper.addHost("zzzuyopjvewpovewjhfewoih", new String[0], "blah12"); - mapper.addHost("xxxxgqwiwoih", new String[0], "blah13"); - mapper.addHost("qwigqwiwoih", new String[0], "blah14"); - - System.out.println("Map:"); - for (int i = 0; i < mapper.hosts.length; i++) { - System.out.println(mapper.hosts[i].name); - } - - mapper.setDefaultHostName("ylwrehirkuewh"); - - String[] welcomes = new String[2]; - welcomes[0] = "boo/baba"; - welcomes[1] = "bobou"; - - mapper.addContext("iowejoiejfoiew", "", "context0", new String[0], null); - mapper.addContext("iowejoiejfoiew", "/foo", "context1", new String[0], null); - mapper.addContext("iowejoiejfoiew", "/foo/bar", "context2", welcomes, null); - mapper.addContext("iowejoiejfoiew", "/foo/bar/bla", "context3", new String[0], null); - - mapper.addWrapper("iowejoiejfoiew", "/foo/bar", "/fo/*", "wrapper0"); - 
mapper.addWrapper("iowejoiejfoiew", "/foo/bar", "/", "wrapper1"); - mapper.addWrapper("iowejoiejfoiew", "/foo/bar", "/blh", "wrapper2"); - mapper.addWrapper("iowejoiejfoiew", "/foo/bar", "*.jsp", "wrapper3"); - mapper.addWrapper("iowejoiejfoiew", "/foo/bar", "/blah/bou/*", "wrapper4"); - mapper.addWrapper("iowejoiejfoiew", "/foo/bar", "/blah/bobou/*", "wrapper5"); - mapper.addWrapper("iowejoiejfoiew", "/foo/bar", "*.htm", "wrapper6"); - - MappingData mappingData = new MappingData(); - MessageBytes host = MessageBytes.newInstance(); - host.setString("iowejoiejfoiew"); - MessageBytes uri = MessageBytes.newInstance(); - uri.setString("/foo/bar/blah/bobou/foo"); - uri.toChars(); - uri.getCharChunk().setLimit(-1); - - mapper.map(host, uri, mappingData); - System.out.println("MD Host:" + mappingData.host); - System.out.println("MD Context:" + mappingData.context); - System.out.println("MD Wrapper:" + mappingData.wrapper); - - System.out.println("contextPath:" + mappingData.contextPath); - System.out.println("wrapperPath:" + mappingData.wrapperPath); - System.out.println("pathInfo:" + mappingData.pathInfo); - System.out.println("redirectPath:" + mappingData.redirectPath); - - mappingData.recycle(); - mapper.map(host, uri, mappingData); - System.out.println("MD Host:" + mappingData.host); - System.out.println("MD Context:" + mappingData.context); - System.out.println("MD Wrapper:" + mappingData.wrapper); - - System.out.println("contextPath:" + mappingData.contextPath); - System.out.println("wrapperPath:" + mappingData.wrapperPath); - System.out.println("pathInfo:" + mappingData.pathInfo); - System.out.println("redirectPath:" + mappingData.redirectPath); - - for (int i = 0; i < 1000000; i++) { - mappingData.recycle(); - mapper.map(host, uri, mappingData); - } - - long time = System.currentTimeMillis(); - for (int i = 0; i < 1000000; i++) { - mappingData.recycle(); - mapper.map(host, uri, mappingData); - } - System.out.println("Elapsed:" + (System.currentTimeMillis() - 
time)); - - System.out.println("MD Host:" + mappingData.host); - System.out.println("MD Context:" + mappingData.context); - System.out.println("MD Wrapper:" + mappingData.wrapper); - - System.out.println("contextPath:" + mappingData.contextPath); - System.out.println("wrapperPath:" + mappingData.wrapperPath); - System.out.println("requestPath:" + mappingData.requestPath); - System.out.println("pathInfo:" + mappingData.pathInfo); - System.out.println("redirectPath:" + mappingData.redirectPath); - - } catch (Exception e) { - e.printStackTrace(); - } - - } - */ - - } diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 5bd0a91..3edd1a1 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -69,6 +69,16 @@ additional locations where, theoretically, a memory leak could occur. (markt) + + Move the functionality that provides redirects for context roots and + directories where a trailing / is added from the Mapper to + the DefaultServlet. This enables such requests to be + processed by any configured Valves and Filters before the redirect is + made. This behaviour is configurable via the + mapperContextRootRedirectEnabled and + mapperDirectoryRedirectEnabled attributes of the Context + which may be used to restore the previous behaviour. (markt) + diff --git a/webapps/docs/config/context.xml b/webapps/docs/config/context.xml index 4fc83ea..6b62dde 100644 --- a/webapps/docs/config/context.xml +++ b/webapps/docs/config/context.xml @@ -285,6 +285,22 @@ class loaders.

+ +

If enabled, requests for a web application context root will be + redirected (adding a trailing slash) if necessary by the Mapper rather + than the default Servlet. This is more efficient but has the side effect + of confirming that the context path exists. If not specified, the + default value of true is used.

+
+ + +

If enabled, requests for a web application directory will be + redirected (adding a trailing slash) if necessary by the Mapper rather + than the default Servlet. This is more efficient but has the side effect + of confirming that the directory is exists. If not specified, the + default value of false is used.

+
+

The context path of this web application, which is matched against the beginning of each request URI to select the -- 2.17.1 debian/patches/CVE-2014-0227.patch0000664000000000000000000003566313361135212013243 0ustar From: markt Date: Wed Jun 18 20:55:20 2014 UTC (4 years, 3 months ago) Description: Improvements to ChunkedInputFilter - Clean-up - i18n for ChunkedInputFilter error message - Add error flag to allow subsequent attempts at reading after an error to fail fast This is the fix for CVE-2014-0227 --- .../http11/filters/ChunkedInputFilter.java | 123 ++++++++++-------- .../http11/filters/LocalStrings.properties | 25 ++++ webapps/docs/changelog.xml | 5 + 3 files changed, 102 insertions(+), 51 deletions(-) create mode 100644 java/org/apache/coyote/http11/filters/LocalStrings.properties diff --git a/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java b/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java index 6044404..dc31897 100644 --- a/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java +++ b/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java @@ -29,6 +29,7 @@ import org.apache.coyote.http11.Constants; import org.apache.coyote.http11.InputFilter; import org.apache.tomcat.util.buf.MessageBytes; import org.apache.tomcat.util.http.MimeHeaders; +import org.apache.tomcat.util.res.StringManager; /** * Chunked input filter. Parses chunked data according to @@ -39,9 +40,11 @@ import org.apache.tomcat.util.http.MimeHeaders; */ public class ChunkedInputFilter implements InputFilter { + private static final StringManager sm = StringManager.getManager( + ChunkedInputFilter.class.getPackage().getName()); - // -------------------------------------------------------------- Constants + // -------------------------------------------------------------- Constants protected static final String ENCODING_NAME = "chunked"; protected static final ByteChunk ENCODING = new ByteChunk(); 
@@ -49,7 +52,6 @@ public class ChunkedInputFilter implements InputFilter { // ----------------------------------------------------- Static Initializer - static { ENCODING.setBytes(ENCODING_NAME.getBytes(), 0, ENCODING_NAME.length()); } @@ -57,7 +59,6 @@ public class ChunkedInputFilter implements InputFilter { // ----------------------------------------------------- Instance Variables - /** * Next buffer in the pipeline. */ @@ -119,6 +120,11 @@ public class ChunkedInputFilter implements InputFilter { private long extensionSize; + /** + * Flag that indicates if an error has occurred. + */ + private boolean error; + /** * Flag set to true if the next call to doRead() must parse a CRLF pair * before doing anything else. @@ -130,13 +136,10 @@ public class ChunkedInputFilter implements InputFilter { * Request being parsed. */ private Request request; - - // ------------------------------------------------------------- Properties // ---------------------------------------------------- InputBuffer Methods - /** * Read bytes. * @@ -146,11 +149,12 @@ public class ChunkedInputFilter implements InputFilter { * whichever is greater. If the filter does not do request body length * control, the returned value should be -1. */ - public int doRead(ByteChunk chunk, Request req) - throws IOException { - - if (endChunk) + public int doRead(ByteChunk chunk, Request req) throws IOException { + if (endChunk) { return -1; + } + + checkError(); if(needCRLFParse) { needCRLFParse = false; @@ -159,7 +163,7 @@ public class ChunkedInputFilter implements InputFilter { if (remaining <= 0) { if (!parseChunkHeader()) { - throw new IOException("Invalid chunk header"); + throwIOException(sm.getString("chunkedInputFilter.invalidHeader")); } if (endChunk) { parseEndChunk(); 
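Review bot: the fail-fast check does not cover a failure inside `parseEndChunk()` as called in this hunk. By the time it runs, endChunk is already true, and a trailer error raised through throwEOFException or throwIOException sets `error`; on the next call doRead returns -1 from the `if (endChunk)` test before it reaches `checkError()`, so the body reads as cleanly finished, and end(), which loops on doRead, returns normally as well. Move `checkError()` ahead of the endChunk test in doRead, or clear endChunk when the trailer parse fails, so that a request with broken trailers keeps failing on every later read.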
@@ -171,8 +175,7 @@ public class ChunkedInputFilter implements InputFilter { if (pos >= lastValid) { if (readBytes() < 0) { - throw new IOException( - "Unexpected end of stream whilst reading request body"); + throwIOException(sm.getString("chunkedInputFilter.eos")); } } @@ -197,13 +200,11 @@ public class ChunkedInputFilter implements InputFilter { } return result; - } // ---------------------------------------------------- InputFilter Methods - /** * Read the content length from the request. */ @@ -215,16 +216,13 @@ public class ChunkedInputFilter implements InputFilter { /** * End the current request. */ - public long end() - throws IOException { - + public long end() throws IOException { // Consume extra bytes : parse the stream until the end chunk is found while (doRead(readChunk, null) >= 0) { } // Return the number of extra bytes which were consumed - return (lastValid - pos); - + return lastValid - pos; } @@ -232,7 +230,7 @@ public class ChunkedInputFilter implements InputFilter { * Amount of bytes still available in a buffer. */ public int available() { - return (lastValid - pos); + return lastValid - pos; } @@ -258,6 +256,7 @@ public class ChunkedInputFilter implements InputFilter { trailingHeaders.setLimit(org.apache.coyote.Constants.MAX_TRAILER_SIZE); } extensionSize = 0; + error = false; } @@ -276,8 +275,7 @@ public class ChunkedInputFilter implements InputFilter { /** * Read bytes from the previous buffer. */ - protected int readBytes() - throws IOException { + protected int readBytes() throws IOException { int nRead = buffer.doRead(readChunk, null); pos = readChunk.getStart(); @@ -285,7 +283,6 @@ public class ChunkedInputFilter implements InputFilter { buf = readChunk.getBytes(); return nRead; - } 
@@ -298,8 +295,7 @@ public class ChunkedInputFilter implements InputFilter { * we should not parse F23IAMGONNAMESSTHISUP34CRLF as a valid header * according to spec */ - protected boolean parseChunkHeader() - throws IOException { + protected boolean parseChunkHeader() throws IOException { int result = 0; boolean eol = false; @@ -340,7 +336,7 @@ public class ChunkedInputFilter implements InputFilter { extensionSize++; if (org.apache.coyote.Constants.MAX_EXTENSION_SIZE > -1 && extensionSize > org.apache.coyote.Constants.MAX_EXTENSION_SIZE) { - throw new IOException("maxExtensionSize exceeded"); + throwIOException(sm.getString("chunkedInputFilter.maxExtension")); } } @@ -348,21 +344,22 @@ public class ChunkedInputFilter implements InputFilter { if (!eol) { pos++; } - } - if (readDigit == 0 || result < 0) + if (readDigit == 0 || result < 0) { return false; + } - if (result == 0) + if (result == 0) { endChunk = true; + } remaining = result; - if (remaining < 0) + if (remaining < 0) { return false; + } return true; - } @@ -389,26 +386,27 @@ public class ChunkedInputFilter implements InputFilter { boolean crfound = false; while (!eol) { - if (pos >= lastValid) { - if (readBytes() <= 0) - throw new IOException("Invalid CRLF"); + if (readBytes() <= 0) { + throwIOException(sm.getString("chunkedInputFilter.invalidCrlfNoData")); + } } if (buf[pos] == Constants.CR) { - if (crfound) throw new IOException("Invalid CRLF, two CR characters encountered."); + if (crfound) { + throwIOException(sm.getString("chunkedInputFilter.invalidCrlfCRCR")); + } crfound = true; } else if (buf[pos] == Constants.LF) { if (!tolerant && !crfound) { - throw new IOException("Invalid CRLF, no CR character encountered."); + throwIOException(sm.getString("chunkedInputFilter.invalidCrlfNoCR")); } eol = true; } else { - throw new IOException("Invalid CRLF"); + throwIOException(sm.getString("chunkedInputFilter.invalidCrlf")); } pos++; - } } 
@@ -417,7 +415,6 @@ public class ChunkedInputFilter implements InputFilter { * Parse end chunk data. */ protected boolean parseEndChunk() throws IOException { - // Handle optional trailer headers while (parseHeader()) { // Loop until we run out of headers @@ -434,8 +431,9 @@ public class ChunkedInputFilter implements InputFilter { // Read new bytes if needed if (pos >= lastValid) { - if (readBytes() <0) - throw new EOFException("Unexpected end of stream whilst reading trailer headers for chunked request"); + if (readBytes() <0) { + throwEOFException(sm.getString("chunkedInputFilter.eosTrailer")); + } } chr = buf[pos]; @@ -459,8 +457,9 @@ public class ChunkedInputFilter implements InputFilter { // Read new bytes if needed if (pos >= lastValid) { - if (readBytes() <0) - throw new EOFException("Unexpected end of stream whilst reading trailer headers for chunked request"); + if (readBytes() <0) { + throwEOFException(sm.getString("chunkedInputFilter.eosTrailer")); + } } chr = buf[pos]; @@ -500,8 +499,9 @@ public class ChunkedInputFilter implements InputFilter { // Read new bytes if needed if (pos >= lastValid) { - if (readBytes() <0) - throw new EOFException("Unexpected end of stream whilst reading trailer headers for chunked request"); + if (readBytes() <0) { + throwEOFException(sm.getString("chunkedInputFilter.eosTrailer")); + } } chr = buf[pos]; @@ -512,7 +512,7 @@ public class ChunkedInputFilter implements InputFilter { if (trailingHeaders.getLimit() != -1) { int newlimit = trailingHeaders.getLimit() -1; if (trailingHeaders.getEnd() > newlimit) { - throw new IOException("Exceeded maxTrailerSize"); + throwIOException(sm.getString("chunkedInputFilter.maxTrailer")); } trailingHeaders.setLimit(newlimit); } 
@@ -527,8 +527,9 @@ public class ChunkedInputFilter implements InputFilter { // Read new bytes if needed if (pos >= lastValid) { - if (readBytes() <0) - throw new EOFException("Unexpected end of stream whilst reading trailer headers for chunked request"); + if (readBytes() <0) { + throwEOFException(sm.getString("chunkedInputFilter.eosTrailer")); + } } chr = buf[pos]; @@ -552,8 +553,9 @@ public class ChunkedInputFilter implements InputFilter { // Read new bytes if needed if (pos >= lastValid) { - if (readBytes() <0) - throw new EOFException("Unexpected end of stream whilst reading trailer headers for chunked request"); + if (readBytes() <0) { + throwEOFException(sm.getString("chunkedInputFilter.eosTrailer")); + } } chr = buf[pos]; @@ -574,4 +576,23 @@ public class ChunkedInputFilter implements InputFilter { return true; } + + + private void throwIOException(String msg) throws IOException { + error = true; + throw new IOException(msg); + } + + + private void throwEOFException(String msg) throws IOException { + error = true; + throw new EOFException(msg); + } + + + private void checkError() throws IOException { + if (error) { + throw new IOException(sm.getString("chunkedInputFilter.error")); + } + } } diff --git a/java/org/apache/coyote/http11/filters/LocalStrings.properties b/java/org/apache/coyote/http11/filters/LocalStrings.properties new file mode 100644 index 0000000..5f858f9 --- /dev/null +++ b/java/org/apache/coyote/http11/filters/LocalStrings.properties 
@@ -0,0 +1,25 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +chunkedInputFilter.error=No data available due to previous error +chunkedInputFilter.eos=Unexpected end of stream while reading request body +chunkedInputFilter.eosTrailer=Unexpected end of stream while reading trailer headers +chunkedInputFilter.invalidCrlf=Invalid end of line sequence (character other than CR or LF found) +chunkedInputFilter.invalidCrlfCRCR=Invalid end of line sequence (CRCR) +chunkedInputFilter.invalidCrlfNoCR=Invalid end of line sequence (No CR before LF) +chunkedInputFilter.invalidCrlfNoData=Invalid end of line sequence (no data available to read) +chunkedInputFilter.invalidHeader=Invalid chunk header +chunkedInputFilter.maxExtension=maxExtensionSize exceeded +chunkedInputFilter.maxTrailer=maxTrailerSize exceeded diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 214d787..d00853e 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml 
@@ -90,6 +90,11 @@ Fix possible overflow when parsing long values from a byte array. (markt) + + Various improvements to ChunkedInputFilter including clean-up, i18n for + error messages and adding an error flag to allow subsequent attempts at + reading after an error to fail fast. (markt) + -- 2.17.1 debian/patches/CVE-2014-0096.patch0000664000000000000000000005753013357742732013264 0ustar From: markt Date: Tue Apr 8 22:19:46 2014 UTC (4 years, 6 months ago) Description: Redefine the globalXsltFile initialisation parameter of the DefaultServlet as relative to CATALINA_BASE/conf or CATALINA_HOME/conf. Prevent user supplied XSLTs used by the DefaultServlet from defining external entities. This is the fix for CVE-2014-0096 --- conf/web.xml | 10 +- .../catalina/servlets/DefaultServlet.java | 252 ++++++++++++++---- .../catalina/servlets/LocalStrings.properties | 3 + webapps/docs/changelog.xml | 6 + webapps/docs/default-servlet.xml | 31 ++- 5 files changed, 225 insertions(+), 77 deletions(-) diff --git a/conf/web.xml b/conf/web.xml index a3acebf..aae2878 100644 --- a/conf/web.xml +++ b/conf/web.xml @@ -87,10 +87,12 @@ - - - - + + + + + + default diff --git a/java/org/apache/catalina/servlets/DefaultServlet.java b/java/org/apache/catalina/servlets/DefaultServlet.java index 547f73c..fc40047 100644 --- a/java/org/apache/catalina/servlets/DefaultServlet.java +++ b/java/org/apache/catalina/servlets/DefaultServlet.java @@ -14,8 +14,6 @@ * See the License for the specific language governing permissions and * limitations under the License. */ - - package org.apache.catalina.servlets; @@ -35,6 +33,7 @@ import java.io.StringReader; import java.io.StringWriter; import java.util.ArrayList; import java.util.Iterator; +import java.util.Locale; import java.util.StringTokenizer; import javax.naming.InitialContext; 
@@ -48,10 +47,14 @@ import javax.servlet.UnavailableException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import javax.xml.parsers.DocumentBuilder; +import javax.xml.parsers.DocumentBuilderFactory; +import javax.xml.parsers.ParserConfigurationException; import javax.xml.transform.Source; import javax.xml.transform.Transformer; import javax.xml.transform.TransformerException; import javax.xml.transform.TransformerFactory; +import javax.xml.transform.dom.DOMSource; import javax.xml.transform.stream.StreamResult; import javax.xml.transform.stream.StreamSource; @@ -65,6 +68,10 @@ import org.apache.naming.resources.CacheEntry; import org.apache.naming.resources.ProxyDirContext; import org.apache.naming.resources.Resource; import org.apache.naming.resources.ResourceAttributes; +import org.w3c.dom.Document; +import org.xml.sax.InputSource; +import org.xml.sax.SAXException; +import org.xml.sax.ext.EntityResolver2; /** @@ -104,7 +111,7 @@ import org.apache.naming.resources.ResourceAttributes; * *

* Then a request to /context/static/images/tomcat.jpg will succeed - * while a request to /context/images/tomcat2.jpg will fail. + * while a request to /context/images/tomcat2.jpg will fail. *

* @author Craig R. McClanahan * @author Remy Maucherat @@ -113,9 +120,14 @@ import org.apache.naming.resources.ResourceAttributes; public class DefaultServlet extends HttpServlet { - - // ----------------------------------------------------- Instance Variables + private static final DocumentBuilderFactory factory; + + private static final SecureEntityResolver secureEntityResolver = + new SecureEntityResolver(); + + + // ----------------------------------------------------- Instance Variables /** * The debugging detail level for this servlet. @@ -163,8 +175,8 @@ public class DefaultServlet * Allow customized directory listing per context. */ protected String contextXsltFile = null; - - + + /** * Allow customized directory listing per instance. */ @@ -188,13 +200,13 @@ public class DefaultServlet * the platform default is used. */ protected String fileEncoding = null; - - + + /** * Minimum size for sendfile usage in bytes. */ protected int sendfileSize = 48 * 1024; - + /** * Should the Accept-Ranges: bytes header be send with static resources? */ @@ -204,8 +216,8 @@ public class DefaultServlet * Full range marker. */ protected static ArrayList FULL = new ArrayList(); - - + + // ----------------------------------------------------- Static Initializer @@ -219,6 +231,10 @@ public class DefaultServlet urlEncoder.addSafeCharacter('.'); urlEncoder.addSafeCharacter('*'); urlEncoder.addSafeCharacter('/'); + + factory = DocumentBuilderFactory.newInstance(); + factory.setNamespaceAware(true); + factory.setValidating(false); } @@ -277,7 +293,7 @@ public class DefaultServlet readOnly = Boolean.parseBoolean(getServletConfig().getInitParameter("readonly")); if (getServletConfig().getInitParameter("sendfileSize") != null) - sendfileSize = + sendfileSize = Integer.parseInt(getServletConfig().getInitParameter("sendfileSize")) * 1024; fileEncoding = getServletConfig().getInitParameter("fileEncoding"); 
@@ -371,7 +387,7 @@ public class DefaultServlet /** * Determines the appropriate path to prepend resources with - * when generating directory listings. Depending on the behaviour of + * when generating directory listings. Depending on the behaviour of * {@link #getRelativePath(HttpServletRequest)} this will change. * @param request the request to determine the path for * @return the prefix to apply to all resources in the listing. @@ -429,7 +445,7 @@ public class DefaultServlet * * @param resp the {@link HttpServletResponse} object that * contains the response the servlet returns - * to the client + * to the client * * @exception IOException if an input or output error occurs * while the servlet is handling the @@ -457,11 +473,11 @@ public class DefaultServlet } // Always allow options allow.append(", OPTIONS"); - + resp.setHeader("Allow", allow.toString()); } - - + + /** * Process a POST request for the specified resource. * @@ -741,7 +757,7 @@ public class DefaultServlet CacheEntry cacheEntry = resources.lookupCache(path); if (!cacheEntry.exists) { - // Check if we're included so we can return the appropriate + // Check if we're included so we can return the appropriate // missing resource name in the error String requestUri = (String) request.getAttribute( Globals.INCLUDE_REQUEST_URI_ATTR); @@ -766,7 +782,7 @@ public class DefaultServlet // ends with "/" or "\", return NOT FOUND if (cacheEntry.context == null) { if (path.endsWith("/") || (path.endsWith("\\"))) { - // Check if we're included so we can return the appropriate + // Check if we're included so we can return the appropriate // missing resource name in the error String requestUri = (String) request.getAttribute( Globals.INCLUDE_REQUEST_URI_ATTR); 
@@ -827,13 +843,13 @@ public class DefaultServlet // Accept ranges header response.setHeader("Accept-Ranges", "bytes"); } - + // Parse range specifier ranges = parseRange(request, response, cacheEntry.attributes); - + // ETag header response.setHeader("ETag", cacheEntry.attributes.getETag()); - + // Last-Modified header response.setHeader("Last-Modified", cacheEntry.attributes.getLastModifiedHttp()); @@ -1194,24 +1210,22 @@ public class DefaultServlet } - /** * Decide which way to render. HTML or XML. */ protected InputStream render(String contextPath, CacheEntry cacheEntry) throws IOException, ServletException { - InputStream xsltInputStream = - findXsltInputStream(cacheEntry.context); + Source xsltSource = findXsltInputStream(cacheEntry.context); - if (xsltInputStream==null) { + if (xsltSource == null) { return renderHtml(contextPath, cacheEntry); - } else { - return renderXml(contextPath, cacheEntry, xsltInputStream); } + return renderXml(contextPath, cacheEntry, xsltSource); } + /** * Return an InputStream to an HTML representation of the contents * of this directory. @@ -1221,7 +1235,7 @@ public class DefaultServlet */ protected InputStream renderXml(String contextPath, CacheEntry cacheEntry, - InputStream xsltInputStream) + Source xsltSource) throws IOException, ServletException { StringBuffer sb = new StringBuffer(); @@ -1243,7 +1257,7 @@ public class DefaultServlet // Render the directory entries within this directory NamingEnumeration enumeration = resources.list(cacheEntry.name); - + // rewriteUrl(contextPath) is expensive. cache result for later reuse String rewrittenContextPath = rewriteUrl(contextPath); 
@@ -1314,8 +1328,7 @@ public class DefaultServlet try { TransformerFactory tFactory = TransformerFactory.newInstance(); Source xmlSource = new StreamSource(new StringReader(sb.toString())); - Source xslSource = new StreamSource(xsltInputStream); - Transformer transformer = tFactory.newTransformer(xslSource); + Transformer transformer = tFactory.newTransformer(xsltSource); ByteArrayOutputStream stream = new ByteArrayOutputStream(); OutputStreamWriter osWriter = new OutputStreamWriter(stream, "UTF8"); @@ -1353,7 +1366,7 @@ public class DefaultServlet PrintWriter writer = new PrintWriter(osWriter); StringBuffer sb = new StringBuffer(); - + // rewriteUrl(contextPath) is expensive. cache result for later reuse String rewrittenContextPath = rewriteUrl(contextPath); @@ -1540,9 +1553,9 @@ public class DefaultServlet /** - * Return the xsl template inputstream (if possible) + * Return a Source for the xsl template (if possible) */ - protected InputStream findXsltInputStream(DirContext directory) + protected Source findXsltInputStream(DirContext directory) throws IOException, ServletException { if (localXsltFile != null) { @@ -1550,8 +1563,13 @@ public class DefaultServlet Object obj = directory.lookup(localXsltFile); if ((obj != null) && (obj instanceof Resource)) { InputStream is = ((Resource) obj).streamContent(); - if (is != null) - return is; + if (is != null) { + if (Globals.IS_SECURITY_ENABLED) { + return secureXslt(is); + } else { + return new StreamSource(is); + } + } } } catch (NamingException e) { if (debug > 10) @@ -1562,8 +1580,13 @@ public class DefaultServlet if (contextXsltFile != null) { InputStream is = getServletContext().getResourceAsStream(contextXsltFile); - if (is != null) - return is; + if (is != null) { + if (Globals.IS_SECURITY_ENABLED) { + return secureXslt(is); + } else { + return new StreamSource(is); + } + } if (debug > 10) log("contextXsltFile '" + contextXsltFile + "' not found"); 
@@ -1572,20 +1595,26 @@ public class DefaultServlet /* Open and read in file in one fell swoop to reduce chance * chance of leaving handle open. */ - if (globalXsltFile!=null) { - FileInputStream fis = null; - - try { - File f = new File(globalXsltFile); - if (f.exists()){ - fis =new FileInputStream(f); + if (globalXsltFile != null) { + File f = validateGlobalXsltFile(); + if (f != null){ + FileInputStream fis = null; + try { + fis = new FileInputStream(f); byte b[] = new byte[(int)f.length()]; /* danger! */ fis.read(b); - return new ByteArrayInputStream(b); + return new StreamSource(new ByteArrayInputStream(b)); + } finally { + if (fis != null) { + try { + fis.close(); + } catch (IOException ioe) { + if (debug > 10) { + log(ioe.getMessage(), ioe); + } + } + } } - } finally { - if (fis!=null) - fis.close(); } } 
@@ -1594,8 +1623,93 @@ public class DefaultServlet } - // -------------------------------------------------------- protected Methods + private File validateGlobalXsltFile() { + + File result = null; + String base = System.getProperty("catalina.base"); + + if (base != null) { + File baseConf = new File(base, "conf"); + result = validateGlobalXsltFile(baseConf); + } + + if (result == null) { + String home = System.getProperty("catalina.home"); + if (home != null && !home.equals(base)) { + File homeConf = new File(home, "conf"); + result = validateGlobalXsltFile(homeConf); + } + } + + return result; + } + + private File validateGlobalXsltFile(File base) { + File candidate = new File(globalXsltFile); + if (!candidate.isAbsolute()) { + candidate = new File(base, globalXsltFile); + } + + if (!candidate.isFile()) { + return null; + } + + // First check that the resulting path is under the provided base + try { + if (!candidate.getCanonicalPath().startsWith(base.getCanonicalPath())) { + return null; + } + } catch (IOException ioe) { + return null; + } + + // Next check that an .xsl or .xslt file has been specified + String nameLower = candidate.getName().toLowerCase(Locale.ENGLISH); + if (!nameLower.endsWith(".xslt") && !nameLower.endsWith(".xsl")) { + return null; + } + + return candidate; + } + + + private Source secureXslt(InputStream is) { + // Need to filter out any external entities + Source result = null; + try { + DocumentBuilder builder = factory.newDocumentBuilder(); + builder.setEntityResolver(secureEntityResolver); + Document document = builder.parse(is); + result = new DOMSource(document); + } catch (ParserConfigurationException e) { + if (debug > 0) { + log(e.getMessage(), e); + } + } catch (SAXException e) { + if (debug > 0) { + log(e.getMessage(), e); + } + } catch (IOException e) { + if (debug > 0) { + log(e.getMessage(), e); + } + } finally { + if (is != null) { + try { + is.close(); + } catch (IOException e) { + if (debug > 10) { + log(e.getMessage(), 
e); + } + } + } + } + return result; + } + + + // -------------------------------------------------------- protected Methods /** * Check if sendfile can be used. @@ -1624,8 +1738,8 @@ public class DefaultServlet return false; } } - - + + /** * Check if the if-match condition is satisfied. * @@ -2034,7 +2148,7 @@ public class DefaultServlet while ( (exception == null) && (ranges.hasNext()) ) { InputStream resourceInputStream = cacheEntry.resource.streamContent(); - + Reader reader; if (fileEncoding == null) { reader = new InputStreamReader(resourceInputStream); @@ -2238,10 +2352,6 @@ public class DefaultServlet } - - // ------------------------------------------------------ Range Inner Class - - protected class Range { public long start; @@ -2266,5 +2376,29 @@ public class DefaultServlet } + /** + * This is secure in the sense that any attempt to use an external entity + * will trigger an exception. + */ + private static class SecureEntityResolver implements EntityResolver2 { + public InputSource resolveEntity(String publicId, String systemId) + throws SAXException, IOException { + throw new SAXException(sm.getString("defaultServlet.blockExternalEntity", + publicId, systemId)); + } + + public InputSource getExternalSubset(String name, String baseURI) + throws SAXException, IOException { + throw new SAXException(sm.getString("defaultServlet.blockExternalSubset", + name, baseURI)); + } + + public InputSource resolveEntity(String name, String publicId, + String baseURI, String systemId) throws SAXException, + IOException { + throw new SAXException(sm.getString("defaultServlet.blockExternalEntity2", + name, publicId, baseURI, systemId)); + } + } } diff --git a/java/org/apache/catalina/servlets/LocalStrings.properties b/java/org/apache/catalina/servlets/LocalStrings.properties index a97b32c..e5a0f2e 100644 --- a/java/org/apache/catalina/servlets/LocalStrings.properties +++ b/java/org/apache/catalina/servlets/LocalStrings.properties 
@@ -13,6 +13,9 @@ # See the License for the specific language governing permissions and # limitations under the License. +defaultServlet.blockExternalEntity=Blocked access to external entity with publicId [{0}] and systemId [{0}] +defaultServlet.blockExternalEntity2=Blocked access to external entity with name [{0}], publicId [{1}], baseURI [{2}] and systemId [{3}] +defaultServlet.blockExternalSubset=Blocked access to external subset with name [{0}] and baseURI [{1}] defaultServlet.missingResource=The requested resource ({0}) is not available defaultservlet.directorylistingfor=Directory Listing for: defaultservlet.upto=Up to: diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 0b1c2d6..38a0ebe 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -50,6 +50,12 @@ 55166: Fix regression that broke XML validation when running on some Java 5 JVMs. (kkolinko) + + Redefine the globalXsltFile initialisation parameter of the + DefaultServlet as relative to CATALINA_BASE/conf or CATALINA_HOME/conf. + Prevent user supplied XSLTs used by the DefaultServlet from defining + external entities. (markt) +
diff --git a/webapps/docs/default-servlet.xml b/webapps/docs/default-servlet.xml index b398c2e..2d3a760 100644 --- a/webapps/docs/default-servlet.xml +++ b/webapps/docs/default-servlet.xml @@ -110,21 +110,23 @@ The DefaultServlet allows the following initParamters: globalXsltFile If you wish to customize your directory listing, you - can use an XSL transformation. This value is an absolute - file name which be used for all directory listings. - This can be overridden per context and/or per directory. See - contextXsltFile and localXsltFile - below. The format of the xml is shown below. + can use an XSL transformation. This value is a relative file name (to + either $CATALINA_BASE/conf/ or $CATALINA_HOME/conf/) which will be used + for all directory listings. This can be overridden per context and/or + per directory. See contextXsltFile and + localXsltFile below. The format of the xml is shown + below. contextXsltFile You may also customize your directory listing by context by - configuring contextXsltFile. This should be a context - relative path (e.g.: /path/to/context.xslt). This - overrides globalXsltFile. If this value is present but a - file does not exist, then globalXsltFile will be used. If + configuring contextXsltFile. This must be a context + relative path (e.g.: /path/to/context.xslt) to a file with + a .xsl or .xslt extension. This overrides + globalXsltFile. If this value is present but a file does + not exist, then globalXsltFile will be used. If globalXsltFile does not exist, then the default directory listing will be shown. 
@@ -133,11 +135,12 @@ The DefaultServlet allows the following initParamters: localXsltFile You may also customize your directory listing by directory by - configuring localXsltFile. This should be a relative - file name in the directory where the listing will take place. - This overrides globalXsltFile and - contextXsltFile. If this value is present but a file - does not exist, then contextXsltFile will be used. If + configuring localXsltFile. This must be a file in the + directory where the listing will take place to with a + .xsl or .xslt extension. This overrides + globalXsltFile and contextXsltFile. If this + value is present but a file does not exist, then + contextXsltFile will be used. If contextXsltFile does not exist, then globalXsltFile will be used. If globalXsltFile does not exist, then the default -- 2.17.1 debian/patches/CVE-2014-0119-2.patch0000664000000000000000000000572013357743133013405 0ustar From: kkolinko Date: Sun May 11 16:44:03 2014 UTC (4 years, 5 months ago) Description: Ensure TLD parser obtained from cache has correct value of blockExternal (r1590036 + r1590040 + r1590065) This is part 2 of 3 of the fix for CVE-2014-0119 --- .../apache/catalina/startup/TldConfig.java | 33 +++++++++---------- webapps/docs/changelog.xml | 4 +++ 2 files changed, 20 insertions(+), 17 deletions(-) diff --git a/java/org/apache/catalina/startup/TldConfig.java b/java/org/apache/catalina/startup/TldConfig.java index 90dd626..6eaaa16 100644 --- a/java/org/apache/catalina/startup/TldConfig.java +++ b/java/org/apache/catalina/startup/TldConfig.java 
@@ -136,30 +136,29 @@ public final class TldConfig implements LifecycleListener { /** * The Digesters available to process tld files. */ - private static Digester[] tldDigesters = new Digester[2]; + private static Digester[] tldDigesters = new Digester[4]; /** * Create (if necessary) and return a Digester configured to process the * tld. */ - private static Digester createTldDigester(boolean validation, + private static synchronized Digester createTldDigester(boolean validation, boolean blockExternal) { - Digester digester = null; - if (!validation) { - if (tldDigesters[0] == null) { - tldDigesters[0] = DigesterFactory.newDigester(validation, - true, new TldRuleSet(), blockExternal); - tldDigesters[0].getParser(); - } - digester = tldDigesters[0]; - } else { - if (tldDigesters[1] == null) { - tldDigesters[1] = DigesterFactory.newDigester(validation, - true, new TldRuleSet(), blockExternal); - tldDigesters[1].getParser(); - } - digester = tldDigesters[1]; + Digester digester; + int cacheIndex = 0; + if (validation) { + cacheIndex += 1; + } + if (blockExternal) { + cacheIndex += 2; + } + digester = tldDigesters[cacheIndex]; + if (digester == null) { + digester = DigesterFactory.newDigester(validation, + true, new TldRuleSet(), blockExternal); + digester.getParser(); + tldDigesters[cacheIndex] = digester; } return digester; } diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index ffe677b..ccf3b8b 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -60,6 +60,10 @@ Only create XML parsing objects if required and fix associated potential memory leak in the default Servlet. (markt) + + Ensure that a TLD parser obtained from the cache has the correct value + of blockExternal. (markt/kkolinko) + -- 2.17.1 debian/patches/0002-do-not-load-AJP13-connector-by-default.patch0000664000000000000000000000114012300245614021123 0ustar 
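Review bot: In the five trailer-reading hunks of ChunkedInputFilter.java the refill check is still `if (readBytes() <0)`, while parseCRLF in the same patch treats `readBytes() <= 0` as an error. If readBytes() can return 0 on this path, `chr = buf[pos]` runs with pos >= lastValid and reads stale buffer contents. Use `<= 0` here as well, or add a comment stating why 0 cannot occur. Since the block is now identical in all five places, a small private helper would stop the copies from drifting apart again.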
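Review bot: In validateGlobalXsltFile(File base) in DefaultServlet.java (CVE-2014-0096.patch), the containment check `candidate.getCanonicalPath().startsWith(base.getCanonicalPath())` is a plain string prefix test, so an absolute globalXsltFile in a sibling directory whose name merely begins with the conf path (a directory named conf-old next to conf, for instance) passes it. Compare against the base canonical path plus File.separator, or walk getParentFile() up to base. A comment saying that absolute values are still accepted when they resolve under conf would also help, because default-servlet.xml now describes the parameter as relative only.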
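Review bot: In findXsltInputStream() in DefaultServlet.java (CVE-2014-0096.patch), the localXsltFile and contextXsltFile branches call secureXslt(is) only when Globals.IS_SECURITY_ENABLED is true and otherwise pass the stream to `new StreamSource(is)` unparsed, so the external-entity block described in the patch header does not apply to instances running without a security manager. If that is intended, state it in default-servlet.xml and in the changelog entry; if not, drop the condition. secureXslt() also returns null after a parse failure that is logged only when debug > 0, which makes render() fall back to the HTML listing with no indication that the stylesheet was rejected.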
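Review bot: In the globalXsltFile branch of findXsltInputStream() in DefaultServlet.java (CVE-2014-0096.patch), the rewritten block keeps `fis.read(b);` with its return value ignored and the `(int)f.length()` cast still marked `/* danger! */`. A single read() is not guaranteed to fill the array, so the stylesheet can reach the transformer truncated and zero-padded. Loop until the array is full or the stream ends, and reject files whose length does not fit the cast.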
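Review bot: In java/org/apache/catalina/servlets/LocalStrings.properties (CVE-2014-0096.patch), defaultServlet.blockExternalEntity uses `{0}` for both values (`publicId [{0}] and systemId [{0}]`), so the message repeats the publicId and never shows the systemId that SecureEntityResolver.resolveEntity(publicId, systemId) passes as the second argument. The second placeholder should be `{1}`.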
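Review bot: In createTldDigester() in TldConfig.java (CVE-2014-0119-2.patch), adding `synchronized` protects only the lookup and population of tldDigesters; the method still returns the shared cached Digester, which the caller then uses outside the lock. If TLD processing can run on more than one thread, either document that callers serialise access or synchronise on the returned digester at the call site. A short comment on the index encoding (validation adds 1, blockExternal adds 2) would make `new Digester[4]` self-explanatory.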
From: Thierry Carrez Date: Mon, 28 Jun 2010 21:32:21 +0200 Subject: [PATCH] do not load AJP13 connector by default --- conf/server.xml | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) diff --git a/conf/server.xml b/conf/server.xml index 03894e7..500e39a 100644 --- a/conf/server.xml +++ b/conf/server.xml @@ -88,7 +88,9 @@ --> + debian/context/docs.xml0000664000000000000000000000163212300245614012325 0ustar debian/context/manager.xml0000664000000000000000000000166412300245614013014 0ustar