From 3f042f5064934667c90e66cad059a474641a9747 Mon Sep 17 00:00:00 2001 From: peng2285 Date: Wed, 28 Dec 2022 10:31:23 +0800 Subject: [PATCH] Fix CVE-2022-2047 and CVE-2022-2048 modified: jetty.spec --- CVE-2022-2047.patch | 326 ++++++++++++++++++++++++++++++++++++++++++++ CVE-2022-2048.patch | 47 +++++++ jetty.spec | 7 +- 3 files changed, 379 insertions(+), 1 deletion(-) create mode 100644 CVE-2022-2047.patch create mode 100644 CVE-2022-2048.patch diff --git a/CVE-2022-2047.patch b/CVE-2022-2047.patch new file mode 100644 index 0000000..64a7a9a --- /dev/null +++ b/CVE-2022-2047.patch @@ -0,0 +1,326 @@ +From: Markus Koschany +Date: Wed, 17 Aug 2022 12:58:27 +0200 +Subject: CVE-2022-2047 + +Origin: https://github.com/eclipse/jetty.project/pull/8146 +--- + .../java/org/eclipse/jetty/client/HttpRequest.java | 8 +- + .../eclipse/jetty/client/HttpClientURITest.java | 45 ++++++++++ + .../main/java/org/eclipse/jetty/http/HttpURI.java | 25 +++++- + .../java/org/eclipse/jetty/http/HttpURITest.java | 95 ++++++++++++++++++++++ + .../org/eclipse/jetty/proxy/ConnectHandler.java | 2 +- + .../java/org/eclipse/jetty/server/Request.java | 14 +++- + .../eclipse/jetty/server/HttpConnectionTest.java | 12 +-- + 7 files changed, 187 insertions(+), 14 deletions(-) + +diff --git a/jetty-client/src/main/java/org/eclipse/jetty/client/HttpRequest.java b/jetty-client/src/main/java/org/eclipse/jetty/client/HttpRequest.java +index f6a453f..2d2afa0 100644 +--- a/jetty-client/src/main/java/org/eclipse/jetty/client/HttpRequest.java ++++ b/jetty-client/src/main/java/org/eclipse/jetty/client/HttpRequest.java +@@ -177,6 +177,8 @@ public class HttpRequest implements Request + String rawPath = uri.getRawPath(); + if (rawPath == null) + rawPath = ""; ++ if (!rawPath.startsWith("/")) ++ rawPath = "/" + rawPath; + this.path = rawPath; + String query = uri.getRawQuery(); + if (query != null) +@@ -855,14 +857,14 @@ public class HttpRequest implements Request + return result; + } + +- private URI newURI(String uri) ++ private URI newURI(String path) + { + try + { + // Handle specially the "OPTIONS *" case, since it is possible to create a URI from "*" (!). +- if ("*".equals(uri)) ++ if ("*".equals(path)) + return null; +- URI result = new URI(uri); ++ URI result = new URI(path); + return result.isOpaque() ? null : result; + } + catch (URISyntaxException x) +diff --git a/jetty-http/src/main/java/org/eclipse/jetty/http/HttpURI.java b/jetty-http/src/main/java/org/eclipse/jetty/http/HttpURI.java +index 9c43512..5a97bdd 100644 +--- a/jetty-http/src/main/java/org/eclipse/jetty/http/HttpURI.java ++++ b/jetty-http/src/main/java/org/eclipse/jetty/http/HttpURI.java +@@ -189,7 +189,7 @@ public class HttpURI + _uri=uri; + + if (HttpMethod.CONNECT.is(method)) +- _path=uri; ++ parse(State.HOST, uri, 0, uri.length()); + else + parse(uri.startsWith("/")?State.PATH:State.START,uri,0,uri.length()); + } +@@ -720,17 +720,30 @@ public class HttpURI + */ + public void setAuthority(String host, int port) + { ++ if (host != null && !isPathValidForAuthority(_path)) ++ throw new IllegalArgumentException("Relative path with authority"); + _host=host; + _port=port; + _uri=null; + } + ++ private boolean isPathValidForAuthority(String path) ++ { ++ if (path == null) ++ return true; ++ if (path.isEmpty() || "*".equals(path)) ++ return true; ++ return path.startsWith("/"); ++ } ++ + /* ------------------------------------------------------------ */ + /** + * @param path the path + */ + public void setPath(String path) + { ++ if (hasAuthority() && !isPathValidForAuthority(path)) ++ throw new IllegalArgumentException("Relative path with authority"); + _uri=null; + _path=path; + _decodedPath=null; +@@ -739,6 +752,8 @@ public class HttpURI + /* ------------------------------------------------------------ */ + public void setPathQuery(String path) + { ++ if (hasAuthority() && !isPathValidForAuthority(path)) ++ throw new IllegalArgumentException("Relative path with authority"); + _uri=null; + _path=null; + _decodedPath=null; +@@ -747,7 +762,13 @@ public class HttpURI + if (path!=null) + parse(State.PATH,path,0,path.length()); + } +- ++ ++ private boolean hasAuthority() ++ { ++ return _host != null; ++ } ++ ++ + /* ------------------------------------------------------------ */ + public void setQuery(String query) + { +diff --git a/jetty-http/src/test/java/org/eclipse/jetty/http/HttpURITest.java b/jetty-http/src/test/java/org/eclipse/jetty/http/HttpURITest.java +index 63a58cf..6c3e65f 100644 +--- a/jetty-http/src/test/java/org/eclipse/jetty/http/HttpURITest.java ++++ b/jetty-http/src/test/java/org/eclipse/jetty/http/HttpURITest.java +@@ -32,6 +32,15 @@ import java.nio.charset.StandardCharsets; + import org.eclipse.jetty.util.MultiMap; + import org.junit.jupiter.api.Test; + ++import org.junit.jupiter.params.ParameterizedTest; ++import org.junit.jupiter.params.provider.Arguments; ++import org.junit.jupiter.params.provider.MethodSource; ++import static org.junit.jupiter.api.Assertions.assertEquals; ++import static org.junit.jupiter.api.Assertions.assertThrows; ++import static org.junit.jupiter.api.Assertions.assertTrue; ++import static org.junit.jupiter.api.Assertions.fail; ++import static org.junit.jupiter.api.Assumptions.assumeTrue; ++ + public class HttpURITest + { + @Test +@@ -100,6 +109,32 @@ public class HttpURITest + assertThat(uri.getPath(),is("/bar")); + } + ++ @Test ++ public void testCONNECT() ++ { ++ HttpURI uri = new HttpURI(); ++ ++ uri.parseRequestTarget("CONNECT", "host:80"); ++ assertThat(uri.getHost(), is("host")); ++ assertThat(uri.getPort(), is(80)); ++ assertThat(uri.getPath(), nullValue()); ++ ++ uri.parseRequestTarget("CONNECT", "host"); ++ assertThat(uri.getHost(), is("host")); ++ assertThat(uri.getPort(), is(-1)); ++ assertThat(uri.getPath(), nullValue()); ++ ++ uri.parseRequestTarget("CONNECT", "192.168.0.1:8080"); ++ assertThat(uri.getHost(), is("192.168.0.1")); ++ assertThat(uri.getPort(), is(8080)); ++ assertThat(uri.getPath(), nullValue()); ++ ++ uri.parseRequestTarget("CONNECT", "[::1]:8080"); ++ assertThat(uri.getHost(), is("[::1]")); ++ assertThat(uri.getPort(), is(8080)); ++ assertThat(uri.getPath(), nullValue()); ++ } ++ + @Test + public void testExtB() throws Exception + { +@@ -222,4 +257,64 @@ public class HttpURITest + assertEquals(uri.getAuthority(), "example.com:8888"); + assertEquals(uri.getUser(), "user:password"); + } ++ ++ @Test ++ public void testRelativePathWithAuthority() ++ { ++ assertThrows(IllegalArgumentException.class, () -> ++ { ++ HttpURI httpURI = new HttpURI(); ++ httpURI.setAuthority("host", 0); ++ httpURI.setPath("path"); ++ }); ++ assertThrows(IllegalArgumentException.class, () -> ++ { ++ HttpURI httpURI = new HttpURI(); ++ httpURI.setAuthority("host", 8080); ++ httpURI.setPath(";p=v/url"); ++ }); ++ assertThrows(IllegalArgumentException.class, () -> ++ { ++ HttpURI httpURI = new HttpURI(); ++ httpURI.setAuthority("host", 0); ++ httpURI.setPath(";"); ++ }); ++ ++ assertThrows(IllegalArgumentException.class, () -> ++ { ++ HttpURI httpURI = new HttpURI(); ++ httpURI.setPath("path"); ++ httpURI.setAuthority("host", 0); ++ }); ++ assertThrows(IllegalArgumentException.class, () -> ++ { ++ HttpURI httpURI = new HttpURI(); ++ httpURI.setPath(";p=v/url"); ++ httpURI.setAuthority("host", 8080); ++ }); ++ assertThrows(IllegalArgumentException.class, () -> ++ { ++ HttpURI httpURI = new HttpURI(); ++ httpURI.setPath(";"); ++ httpURI.setAuthority("host", 0); ++ }); ++ ++ HttpURI uri = new HttpURI(); ++ uri.setPath("*"); ++ uri.setAuthority("host", 0); ++ assertEquals("//host*", uri.toString()); ++ uri = new HttpURI(); ++ uri.setAuthority("host", 0); ++ uri.setPath("*"); ++ assertEquals("//host*", uri.toString()); ++ ++ uri = new HttpURI(); ++ uri.setPath(""); ++ uri.setAuthority("host", 0); ++ assertEquals("//host", uri.toString()); ++ uri = new HttpURI(); ++ uri.setAuthority("host", 0); ++ uri.setPath(""); ++ assertEquals("//host", uri.toString()); ++ } + } +diff --git a/jetty-proxy/src/main/java/org/eclipse/jetty/proxy/ConnectHandler.java b/jetty-proxy/src/main/java/org/eclipse/jetty/proxy/ConnectHandler.java +index 6b7d39e..d3dd5c8 100644 +--- a/jetty-proxy/src/main/java/org/eclipse/jetty/proxy/ConnectHandler.java ++++ b/jetty-proxy/src/main/java/org/eclipse/jetty/proxy/ConnectHandler.java +@@ -197,7 +197,7 @@ public class ConnectHandler extends HandlerWrapper + { + if (HttpMethod.CONNECT.is(request.getMethod())) + { +- String serverAddress = request.getRequestURI(); ++ String serverAddress = baseRequest.getHttpURI().getAuthority(); + if (LOG.isDebugEnabled()) + LOG.debug("CONNECT request for {}", serverAddress); + +diff --git a/jetty-server/src/main/java/org/eclipse/jetty/server/Request.java b/jetty-server/src/main/java/org/eclipse/jetty/server/Request.java +index b15bcc7..5b996bb 100644 +--- a/jetty-server/src/main/java/org/eclipse/jetty/server/Request.java ++++ b/jetty-server/src/main/java/org/eclipse/jetty/server/Request.java +@@ -1778,9 +1778,19 @@ public class Request implements HttpServletRequest + + setMethod(request.getMethod()); + HttpURI uri = request.getURI(); +- _originalURI = uri.isAbsolute()&&request.getHttpVersion()!=HttpVersion.HTTP_2?uri.toString():uri.getPathQuery(); ++ String encoded; ++ if (HttpMethod.CONNECT.is(request.getMethod())) ++ { ++ _originalURI = uri.getAuthority(); ++ encoded = "/"; ++ } ++ else ++ { ++ _originalURI = uri.isAbsolute() && request.getHttpVersion() != HttpVersion.HTTP_2 ? uri.toString() : uri.getPathQuery(); ++ encoded = uri.getPath(); ++ } ++ + +- String encoded = uri.getPath(); + String path; + if (encoded==null) + { +diff --git a/jetty-server/src/test/java/org/eclipse/jetty/server/HttpConnectionTest.java b/jetty-server/src/test/java/org/eclipse/jetty/server/HttpConnectionTest.java +index 918a112..22391f7 100644 +--- a/jetty-server/src/test/java/org/eclipse/jetty/server/HttpConnectionTest.java ++++ b/jetty-server/src/test/java/org/eclipse/jetty/server/HttpConnectionTest.java +@@ -365,7 +365,7 @@ public class HttpConnectionTest + public void testBadPathDotDotPath() throws Exception + { + String response=connector.getResponse("GET /ooops/../../path HTTP/1.0\r\nHost: localhost:80\r\n\n"); +- checkContains(response,0,"HTTP/1.1 400 Bad URI"); ++ checkContains(response,0,"HTTP/1.1 400"); + } + + @Test +@@ -380,28 +380,28 @@ public class HttpConnectionTest + public void testBadPathEncodedDotDotPath() throws Exception + { + String response=connector.getResponse("GET /ooops/%2e%2e/%2e%2e/path HTTP/1.0\r\nHost: localhost:80\r\n\n"); +- checkContains(response,0,"HTTP/1.1 400 Bad URI"); ++ checkContains(response,0,"HTTP/1.1 400"); + } + + @Test + public void testBadDotDotPath() throws Exception + { + String response=connector.getResponse("GET ../path HTTP/1.0\r\nHost: localhost:80\r\n\n"); +- checkContains(response,0,"HTTP/1.1 400 Bad URI"); ++ checkContains(response,0,"HTTP/1.1 400"); + } + + @Test + public void testBadSlashDotDotPath() throws Exception + { + String response=connector.getResponse("GET /../path HTTP/1.0\r\nHost: localhost:80\r\n\n"); +- checkContains(response,0,"HTTP/1.1 400 Bad URI"); ++ checkContains(response,0,"HTTP/1.1 400"); + } + + @Test + public void testEncodedBadDotDotPath() throws Exception + { + String response=connector.getResponse("GET %2e%2e/path HTTP/1.0\r\nHost: localhost:80\r\n\n"); +- checkContains(response,0,"HTTP/1.1 400 Bad URI"); ++ checkContains(response,0,"HTTP/1.1 400"); + } + + @Test +@@ -1168,7 +1168,7 @@ public class HttpConnectionTest + "12345\r\n"+ + "0;\r\n" + + "\r\n"); +- checkContains(response,offset,"HTTP/1.1 400 Bad Request"); ++ checkContains(response,offset,"HTTP/1.1 400"); + } + catch (Exception e) + { diff --git a/CVE-2022-2048.patch b/CVE-2022-2048.patch new file mode 100644 index 0000000..42fbca2 --- /dev/null +++ b/CVE-2022-2048.patch @@ -0,0 +1,47 @@ +From: Markus Koschany +Date: Wed, 17 Aug 2022 12:59:00 +0200 +Subject: CVE-2022-2048 + +Origin: https://github.com/eclipse/jetty.project/issues/7935 +--- + .../jetty/http2/server/HttpChannelOverHTTP2.java | 12 +- + .../org/eclipse/jetty/http2/server/BadURITest.java | 153 +++++++++++++++++++++ + 2 files changed, 157 insertions(+), 8 deletions(-) + create mode 100644 jetty-http2/http2-server/src/test/java/org/eclipse/jetty/http2/server/BadURITest.java + +diff --git a/jetty-http2/http2-server/src/main/java/org/eclipse/jetty/http2/server/HttpChannelOverHTTP2.java b/jetty-http2/http2-server/src/main/java/org/eclipse/jetty/http2/server/HttpChannelOverHTTP2.java +index 03b082e..3548497 100644 +--- a/jetty-http2/http2-server/src/main/java/org/eclipse/jetty/http2/server/HttpChannelOverHTTP2.java ++++ b/jetty-http2/http2-server/src/main/java/org/eclipse/jetty/http2/server/HttpChannelOverHTTP2.java +@@ -143,13 +143,11 @@ public class HttpChannelOverHTTP2 extends HttpChannel implements Closeable, Writ + } + catch (BadMessageException x) + { +- onBadMessage(x); +- return null; ++ return () -> onBadMessage(x); + } + catch (Throwable x) + { +- onBadMessage(new BadMessageException(HttpStatus.INTERNAL_SERVER_ERROR_500, null, x)); +- return null; ++ return () -> onBadMessage(new BadMessageException(HttpStatus.INTERNAL_SERVER_ERROR_500, null, x)); + } + } + +@@ -175,13 +173,11 @@ public class HttpChannelOverHTTP2 extends HttpChannel implements Closeable, Writ + } + catch (BadMessageException x) + { +- onBadMessage(x); +- return null; ++ return () -> onBadMessage(x); + } + catch (Throwable x) + { +- onBadMessage(new BadMessageException(HttpStatus.INTERNAL_SERVER_ERROR_500, null, x)); +- return null; ++ return () -> onBadMessage(new BadMessageException(HttpStatus.INTERNAL_SERVER_ERROR_500, null, x)); + } + } + diff --git a/jetty.spec b/jetty.spec index 3470520..fd46985 100644 --- a/jetty.spec +++ b/jetty.spec @@ -12,7 +12,7 @@ %bcond_with jp_minimal Name: jetty Version: 9.4.16 -Release: 2 +Release: 3 Summary: Java Webserver and Servlet Container License: ASL 2.0 or EPL-1.0 or EPL-2.0 URL: http://www.eclipse.org/jetty/ @@ -26,6 +26,8 @@ Patch1: CVE-2020-27223.patch Patch2: CVE-2021-28165.patch Patch3: CVE-2021-28169.patch Patch4: CVE-2021-34428.patch +Patch5: CVE-2022-2047.patch +Patch6: CVE-2022-2048.patch BuildRequires: maven-local mvn(javax.servlet:javax.servlet-api) BuildRequires: mvn(org.apache.felix:maven-bundle-plugin) @@ -786,6 +788,9 @@ exit 0 %license LICENSE NOTICE.txt LICENSE-MIT %changelog +* Wed Dec 28 2022 jiangpeng - 9.4.16-3 +- Fix CVE-2022-2047 and CVE-2022-2048 + * Mon Oct 24 2022 yaoxin - 9.4.16-2 - fix selfbuild error -- Gitee