From a0841985b4c6c82688e5ee3ee91ca71a98c7b0e1 Mon Sep 17 00:00:00 2001
From: wk333 <13474090681@163.com>
Date: Thu, 28 Oct 2021 15:14:24 +0800
Subject: [PATCH] fix CVE-2019-3888
(cherry picked from commit eb08a2a33edb37b781d72efc0e850c0645da8bd6)
---
 CVE-2019-3888.patch | 22 ++++++++++++++++++++++
 undertow.spec | 7 ++++++-
 2 files changed, 28 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2019-3888.patch
diff --git a/CVE-2019-3888.patch b/CVE-2019-3888.patch
new file mode 100644
index 0000000..cef7214
--- /dev/null
+++ b/CVE-2019-3888.patch
@@ -0,0 +1,22 @@
+From ac72df4e61b73d205c6cc5ad08226fa4c889ccc2 Mon Sep 17 00:00:00 2001
+From: Michael Bolz
+Date: Tue, 1 Oct 2019 06:45:17 +0200
+Subject: [PATCH] [UNDERTOW-1515] HttpServerExchange.toString does not include
+ headers
+
+---
+ core/src/main/java/io/undertow/server/HttpServerExchange.java | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/core/src/main/java/io/undertow/server/HttpServerExchange.java b/core/src/main/java/io/undertow/server/HttpServerExchange.java
+index d933eb7811..a2763ed6ab 100644
+--- a/core/src/main/java/io/undertow/server/HttpServerExchange.java
++++ b/core/src/main/java/io/undertow/server/HttpServerExchange.java
+@@ -2443,6 +2443,6 @@ public T create() {
+
+ @Override
+ public String toString() {
+- return "HttpServerExchange{ " + getRequestMethod().toString() + " " + getRequestURI() + " request " + requestHeaders + " response " + responseHeaders + '}';
++ return "HttpServerExchange{ " + getRequestMethod().toString() + " " + getRequestURI() + '}';
+ }
+ }
diff --git a/undertow.spec b/undertow.spec
index 06d8b22..daa0fe6 100644
--- a/undertow.spec
+++ b/undertow.spec
@@ -2,7 +2,7 @@
 %global namedversion %{version}%{?namedreltag}
 Name: undertow
 Version: 1.4.0
-Release: 2
+Release: 3
 Summary: Java web server using non-blocking IO
 License: ASL 2.0
 URL: http://undertow.io/
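Review bot: The rewritten `toString()` in the embedded HttpServerExchange.java hunk has no comment explaining why the header maps were dropped, so a later debugging change could re-add `requestHeaders`/`responseHeaders` and reopen the exposure. Presumably the CVE concerns header values such as credentials or session cookies reaching logs whenever an exchange is stringified; the patch itself only says "does not include headers". I would add above the return `// Headers are deliberately omitted: they may carry credentials and this string is written to logs.` The change covers only implicit stringification of the exchange; call sites that log the header maps directly are not visible in this hunk and would need their own check.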
@@ -10,6 +10,7 @@ Source0: https://github.com/undertow-io/undertow/archive/%{namedvers
 # Remove unavailable methods in jetty-alpn-api-1.1.0
 Patch0: undertow-1.4.0-jetty-alpn-api-1.1.0.patch
 Patch1: CVE-2020-10705.patch
+Patch2: CVE-2019-3888.patch
 BuildArch: noarch
 Epoch: 1
 BuildRequires: maven-local mvn(junit:junit) mvn(org.eclipse.jetty.alpn:alpn-api)
@@ -34,6 +35,7 @@ This package contains the API documentation for %{name}.
 %setup -q -n %{name}-%{namedversion}
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
 rm -rf mac-jdk-fix
 %pom_disable_module examples
 %pom_remove_plugin -r :maven-checkstyle-plugin
@@ -62,6 +64,9 @@ done
 %license LICENSE.txt
 %changelog
+* Wed Oct 28 2021 wangkai - 1.4.0-3
+- Fix CVE-2019-3888
+
 * Wed Oct 27 2021 houyingchao - 1.4.0-2
 - Fix CVE-2020-10705
-- 
Gitee
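Review bot: `Patch2: CVE-2019-3888.patch` is registered without a provenance comment, so the link between the CVE id and the upstream change is recorded only inside the patch file. I would add `# CVE-2019-3888: upstream UNDERTOW-1515, commit ac72df4e61b73d205c6cc5ad08226fa4c889ccc2` above it, in the style of the comment that precedes Patch0. Separately, the new %changelog entry reads `* Wed Oct 28 2021` while the commit header gives Thu, 28 Oct 2021; rpmbuild flags a mismatched weekday as a bogus date, so the line should be `* Thu Oct 28 2021 wangkai - 1.4.0-3`.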