From d6213c255dd391fbe07a9fe00ffaf76014bfbfac Mon Sep 17 00:00:00 2001 From: Cesar Hernandez Date: Tue, 28 Jun 2022 15:00:32 -0600 Subject: [PATCH 1/3] Updated to Java 7 update 342 --- .github/workflows/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index f5a138fd9582..947b403b340c 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -41,7 +41,7 @@ jobs: run: unzip -qq tomcat6-build-libs-.zip -d /home/runner/ - name: replace java.7.home - run: sed -i.bak 's:.*java.7.home.*:java.7.home=/opt/hostedtoolcache/jdk/7.0.332/x64:' build.properties.default + run: sed -i.bak 's:.*java.7.home.*:java.7.home=/opt/hostedtoolcache/jdk/7.0.342/x64:' build.properties.default - name: ant_build run: ant From 6617b766c578b21298479e621616826b03d0a356 Mon Sep 17 00:00:00 2001 From: Mark Thomas Date: Thu, 23 Jun 2022 10:26:41 +0100 Subject: [PATCH 2/3] Fix CVE-2022-34305 XSS in the examples web application --- webapps/docs/changelog.xml | 4 ++++ webapps/examples/jsp/security/protected/index.jsp | 5 ++++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index e246921e7c81..15521b72fa56 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -145,6 +145,10 @@ 65235: Correct name of changeLocalName in the documentation for the RemoteIpValve. (markt) + + Examples. Fix CVE-2022-34305, a low severity XSS vulnerability in the + Form authentication example. (markt) + diff --git a/webapps/examples/jsp/security/protected/index.jsp b/webapps/examples/jsp/security/protected/index.jsp index 31122eb361fd..148f22b1a338 100644 --- a/webapps/examples/jsp/security/protected/index.jsp +++ b/webapps/examples/jsp/security/protected/index.jsp 
@@ -95,7 +95,10 @@ To add some data to the authenticated session, enter it here: while (names.hasMoreElements()) { String name = names.nextElement(); %> -<%= name %><%= session.getAttribute(name) %> + + <%= util.HTMLFilter.filter(name) %> + <%= util.HTMLFilter.filter(String.valueOf(session.getAttribute(name))) %> + <% } %> From f76f1481b920b1f910e0dba3b4f9dc93a127aba5 Mon Sep 17 00:00:00 2001 From: Cesar Hernandez Date: Tue, 28 Jun 2022 15:03:04 -0600 Subject: [PATCH 3/3] Prepare for release 7.0.109-TT.3 --- build.properties.default | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build.properties.default b/build.properties.default index de440cc4f53a..c6ab3daf7981 100644 --- a/build.properties.default +++ b/build.properties.default @@ -27,7 +27,7 @@ version.major=7 version.minor=0 version.build=109 version.patch=0 -version.suffix=-TT.2 +version.suffix=-TT.3 # ----- Source control flags ----- git.branch=7.0.x
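Review bot: The two filtered expressions in the session-attribute loop have no comment explaining why they are escaped, which makes the fix easy to undo in a later cleanup. The hunk header shows that the names and values come from the "add some data to the authenticated session" form, so I would put `<%-- Attribute names and values are user-supplied; HTML-escape them before writing into the table --%>` directly above them. `util.HTMLFilter.filter` fits the element-content context used here, but as far as I know it escapes only `<`, `>`, `&` and `"`, so the comment should also say it is not a drop-in encoder for single-quoted attributes or script contexts. `String.valueOf(...)` prints the literal text `null` if an attribute is removed between enumeration and lookup, which is harmless but may surprise a reader. `names` is obtained outside the hunk, so whether other `<%= ... %>` expressions in this page need the same treatment cannot be judged from here.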