author | Miroslav Šulc <fordfrog@gentoo.org> | 2016-05-19 21:58:16 +0200 |
---|---|---|
committer | Miroslav Šulc <fordfrog@gentoo.org> | 2016-05-19 21:58:35 +0200 |
commit | a7b38fffb499e7639620acd866ba5a249a3c6497 (patch) | |
tree | 6f8ffbb600aedc178bc42e8fee30f855164cd998 /www-servers | |
parent | sys-apps/pciutils: Removed old. (diff) | |
www-servers/tomcat: backported patch from M7 which fixes NPE in StandardJarScanner.processManifest()
Package-Manager: portage-2.3.0_rc1
Diffstat (limited to 'www-servers')
-rw-r--r-- | www-servers/tomcat/files/tomcat-9.0.0_alpha6-processmanifest.patch | 76 | ||||
-rw-r--r-- | www-servers/tomcat/tomcat-9.0.0_alpha6-r1.ebuild (renamed from www-servers/tomcat/tomcat-9.0.0_alpha6.ebuild) | 2 |
2 files changed, 77 insertions, 1 deletions
diff --git a/www-servers/tomcat/files/tomcat-9.0.0_alpha6-processmanifest.patch b/www-servers/tomcat/files/tomcat-9.0.0_alpha6-processmanifest.patch
new file mode 100644
index 000000000000..fa38d5d27b39
--- /dev/null
+++ b/www-servers/tomcat/files/tomcat-9.0.0_alpha6-processmanifest.patch
@@ -0,0 +1,76 @@
+--- tomcat/trunk/java/org/apache/tomcat/util/scan/StandardJarScanner.java 2016/05/04 11:07:55 1742251
++++ tomcat/trunk/java/org/apache/tomcat/util/scan/StandardJarScanner.java 2016/05/17 07:18:38 1744194
+@@ -370,40 +370,42 @@
+ }
+
+ Manifest manifest = jar.getManifest();
+- Attributes attributes = manifest.getMainAttributes();
+- String classPathAttribute = attributes.getValue("Class-Path");
+- if (classPathAttribute == null) {
+- return;
+- }
+- String[] classPathEntries = classPathAttribute.split(" ");
+- for (String classPathEntry : classPathEntries) {
+- classPathEntry = classPathEntry.trim();
+- if (classPathEntry.length() == 0) {
+- continue;
++ if (manifest != null) {
++ Attributes attributes = manifest.getMainAttributes();
++ String classPathAttribute = attributes.getValue("Class-Path");
++ if (classPathAttribute == null) {
++ return;
+ }
+- URL jarURL = jar.getJarFileURL();
+- URI jarURI;
+- try {
+- jarURI = jarURL.toURI();
+- } catch (URISyntaxException e) {
+- if (log.isDebugEnabled()) {
+- log.debug(sm.getString("jarScan.invalidUri", jarURL));
++ String[] classPathEntries = classPathAttribute.split(" ");
++ for (String classPathEntry : classPathEntries) {
++ classPathEntry = classPathEntry.trim();
++ if (classPathEntry.length() == 0) {
++ continue;
++ }
++ URL jarURL = jar.getJarFileURL();
++ URI jarURI;
++ try {
++ jarURI = jarURL.toURI();
++ } catch (URISyntaxException e) {
++ if (log.isDebugEnabled()) {
++ log.debug(sm.getString("jarScan.invalidUri", jarURL));
++ }
++ continue;
+ }
+- continue;
++ /*
++ * Note: Resolving the relative URLs from the manifest has the
++ * potential to introduce security concerns. However, since
++ * only JARs provided by the container and NOT those provided
++ * by web applications are processed, there should be no
++ * issues.
++ * If this feature is ever extended to include JARs provided
++ * by web applications, checks should be added to ensure that
++ * any relative URL does not step outside the web application.
++ */
++ URI classPathEntryURI = jarURI.resolve(classPathEntry);
++ URL classPathEntryURL = classPathEntryURI.toURL();
++ classPathUrlsToProcess.add(classPathEntryURL);
+ }
+- /*
+- * Note: Resolving the relative URLs from the manifest has the
+- * potential to introduce security concerns. However, since
+- * only JARs provided by the container and NOT those provided
+- * by web applications are processed, there should be no
+- * issues.
+- * If this feature is ever extended to include JARs provided
+- * by web applications, checks should be added to ensure that
+- * any relative URL does not step outside the web application.
+- */
+- URI classPathEntryURI = jarURI.resolve(classPathEntry);
+- URL classPathEntryURL = classPathEntryURI.toURL();
+- classPathUrlsToProcess.add(classPathEntryURL);
+ }
+ }
+
diff --git a/www-servers/tomcat/tomcat-9.0.0_alpha6.ebuild b/www-servers/tomcat/tomcat-9.0.0_alpha6-r1.ebuild
index 438086b53a8a..21e76fb21acf 100644
--- a/www-servers/tomcat/tomcat-9.0.0_alpha6.ebuild
+++ b/www-servers/tomcat/tomcat-9.0.0_alpha6-r1.ebuild
@@ -52,7 +52,7 @@ java_prepare() {
 # Remove bundled servlet-api
 rm -rv java/javax/{el,servlet} || die
- epatch "${FILESDIR}/${P}-build.xml.patch"
+ epatch "${FILESDIR}/${P}-build.xml.patch" "${FILESDIR}/${P}-processmanifest.patch"
 # For use of catalina.sh in netbeans
 sed -i -e "/^# ----- Execute The Requested Command/ a\ |
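Review bot: A malformed `Class-Path` entry can still escape this loop as an unchecked exception: `jarURI.resolve(classPathEntry)` throws `IllegalArgumentException` when the entry is not a valid URI reference, and the only handler in the hunk covers `URISyntaxException` from `jarURL.toURI()`. Since the patch exists to stop one bad manifest from aborting the scan with an NPE, the resolve step should get the same skip-and-log treatment, as sketched below. The in-code comment also rests the safety of resolving relative URLs on only container-provided JARs reaching this method; that restriction would have to be enforced by the caller, which is outside the hunk, so it is worth confirming there. The enclosing method starts above the hunk.

```java
// … unchanged: manifest null check, Class-Path lookup, jarURL.toURI() handling …
URI classPathEntryURI;
try {
    classPathEntryURI = jarURI.resolve(classPathEntry);
} catch (IllegalArgumentException e) {
    // Entry is not a valid URI reference: skip it instead of aborting the scan
    if (log.isDebugEnabled()) {
        log.debug(sm.getString("jarScan.invalidUri", classPathEntry), e);
    }
    continue;
}
URL classPathEntryURL = classPathEntryURI.toURL();
// … unchanged: classPathUrlsToProcess.add(classPathEntryURL) …
```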