Merged CVE-2007-450 warning logging from Jason Pyeron (issue 126)
authorJason Pyeron <jpyeron@pdinc.us>
Thu, 6 Sep 2012 21:35:20 +0000 (17:35 -0400)
committerJames Moger <james.moger@gitblit.com>
Thu, 6 Sep 2012 21:35:20 +0000 (17:35 -0400)
docs/04_releases.mkd
src/com/gitblit/GitBlit.java
src/com/gitblit/utils/ContainerUtils.java [new file with mode: 0755]

index 155fc3bd73f157eb4302f7fd57e9ae3ea676ad3b..c6fc1b73dd89f08bc44c89c80127f2fa81871eff 100644 (file)
@@ -11,6 +11,7 @@ If you are updating from an earlier release AND you have indexed branches with t
 \r
 #### changes\r
 \r
+- Emit a warning in the log file if running on a Tomcat-based servlet container which is unfriendly to %2F forward-slash url encoding AND Gitblit is configured to mount parameters with %2F forward-slash url encoding (Github/jpyeron, issue 126)\r
 - LDAP admin attribute setting is now consistent with LDAP teams setting and admin teams list.  \r
 If *realm.ldap.maintainTeams==true* **AND** *realm.ldap.admins* is not empty, then User.canAdmin() is controlled by LDAP administrative team membership.  Otherwise, User.canAdmin() is controlled by Gitblit.\r
 \r
index f8fbfefd14a107040ed55b82b30dcc1fb336c539..e6effc20a673591108a42a313e935f8e1b077151 100644 (file)
@@ -88,6 +88,7 @@ import com.gitblit.models.TeamModel;
 import com.gitblit.models.UserModel;\r
 import com.gitblit.utils.ArrayUtils;\r
 import com.gitblit.utils.ByteFormat;\r
+import com.gitblit.utils.ContainerUtils;\r
 import com.gitblit.utils.DeepCopier;\r
 import com.gitblit.utils.FederationUtils;\r
 import com.gitblit.utils.JGitUtils;\r
@@ -2214,6 +2215,8 @@ public class GitBlit implements ServletContextListener {
                } catch (IllegalArgumentException e) {\r
                        logger.error("Failed to configure JGit parameters!", e);\r
                }\r
+\r
+               ContainerUtils.CVE_2007_0450.test();\r
        }\r
        \r
        private void logTimezone(String type, TimeZone zone) {\r
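Review bot: The new `ContainerUtils.CVE_2007_0450.test();` call is dropped in at the end of this method with nothing saying why a servlet-container probe belongs at this point of startup, and the method begins outside the hunk. A one-line comment above it would help the next maintainer, e.g. `// Warn at startup if the servlet container rejects %2F in URLs (CVE-2007-0450); no-op under Gitblit GO.` Placing it outside the preceding JGit try/catch is fine as far as the new ContainerUtils file shows, since test() catches Throwable internally.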
diff --git a/src/com/gitblit/utils/ContainerUtils.java b/src/com/gitblit/utils/ContainerUtils.java
new file mode 100755 (executable)
index 0000000..39ba6e0
--- /dev/null
@@ -0,0 +1,135 @@
+/*\r
+ * Copyright 2012 PD Inc / gitblit.com.\r
+ *\r
+ * Licensed under the Apache License, Version 2.0 (the "License");\r
+ * you may not use this file except in compliance with the License.\r
+ * You may obtain a copy of the License at\r
+ *\r
+ *     http://www.apache.org/licenses/LICENSE-2.0\r
+ *\r
+ * Unless required by applicable law or agreed to in writing, software\r
+ * distributed under the License is distributed on an "AS IS" BASIS,\r
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
+ * See the License for the specific language governing permissions and\r
+ * limitations under the License.\r
+ */\r
+package com.gitblit.utils;\r
+\r
+import java.io.CharConversionException;\r
+import java.lang.reflect.InvocationTargetException;\r
+import java.lang.reflect.Method;\r
+\r
+import org.slf4j.Logger;\r
+import org.slf4j.LoggerFactory;\r
+\r
+import com.gitblit.GitBlit;\r
+import com.gitblit.Keys;\r
+\r
+/**\r
+ * This is the support class for all container specific code.\r
+ * \r
+ * @author jpyeron\r
+ */\r
+public class ContainerUtils\r
+{\r
+    private static Logger LOGGER = LoggerFactory.getLogger(ContainerUtils.class);\r
+\r
+    /**\r
+     * The support class for managing and evaluating the environment with\r
+     * regards to CVE-2007-0405.\r
+     * \r
+     * @see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450\r
+     * @author jpyeron\r
+     */\r
+    public static class CVE_2007_0450\r
+    {\r
+        /**\r
+         * This method will test for know issues in certain containers where %2F\r
+         * is blocked from use in URLs. It will emit a warning to the logger if\r
+         * the configuration of Tomcat causes the URL processing to fail on %2F.\r
+         */\r
+        public static void test()\r
+        {\r
+            if (GitBlit.getBoolean(Keys.web.mountParameters, true)\r
+                    && ((GitBlit.getChar(Keys.web.forwardSlashCharacter, '/')) == '/' || (GitBlit.getChar(\r
+                            Keys.web.forwardSlashCharacter, '/')) == '\\'))\r
+            {\r
+                try\r
+                {\r
+                    if (GitBlit.isGO())\r
+                        ;\r
+                    else if (logCVE_2007_0450Tomcat())\r
+                        ;\r
+                    // else if (logCVE_2007_0450xxx());\r
+                    else\r
+                    {\r
+                        LOGGER.info("Unknown container, cannot check for CVE-2007-0450 aplicability");\r
+                    }\r
+                }\r
+                catch (Throwable t)\r
+                {\r
+                    LOGGER.warn("Failure in checking for CVE-2007-0450 aplicability", t);\r
+                }\r
+            }\r
+\r
+        }\r
+\r
+        /**\r
+         * This method will test for know issues in certain versions of Tomcat,\r
+         * JBOSS, glassfish, and other embedded uses of Tomcat where %2F is\r
+         * blocked from use in certain URL s. It will emit a warning to the\r
+         * logger if the configuration of Tomcat causes the URL processing to\r
+         * fail on %2F.\r
+         * \r
+         * @return true if it recognizes Tomcat, false if it does not recognize\r
+         *         Tomcat\r
+         */\r
+        private static boolean logCVE_2007_0450Tomcat()\r
+        {\r
+            try\r
+            {\r
+                byte[] test = "http://server.domain:8080/context/servlet/param%2fparam".getBytes();\r
+\r
+                // ByteChunk mb=new ByteChunk();\r
+                Class<?> cByteChunk = Class.forName("org.apache.tomcat.util.buf.ByteChunk");\r
+                Object mb = cByteChunk.newInstance();\r
+\r
+                // mb.setBytes(test, 0, test.length);\r
+                Method mByteChunck_setBytes = cByteChunk.getMethod("setBytes", byte[].class, int.class, int.class);\r
+                mByteChunck_setBytes.invoke(mb, test, (int) 0, test.length);\r
+\r
+                // UDecoder ud=new UDecoder();\r
+                Class<?> cUDecoder = Class.forName("org.apache.tomcat.util.buf.UDecoder");\r
+                Object ud = cUDecoder.newInstance();\r
+\r
+                // ud.convert(mb,false);\r
+                Method mUDecoder_convert = cUDecoder.getMethod("convert", cByteChunk, boolean.class);\r
+\r
+                try\r
+                {\r
+                    mUDecoder_convert.invoke(ud, mb, false);\r
+                }\r
+                catch (InvocationTargetException e)\r
+                {\r
+                    if (e.getTargetException() != null && e.getTargetException() instanceof CharConversionException)\r
+                    {\r
+                        LOGGER.warn("You are using a Tomcat based system and the current settings regarding CVE-2007-0450 will prevent certain fetures from working. Please see http://gitblit.com/faq.html and http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450");\r
+                        return true;\r
+                    }\r
+                    throw e;\r
+                }\r
+            }\r
+            catch (Throwable t)\r
+            {\r
+                // The apache url decoder internals are different, this is not a\r
+                // Tomcat matching the failure pattern for CVE-2007-0450\r
+                if (t instanceof ClassNotFoundException || t instanceof NoSuchMethodException\r
+                        || t instanceof IllegalArgumentException)\r
+                    return false;\r
+                LOGGER.debug("This is a tomcat, but the test operation failed somehow", t);\r
+            }\r
+            return true;\r
+        }\r
+    }\r
+\r
+}\r
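Review bot: In `logCVE_2007_0450Tomcat()` the generic `catch (Throwable t)` branch logs only at debug and then falls through to `return true`, so on a real Tomcat any reflective failure other than the three listed exception types (for example an `IllegalAccessException` or `InstantiationException` from `newInstance()`) silently suppresses the very warning this class exists to emit, and the operator sees neither the CVE-2007-0450 warning nor the "Unknown container" message. Suggest raising that line to `LOGGER.warn("Tomcat detected but the CVE-2007-0450 check could not complete", t);` so an inconclusive probe is visible rather than indistinguishable from a clean pass. Separately, `test()` gates on `forwardSlashCharacter` being '/' or '\\', yet the probe string at `byte[] test = "...param%2fparam".getBytes();` only carries `%2f`; if the backslash branch is meant to cover encoded backslashes, add a `%5c` probe or document why `%2f` suffices. Minor: the class Javadoc cites CVE-2007-0405 where the rest of the file uses CVE-2007-0450, the empty `if (...) ;` statements in `test()` read more clearly as `if (!GitBlit.isGO() && !logCVE_2007_0450Tomcat()) { LOGGER.info("Unknown container, cannot check for CVE-2007-0450 applicability"); }`, and the log messages misspell "applicability" and "features".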