Fix CVE-2020-10775

CVE-2020-10775.patch

@@ -0,0 +1,91 @@
+diff -Naru a/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/servlet/SsoPostLoginServlet.java b/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/servlet/SsoPostLoginServlet.java
+--- a/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/servlet/SsoPostLoginServlet.java	2020-11-19 01:15:47.000000000 +0800
++++ b/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/servlet/SsoPostLoginServlet.java	2022-06-06 10:28:53.426920000 +0800
+@@ -8,6 +8,7 @@
+ 
+ import javax.naming.InitialContext;
+ import javax.naming.NamingException;
++import javax.servlet.ServletException;
+ import javax.servlet.http.HttpServlet;
+ import javax.servlet.http.HttpServletRequest;
+ import javax.servlet.http.HttpServletResponse;
+@@ -41,7 +42,7 @@
+     }
+ 
+     @Override
+-    public void init() {
++    public void init() throws ServletException {
+         String strVal = getServletConfig().getInitParameter("login-as-admin");
+         if (strVal == null) {
+             throw new RuntimeException("No login-as-admin init parameter specified for SsoPostLoginServlet.");
+diff -Naru a/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/SsoUtils.java b/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/SsoUtils.java
+--- a/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/SsoUtils.java	2020-11-19 01:15:47.000000000 +0800
++++ b/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/SsoUtils.java	2022-06-06 10:27:53.774598000 +0800
+@@ -135,7 +135,6 @@
+         if (StringUtils.isNotBlank(alternateFqdnString)) {
+             Arrays.stream(alternateFqdnString.trim().split("\\s *"))
+                     .filter(StringUtils::isNotBlank)
+-                    .map(String::toLowerCase)
+                     .forEach(allowedDomains::add);
+         }
+ 
+@@ -144,7 +143,7 @@
+ 
+     private static String parseHostFromUrl(String url, String urlPropertyName) {
+         try {
+-            return new URI(url).getHost().toLowerCase();
++            return new URI(url).getHost();
+         } catch (URISyntaxException e) {
+             throw new IllegalStateException(urlPropertyName + " not a valid URI: " + url);
+         }
+diff -Naru a/backend/manager/modules/aaa/src/test/java/org/ovirt/engine/core/aaa/SsoUtilsTest.java b/backend/manager/modules/aaa/src/test/java/org/ovirt/engine/core/aaa/SsoUtilsTest.java
+--- a/backend/manager/modules/aaa/src/test/java/org/ovirt/engine/core/aaa/SsoUtilsTest.java	2020-11-19 01:15:47.000000000 +0800
++++ b/backend/manager/modules/aaa/src/test/java/org/ovirt/engine/core/aaa/SsoUtilsTest.java	2022-06-06 10:26:52.261144000 +0800
+@@ -38,23 +38,6 @@
+     }
+ 
+     @Test
+-    public void shouldMatchAppUrlDomainOnAlternateSSOEngineUrlRegardlessUpperCase() {
+-        // given
+-        EngineLocalConfig.getInstance(new HashMap<>() {
+-            {
+-                put("SSO_ENGINE_URL", "https://engine.example.com:8221/ovirt-engine");
+-                put("SSO_ALTERNATE_ENGINE_FQDNS", "engine1.example.com ALTERNATE-engine.example.com");
+-            }
+-        });
+-
+-        // when
+-        boolean valid = SsoUtils.isDomainValid("https://alternate-engine.EXAMPLE.com:20001/somerest/api_v9");
+-
+-        // then
+-        Assertions.assertTrue(valid);
+-    }
+-
+-    @Test
+     public void shouldAllowBlankAppUrl() {
+         // given
+         EngineLocalConfig.getInstance(new HashMap<>() {
+@@ -103,23 +86,6 @@
+ 
+         // then
+         Assertions.assertTrue(valid);
+-    }
+-
+-    @Test
+-    public void shouldMatchAppUrlDomainOnSSOEngineUrlRegardlessUpperCase() {
+-        // given
+-        EngineLocalConfig.getInstance(new HashMap<>() {
+-            {
+-                put("SSO_ENGINE_URL", "https://engine.EXAMPLE.com:30003/ovirt-engine");
+-                put("SSO_ALTERNATE_ENGINE_FQDNS", "alternate-engine.example.com");
+-            }
+-        });
+-
+-        // when
+-        boolean valid = SsoUtils.isDomainValid("https://ENGINE.example.com:20001/somerest/api_v9");
+-
+-        // then
+-        Assertions.assertTrue(valid);
+     }
+ 
+     @Test

ovirt-engine.spec

@@ -176,7 +176,7 @@ getent passwd %1 >/dev/null || useradd -r -u %2 -g %3 -c %5 -s /sbin/nologin -d
 
 Name:		ovirt-engine
 Version:	4.4.4.1
-Release:	3
+Release:	4
 Summary:	Management server for Open Virtualization
 Group:		%{ovirt_product_group}
 License:	Apache 2.0
@@ -196,6 +196,7 @@ Patch3:         0003-add-virt-chipset-support.patch
 Patch4:         0004-fit-cluster-can-not-find-error-under-aarch64-platform.patch
 Patch5:         0005-fix-interface-report-an-error-when-emulatedMachine-is-null.patch
 Patch6:         0007-add-config-item-for-openeuler.patch
+Patch7:         CVE-2020-10775.patch
 BuildArch:	noarch
 
 BuildRequires:	assertj-core >= 2.2.0
@@ -653,6 +654,7 @@ Setup imageio service.
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
+%patch7 -p1
 sed -i '87s/@Test/\/\/@Test/g' backend/manager/modules/vdsbroker/src/test/java/org/ovirt/engine/core/vdsbroker/builder/vminfo/LibvirtVmXmlBuilderTest.java
 sed -i '88s/@MockedConfig/\/\/@MockedConfig/g' backend/manager/modules/vdsbroker/src/test/java/org/ovirt/engine/core/vdsbroker/builder/vminfo/LibvirtVmXmlBuilderTest.java
 sed -i '121s/@Test/\/\/@Test/g' backend/manager/modules/bll/src/test/java/org/ovirt/engine/core/bll/AddClusterCommandTest.java
@@ -1302,6 +1304,9 @@ fi
 %{engine_data}/setup/bin/ovirt-engine-health
 
 %changelog
+* Fri May 27 2022 yanghuan <huan.yang@epro.com.cn> - 4.4.4.1-4
+- Fix CVE-2020-10775
+
 * Tue Nov 16 2021 Ge Wang <wangge20@huawei.com> - 4.4.4.1-3
 - Modify install require version and add confit item for openeuler