fix CVE-2020-10688

2021-06-10 09:59:00 +08:00 · 2021-06-10 09:59:00 +08:00 · 65b889fd98
commit 65b889fd98
parent 1eeb9b531f
3 changed files with 134 additions and 1 deletions
--- a/CVE-2020-10688-1.patch
+++ b/CVE-2020-10688-1.patch
@ -0,0 +1,97 @@
+From 7dcc7b2e7938433b8edea3ce9ada867532beb236 Mon Sep 17 00:00:00 2001
+From: wang_yue111 <648774160@qq.com>
+Date: Wed, 9 Jun 2021 17:25:36 +0800
+Subject: [PATCH] 2
+
+---
+ .../core/StringParameterInjector.java         | 23 ++++++++++++++-----
+ 1 file changed, 17 insertions(+), 6 deletions(-)
+
+diff --git a/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/core/StringParameterInjector.java b/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/core/StringParameterInjector.java
+index b7178f6..537ae0d 100755
+--- a/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/core/StringParameterInjector.java
+++ b/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/core/StringParameterInjector.java
+@@ -15,6 +15,7 @@ import javax.ws.rs.WebApplicationException;
+ import javax.ws.rs.ext.ParamConverter;
+ import javax.ws.rs.ext.RuntimeDelegate;
+ 
+import java.io.UnsupportedEncodingException;
+ import java.lang.annotation.Annotation;
+ import java.lang.reflect.AccessibleObject;
+ import java.lang.reflect.Array;
+@@ -24,6 +25,8 @@ import java.lang.reflect.Method;
+ import java.lang.reflect.Modifier;
+ import java.lang.reflect.ParameterizedType;
+ import java.lang.reflect.Type;
+import java.net.URLEncoder;
+import java.nio.charset.StandardCharsets;
+ import java.util.ArrayList;
+ import java.util.Collection;
+ import java.util.Collections;
+@@ -298,7 +301,7 @@ public class StringParameterInjector
+       catch (Exception e)
+       {
+          LogMessages.LOGGER.unableToExtractParameter(e, getParamSignature(), strVal, target);
+-         throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal), e);
+         throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), _encode(strVal)), e);
+       }
+       if (paramConverter != null)
+       {
+@@ -325,12 +328,12 @@ public class StringParameterInjector
+          catch (InstantiationException e)
+          {
+             LogMessages.LOGGER.unableToExtractParameter(e, getParamSignature(), strVal, target);
+-            throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal), e);
+            throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), _encode(strVal)), e);
+          }
+          catch (IllegalAccessException e)
+          {
+             LogMessages.LOGGER.unableToExtractParameter(e, getParamSignature(), strVal, target);
+-            throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal), e);  
+            throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), _encode(strVal)), e);  
+          }
+          catch (InvocationTargetException e)
+          {
+@@ -340,7 +343,7 @@ public class StringParameterInjector
+                throw ((WebApplicationException)targetException);
+             }
+             LogMessages.LOGGER.unableToExtractParameter(targetException, getParamSignature(), strVal, target);
+-            throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal), targetException);
+            throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), _encode(strVal)), targetException);
+          }
+       }
+       else if (valueOf != null)
+@@ -352,7 +355,7 @@ public class StringParameterInjector
+          catch (IllegalAccessException e)
+          {
+             LogMessages.LOGGER.unableToExtractParameter(e, getParamSignature(), strVal, target);
+-            throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal), e);
+            throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), _encode(strVal)), e);
+          }
+          catch (InvocationTargetException e)
+          {
+@@ -362,12 +365,20 @@ public class StringParameterInjector
+                throw ((WebApplicationException)targetException);
+             }
+             LogMessages.LOGGER.unableToExtractParameter(targetException, getParamSignature(), strVal, target);
+-            throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal), targetException);
+            throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), _encode(strVal)), targetException);
+          }
+       }
+       return null;
+    }
+ 
+   private String _encode(String strVal) {
+      try {
+         return URLEncoder.encode(strVal, StandardCharsets.UTF_8.toString());
+      } catch (UnsupportedEncodingException e) {
+	 return e.getMessage();
+      }
+   }
+
+    protected void throwProcessingException(String message, Throwable cause)
+    {
+       throw new BadRequestException(message, cause);
+-- 
+2.23.0
+
--- a/CVE-2020-10688-2.patch
+++ b/CVE-2020-10688-2.patch
@ -0,0 +1,28 @@
+From c6aac87508a99b0e5514da687abdb1ba246f3839 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=E9=98=BF=E7=94=B7?= <l.weinan@gmail.com>
+Date: Thu, 12 Mar 2020 12:13:17 +0800
+Subject: [PATCH] update
+
+---
+ .../java/org/jboss/resteasy/core/StringParameterInjector.java | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/core/StringParameterInjector.java b/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/core/StringParameterInjector.java
+index 537ae0d..fbfd5d4 100755
+--- a/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/core/StringParameterInjector.java
+++ b/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/core/StringParameterInjector.java
+@@ -373,9 +373,9 @@ public class StringParameterInjector
+ 
+    private String _encode(String strVal) {
+       try {
+-         return URLEncoder.encode(strVal, StandardCharsets.UTF_8.toString());
+         return URLEncoder.encode(strVal, StandardCharsets.UTF_8.name());
+       } catch (UnsupportedEncodingException e) {
+-	 return e.getMessage();
+        throw new RuntimeException(e);
+       }
+    }
+ 
+-- 
+2.23.0
+
--- a/resteasy.spec
+++ b/resteasy.spec
@ -2,7 +2,7 @@
 %global namedversion %{version}%{namedreltag}
 Name:                resteasy
 Version:             3.0.19
-Release:             3
+Release:             4
 Summary:             Framework for RESTful Web services and Java applications
 License:             ASL 2.0 and CDDL
 URL:                 https://github.com/resteasy/Resteasy/
@ -11,6 +11,9 @@ Patch0:              resteasy-3.0.19-Mime4j-0.7.2-support.patch
 Patch1:              resteasy-3.0.19-port-resteasy-netty-to-netty-3.10.6.patch
 Patch2:              CVE-2016-9606.patch
 Patch3:              CVE-2021-20289.patch
+Patch4:              CVE-2020-10688-1.patch
+Patch5:              CVE-2020-10688-2.patch
+
 BuildArch:           noarch
 BuildRequires:       maven-local mvn(com.beust:jcommander) mvn(com.fasterxml:classmate)
 BuildRequires:       mvn(com.fasterxml.jackson.core:jackson-annotations)
@ -198,6 +201,8 @@ find -name '*.jar' -print -delete
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
+%patch4 -p1
+%patch5 -p1
 %pom_disable_module resteasy-spring jaxrs
 %pom_disable_module fastinfoset jaxrs/providers
 %pom_disable_module examples jaxrs
@ -332,6 +337,9 @@ done
 %license jaxrs/License.html

 %changelog
+* Thu Jun 10 2021 wangyue <wangyue92@huawei.com> - 3.0.19-4
+- fix CVE-2020-10688
+
 * Thu Apr 22 2021 lingsheng <lingsheng@huawei.com> - 3.0.19-3
 - fix CVE-2021-20289