debian/control
Source: commons-httpclient
Section: java
Priority: optional
Maintainer: Ubuntu Developers
XSBC-Original-Maintainer: Debian Java Maintainers
Uploaders: Michael Koch , Kumar Appaiah , Varun Hiremath , Torsten Werner , Damien Raude-Morvan
Build-Depends: debhelper (>= 7), cdbs
Build-Depends-Indep: maven-repo-helper, ant, default-jdk, libcommons-codec-java, libcommons-logging-java, junit
Standards-Version: 3.9.1
Vcs-Svn: svn://svn.debian.org/svn/pkg-java/trunk/commons-httpclient
Vcs-Browser: http://svn.debian.org/wsvn/pkg-java/trunk/commons-httpclient
Homepage: http://hc.apache.org/httpclient-3.x

Package: libcommons-httpclient-java
Architecture: all
Suggests: libcommons-httpclient-java-doc
Depends: libcommons-logging-java, libcommons-codec-java, ${misc:Depends}
Description: A Java(TM) library for creating HTTP clients
 The Jakarta Commons HTTPClient library provides an efficient, up-to-date,
 and feature-rich package implementing the client side of the most recent
 HTTP standards and recommendations.

Package: libcommons-httpclient-java-doc
Section: doc
Architecture: all
Depends: ${misc:Depends}
Suggests: libcommons-httpclient-java
Description: Documentation for libcommons-httpclient-java
 The Jakarta Commons HTTPClient library provides an efficient, up-to-date,
 and feature-rich package implementing the client side of the most recent
 HTTP standards and recommendations.
 .
 This package contains the documentation for the Jakarta Commons HTTPClient
 library.

debian/README.source
This package uses quilt to manage all modifications to the upstream source.
Changes are stored in the source package as diffs in debian/patches and
applied during the build.

See /usr/share/doc/quilt/README.source for a detailed explanation.
debian/pom.xml0000664000000000000000000001712311627130153010510 0ustar 4.0.0 commons-httpclient commons-httpclient HttpClient 3.1 The HttpClient component supports the client-side of RFC 1945 (HTTP/1.0) and RFC 2616 (HTTP/1.1) , several related specifications (RFC 2109 (Cookies) , RFC 2617 (HTTP Authentication) , etc.), and provides a framework by which new request types (methods) or HTTP extensions can be created easily. http://jakarta.apache.org/httpcomponents/httpclient-3.x/ http://issues.apache.org/jira/browse/HTTPCLIENT
httpcomponents-dev@jakarta.apache.org
2001 HttpComponents Developer List httpcomponents-dev-subscribe@jakarta.apache.org httpcomponents-dev-unsubscribe@jakarta.apache.org http://mail-archives.apache.org/mod_mbox/jakarta-httpcomponents-dev/ HttpClient User List httpclient-user-subscribe@jakarta.apache.org httpclient-user-unsubscribe@jakarta.apache.org http://mail-archives.apache.org/mod_mbox/jakarta-httpclient-user/ mbecke Michael Becke mbecke -at- apache.org Release Prime Java Developer jsdever Jeff Dever jsdever -at- apache.org Independent consultant 2.0 Release Prime Java Developer dion dIon Gillard dion -at- apache.org Multitask Consulting Java Developer oglueck Ortwin Glueck oglueck -at- apache.org http://www.odi.ch/ Java Developer jericho Sung-Gu jericho -at- apache.org Java Developer olegk Oleg Kalnichevski olegk -at- apache.org Java Developer sullis Sean C. Sullivan sullis -at- apache.org Independent consultant Java Developer adrian Adrian Sutton adrian.sutton -at- ephox.com Intencha Java Developer rwaldhoff Rodney Waldhoff rwaldhoff -at- apache Britannica Java Developer Armando Anton armando.anton -at- newknow.com Sebastian Bazley sebb -at- apache.org Ola Berg Sam Berlin sberlin -at- limepeer.com Mike Bowler Samit Jain jain.samit -at- gmail.com Eric Johnson eric -at- tibco.com Christian Kohlschuetter ck -at- newsclub.de Ryan Lubke Ryan.Lubke -at- Sun.COM Sam Maloney sam.maloney -at- filogix.com Rob Di Marco rdimarco -at- hmsonline.com Juergen Pill Juergen.Pill -at- softwareag.com Mohammad Rezaei mohammad.rezaei -at- gs.com Roland Weber rolandw -at- apache.org Laura Werner laura -at- lwerner.org Mikael Wilstrom mikael.wikstrom -at- it.su.se Apache License http://www.apache.org/licenses/LICENSE-2.0 scm:svn:http://svn.apache.org/repos/asf/jakarta/httpcomponents/oac.hc3x/trunk http://svn.apache.org/repos/asf/jakarta/httpcomponents/oac.hc3x/trunk Apache Software Foundation http://jakarta.apache.org/ src/java src/test src/resources src/test **/*.keystore maven-surefire-plugin **/TestAll.java junit 
junit 3.8.1 test commons-logging commons-logging 1.0.4 commons-codec commons-codec 1.2 default Default Site scp://people.apache.org//www/jakarta.apache.org/httpcomponents/httpclient-3.x/ converted
debian/libcommons-httpclient-java-doc.doc-base.documentation
Document: libcommons-httpclient-java-doc-documentation
Title: Apache Jakarta Commons HttpClient Library Documentation
Author: Jakarta Commons HttpClient Project Team
Abstract: This is the documentation for the Apache Jakarta Commons HttpClient Library
Section: Programming

Format: HTML
Index: /usr/share/doc/libcommons-httpclient-java-doc/docs/index.html
Files: /usr/share/doc/libcommons-httpclient-java-doc/docs/*.html

debian/libcommons-httpclient-java-doc.doc-base.javadoc
Document: libcommons-httpclient-java-doc-javadoc
Title: API Javadoc for Apache Jakarta Commons HttpClient Library
Author: Jakarta Commons HttpClient Project Team
Abstract: This is the API Javadoc for the Apache Jakarta Commons HttpClient Library
Section: Programming

Format: HTML
Index: /usr/share/doc/libcommons-httpclient-java-doc/docs/apidocs/index.html
Files: /usr/share/doc/libcommons-httpclient-java-doc/docs/apidocs/*.html

debian/changelog
commons-httpclient (3.1-10.2ubuntu0.14.04.1) trusty-security; urgency=medium

  * SECURITY UPDATE: improper certificate hostname verification
    - debian/patches/CVE-2014-3577.patch: fix Common Name logic in
      src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java.
    - CVE-2014-3577
  * SECURITY UPDATE: denial of service via failure to set socket timeout
    - debian/patches/CVE-2015-5262.patch: respect configured timeout in
      src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java.
    - CVE-2015-5262
  * debian/ant.properties: bump version to 1.5 to handle security fixes.

 -- Marc Deslauriers  Thu, 01 Oct 2015 08:51:52 -0400

commons-httpclient (3.1-10.2) unstable; urgency=low

  * Non-maintainer upload.
  * Fix CVE-2012-5783 (Closes: #692442)
  * Fix CN extraction from DN of X500 principal.
  * Fix wildcard validation on ssl connections

 -- Alberto Fernández Martínez  Thu, 6 Dec 2012 14:28:00 +0100

commons-httpclient (3.1-10.1) unstable; urgency=low

  * Non-maintainer upload.
  * Fix CVE-2012-5783 (Closes: #692442)

 -- Alberto Fernández Martínez  Wed, 5 Dec 2012 17:28:00 +0100

commons-httpclient (3.1-10) unstable; urgency=low

  [ Damien Raude-Morvan ]
  * Remove Arnaud Vandyck from Uploaders
  * d/control: Drop Depends on any JRE as a Java library doesn't need to
    depend on a runtime (Java Policy)

  [ Torsten Werner ]
  * Switch to source format 3.0.
  * Update Standards-Version: 3.9.1.
  * Remove Barry from Uploaders list.

 -- Torsten Werner  Tue, 30 Aug 2011 11:47:01 +0200

commons-httpclient (3.1-9) unstable; urgency=low

  * Add myself to Uploaders
  * Use quilt as patch system
    - Build-Depends on quilt
    - Add debian/README.source
    - Use CDBS patchsys-quilt.mk
  * New debian/patches/05_osgi_metadata.diff to include OSGi metadata in JAR
    (Closes: #558182)

 -- Damien Raude-Morvan  Sun, 29 Nov 2009 01:06:18 +0100

commons-httpclient (3.1-8) unstable; urgency=low

  [Damien Raude-Morvan]
  * Fix debian/watch: use http://www.apache.org/dist/

  [Onkar Shinde]
  * debian/patches/04_fix_classpath.patch
    - Add appropriate jar files in classpath using manifest attribute.
      (LP: #459251)
  * debian/ant.properties
    - Add properties to set target JVM version 1.4.

 -- Onkar Shinde  Thu, 05 Nov 2009 09:50:19 +0530

commons-httpclient (3.1-7) unstable; urgency=low

  * Add myself to Uploaders.
  * Revert change from last upload:
    - Don't map version of commons-httpclient explicitly.
      (Closes: #551126, #551214, #551217, #551218, #551221, #551224,
      #551226, #551227, #551231, #551242)

 -- Torsten Werner  Sat, 17 Oct 2009 19:44:10 +0200

commons-httpclient (3.1-6) unstable; urgency=low

  * Don't map version of commons-httpclient explicitly.
  * Added myself to Uploaders.
  * Updated Standards-Version to 3.8.3.

 -- Michael Koch  Mon, 05 Oct 2009 12:23:44 +0200

commons-httpclient (3.1-5) unstable; urgency=low

  * Upload to unstable.

 -- Torsten Werner  Sun, 09 Aug 2009 10:43:36 +0200

commons-httpclient (3.1-4) experimental; urgency=low

  * Add the Maven POM to the package
  * Add a Build-Depends-Indep dependency on maven-repo-helper
  * Use mh_installpom and mh_installjar to install the POM and the jar to the
    Maven repository

 -- Ludovic Claude  Thu, 09 Jul 2009 17:40:18 +0100

commons-httpclient (3.1-3) unstable; urgency=low

  * Convert to default-jdk/jre (Closes: #508949)
  * Bump Standards-Version to 3.8.1

 -- Varun Hiremath  Thu, 07 May 2009 19:27:19 -0400

commons-httpclient (3.1-2) unstable; urgency=low

  * debian/watch:
    + Update to reflect new upstream mirror structure. (Closes: #459995)
  * debian/control:
    + Update my e-mail address to akumar@debian.org.
    + Standards Version is now 3.7.3.
    + Use Vcs-Svn and Vcs-Browser in place of XS-Vcs-*.
    + Depend on ant 1.6.5 and above, instead of 1.6.5-1.

 -- Kumar Appaiah  Fri, 18 Apr 2008 13:25:36 +0530

commons-httpclient (3.1-1) unstable; urgency=low

  * New upstream release.
  * Acknowledge NMU. Thanks to Michael Meskes for the upload.
  * debian/ant.properties:
    + Correct Java directory spelling.
  * debian/control:
    + Add Varun Hiremath and Kumar Appaiah to Uploaders.
    + Add XS-Vcs-Browser and XS-Vcs-Browser.
    + Move section of libcommons-httpclient-doc to doc.
    + Add Homepage Field.
  * debian/patches:
    + Remove 00b_build_xml_dont_copy_lib_dir.patch
    + Update patches/01_build_xml_version_jar.patch and
      patches/02_upstream_disable_examples_classes.patch for the new
      upstream version
  * debian/rules:
    + Remove dependence on package version; use DEB_UPSTREAM_VERSION for
      version
  * debian/libcommons-httpclient-java.install:
    + Not needed, since functionality written in debian.rules.
  * debian/watch
    + Update watch file to new upstream tarball directory.
  * debian/libcommons-httpclient-java.link:
    + Not needed, since functionality written in debian.rules.
  * Upstream has fixed some RFC violations. (Closes: #329245)
  * Remove .cvsignore files.

 -- Kumar Appaiah  Thu, 20 Sep 2007 20:14:02 +0530

commons-httpclient (3.0.1-0.1) unstable; urgency=low

  * Non-maintainer upload.
  * Bump debhelper Build-Depends to (>= 4.1.0) as required by cdbs'
    debhelper.mk
  * Put the copyright holders in debian/copyright
  * Include the jar file in the package. (Closes: #381354)
  * Only include one copy of the docs.
    done by James Westby  Mon, 14 Aug 2006 02:29:47 +0100

 -- Michael Meskes  Fri, 15 Sep 2006 20:07:43 +0200

commons-httpclient (3.0.1-0) unstable; urgency=low

  * New upstream (closes: #340307)
  * Build with cdbs and java-gcj-compat-dev
  * Updated to Standards-Version 3.7.2; split build-dep and build-dep-indep.
  * Added libcommons-codec-java to build-dep.
  * Using simple-patchsys and no more dpatch

 -- Arnaud Vandyck  Mon, 31 Jul 2006 17:11:32 +0200

commons-httpclient (2.0.2-2) unstable; urgency=low

  * Provide non-version-specific symlink "commons-httpclient.jar" to
    commons-httpclient-2.0.2.jar per Debian Java Policy Section 2.4
    (Closes: 340308)
  * Added additional doc-base entry to point to main section of Jakarta
    Commons HttpClient documentation in addition to the API Javadoc
  * Maintainer email address updated for Barry Hawkins
  * Upload sponsored by Petter Reinholdtsen

 -- Barry Hawkins  Fri, 25 Nov 2005 13:12:23 -0500

commons-httpclient (2.0.2-1) unstable; urgency=low

  * New upstream release and moved to main (Closes: #301789)
  * Removed dependency upon non-free compilers (Closes: 306744)
  * Updated version of Apache License to 2.0
  * Package updated to reflect maintainership under Debian Java Maintainers
  * Upload sponsored by Petter Reinholdtsen

 -- Barry Hawkins  Tue, 13 Sep 2005 23:14:01 -0400

commons-httpclient (2.0a1+20020904-1) unstable; urgency=low

  * New upstream release, with actual source (closes: #160262)

 -- Stephen Peters  Wed, 4 Sep 2002 22:18:18 -0400

commons-httpclient (2.0a1-1) unstable; urgency=low

  * Initial Release.
-- Stephen Peters Wed, 1 May 2002 13:31:44 -0400 debian/libcommons-httpclient-java.dirs0000664000000000000000000000001711627130153015305 0ustar usr/share/java debian/source/0000775000000000000000000000000011627215220010466 5ustar debian/source/format0000664000000000000000000000001411627130455011702 0ustar 3.0 (quilt) debian/compat0000664000000000000000000000000211627130153010365 0ustar 7 debian/libcommons-httpclient-java-doc.docs0000664000000000000000000000001411627130153016034 0ustar docs README debian/patches/0000775000000000000000000000000012603230176010617 5ustar debian/patches/05_osgi_metadata0000664000000000000000000000251411627130153013650 0ustar --- a/src/conf/MANIFEST.MF +++ b/src/conf/MANIFEST.MF 
@@ -4,3 +4,23 @@ Implementation-Vendor: Apache Software Foundation Implementation-Version: @version@ Class-Path: commons-codec.jar commons-logging.jar commons-logging-api.jar commons-logging-adapters.jar +Bundle-Vendor: HTTPClient +Bundle-Localization: plugin +Bundle-RequiredExecutionEnvironment: CDC-1.0/Foundation-1.0,J2SE-1.2 +Bundle-Name: HTTPClient +Bundle-SymbolicName: org.apache.commons.httpclient +Export-Package: org.apache.commons.httpclient;version="3.1.0",org.apac + he.commons.httpclient.auth;version="3.1.0",org.apache.commons.httpcli + ent.cookie;version="3.1.0",org.apache.commons.httpclient.methods;vers + ion="3.1.0",org.apache.commons.httpclient.methods.multipart;version=" + 3.1.0",org.apache.commons.httpclient.params;version="3.1.0",org.apach + e.commons.httpclient.protocol;version="3.1.0",org.apache.commons.http + client.util;version="3.1.0" +Bundle-Version: 3.1.0 +Bundle-ManifestVersion: 2 +Import-Package: javax.crypto;resolution:=optional,javax.crypto.spec;re + solution:=optional,javax.net;resolution:=optional,javax.net.ssl;resol + ution:=optional,org.apache.commons.codec;version="[1.2.0,2.0.0)",org. + apache.commons.codec.binary;version="[1.2.0,2.0.0)",org.apache.common + s.codec.net;version="[1.2.0,2.0.0)",org.apache.commons.logging;versio + n="[1.0.4,2.0.0)" debian/patches/03_upstream_qualify_ConnectionPool_declaration.patch0000775000000000000000000000104311627130153023112 0ustar --- a/src/java/org/apache/commons/httpclient/MultiThreadedHttpConnectionManager.java +++ b/src/java/org/apache/commons/httpclient/MultiThreadedHttpConnectionManager.java 
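Review bot: in the 05_osgi_metadata hunk for src/conf/MANIFEST.MF, "Bundle-Vendor: HTTPClient" names the product where the OSGi header expects the organisation; the existing "Implementation-Vendor: Apache Software Foundation" two lines above is the value to reuse. "Bundle-Localization: plugin" points at a plugin.properties that this patch does not add, and none of the new headers uses a %-placeholder, so that line can be dropped. "Bundle-RequiredExecutionEnvironment: CDC-1.0/Foundation-1.0,J2SE-1.2" no longer matches debian/ant.properties, which compiles with source and target 1.5, so the bundle advertises JVMs that cannot load its class files; J2SE-1.5 would be accurate. "Bundle-Version: 3.1.0" is also hard-coded while Implementation-Version is filled from @version@ at build time, so the two will drift on the next upstream bump unless Bundle-Version is derived from the same substitution.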
@@ -1025,7 +1025,7 @@ private static class ConnectionSource { /** The connection pool that created the connection */ - public ConnectionPool connectionPool; + public MultiThreadedHttpConnectionManager.ConnectionPool connectionPool; /** The connection's host configuration */ public HostConfiguration hostConfiguration; debian/patches/CVE-2014-3577.patch0000664000000000000000000001013512603230176013244 0ustar From: Markus Koschany Date: Mon, 23 Mar 2015 22:45:14 +0100 Subject: CVE-2014-3577 It was found that the fix for CVE-2012-6153 was incomplete: the code added to check that the server hostname matches the domain name in a subject's Common Name (CN) field in X.509 certificates was flawed. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate. The fix for CVE-2012-6153 was intended to address the incomplete patch for CVE-2012-5783. This means the issue is now completely resolved by applying this patch and the 06_fix_CVE-2012-5783.patch. References: upstream announcement: https://mail-archives.apache.org/mod_mbox/www-announce/201408.mbox/CVE-2014-3577 Fedora-Fix: http://pkgs.fedoraproject.org/cgit/jakarta-commons-httpclient.git/tree/jakarta-commons-httpclient-CVE-2014-3577.patch CentOS-Fix: https://git.centos.org/blob/rpms!jakarta-commons-httpclient/SOURCES!jakarta-commons-httpclient-CVE-2014-3577.patch Debian-Bug: https://bugs.debian.org/758086 Forwarded: not-needed, already fixed --- .../protocol/SSLProtocolSocketFactory.java | 57 ++++++++++++++-------- 1 file changed, 37 insertions(+), 20 deletions(-) diff --git a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java index fa0acc7..e6ce513 100644 --- a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java +++ b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java 
@@ -44,9 +44,15 @@ import java.util.Iterator; import java.util.LinkedList; import java.util.List; import java.util.Locale; -import java.util.StringTokenizer; +import java.util.NoSuchElementException; import java.util.regex.Pattern; +import javax.naming.InvalidNameException; +import javax.naming.NamingException; +import javax.naming.directory.Attribute; +import javax.naming.directory.Attributes; +import javax.naming.ldap.LdapName; +import javax.naming.ldap.Rdn; import javax.net.ssl.SSLException; import javax.net.ssl.SSLSession; import javax.net.ssl.SSLSocket; 
@@ -424,28 +430,39 @@ public class SSLProtocolSocketFactory implements SecureProtocolSocketFactory { return dots; } - private static String getCN(X509Certificate cert) { - // Note: toString() seems to do a better job than getName() - // - // For example, getName() gives me this: - // 1.2.840.113549.1.9.1=#16166a756c6975736461766965734063756362632e636f6d - // - // whereas toString() gives me this: - // EMAILADDRESS=juliusdavies@cucbc.com - String subjectPrincipal = cert.getSubjectX500Principal().toString(); - - return getCN(subjectPrincipal); - + private static String getCN(final X509Certificate cert) { + final String subjectPrincipal = cert.getSubjectX500Principal().toString(); + try { + return extractCN(subjectPrincipal); + } catch (SSLException ex) { + return null; + } } - private static String getCN(String subjectPrincipal) { - StringTokenizer st = new StringTokenizer(subjectPrincipal, ","); - while(st.hasMoreTokens()) { - String tok = st.nextToken().trim(); - if (tok.length() > 3) { - if (tok.substring(0, 3).equalsIgnoreCase("CN=")) { - return tok.substring(3); + + private static String extractCN(final String subjectPrincipal) throws SSLException { + if (subjectPrincipal == null) { + return null; + } + try { + final LdapName subjectDN = new LdapName(subjectPrincipal); + final List rdns = subjectDN.getRdns(); + for (int i = rdns.size() - 1; i >= 0; i--) { + final Rdn rds = rdns.get(i); + final Attributes attributes = rds.toAttributes(); + final Attribute cn = attributes.get("cn"); + if (cn != null) { + try { + final Object value = cn.get(); + if (value != null) { + return value.toString(); + } + } catch (NoSuchElementException ignore) { + } catch (NamingException ignore) { + } } } + } catch (InvalidNameException e) { + throw new SSLException(subjectPrincipal + " is not a valid X500 distinguished name"); } return null; } debian/patches/CVE-2015-5262.patch0000664000000000000000000000273712603230176013247 0ustar Description: Respect configured SO_TIMEOUT during SSL 
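Review bot: in the @@ -424,28 +430,39 @@ hunk of CVE-2014-3577.patch, getCN catches the SSLException that extractCN throws for an unparseable subject DN and returns null, which makes a malformed DN indistinguishable from a certificate that simply has no CN; its caller in this file, verifyHostName(String, X509Certificate), already declares SSLException, so letting the exception propagate would fail closed with the descriptive message extractCN builds instead of silently continuing. A comment on the loop would also help future readers: it walks rdns from the last index down because LdapName stores the rightmost RDN of the string at index 0, so the leftmost (most specific) CN wins when a DN carries more than one. Parsing with LdapName is the right replacement for the old StringTokenizer, which treated a comma inside a quoted or escaped attribute value as a separator and could therefore return a "CN" that was not the subject's CN at all.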
handshake. Origin: https://bugzilla.redhat.com/attachment.cgi?id=1072467&action=diff diff --git a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java index e6ce513..b7550a2 100644 --- a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java +++ b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java @@ -152,7 +152,9 @@ public class SSLProtocolSocketFactory implements SecureProtocolSocketFactory { } int timeout = params.getConnectionTimeout(); if (timeout == 0) { - Socket sslSocket = createSocket(host, port, localAddress, localPort); + Socket sslSocket = SSLSocketFactory.getDefault().createSocket( + host, port, localAddress, localPort); + sslSocket.setSoTimeout(params.getSoTimeout()); verifyHostName(host, (SSLSocket) sslSocket); return sslSocket; } else { @@ -163,6 +165,7 @@ public class SSLProtocolSocketFactory implements SecureProtocolSocketFactory { sslSocket = ControllerThreadSocketFactory.createSocket( this, host, port, localAddress, localPort, timeout); } + sslSocket.setSoTimeout(params.getSoTimeout()); verifyHostName(host, (SSLSocket) sslSocket); return sslSocket; } debian/patches/06_fix_CVE-2012-5783.patch0000664000000000000000000003142312060117600014412 0ustar Description: Fixed CN extraction from DN of X500 principal and wildcard validation commons-httpclient (3.1-10.2) unstable; urgency=low * Fixed CN extraction from DN of X500 principal and wildcard validation Author: Alberto Fernández Martínez Origin: other Bug-Debian: http://bugs.debian.org/692442 Forwarded: https://issues.apache.org/jira/browse/HTTPCLIENT-1265 Last-Update: <2012-12-06> --- commons-httpclient-3.1.orig/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java +++ commons-httpclient-3.1/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java 
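Review bot: in the @@ -152,7 +152,9 @@ hunk of CVE-2015-5262.patch, the timeout is applied only in the overload that receives HttpConnectionParams; createSocket(String, int, InetAddress, int), createSocket(String, int) and createSocket(Socket, String, int, boolean) still call verifyHostName, which forces the handshake through getSession(), on a socket whose SO_TIMEOUT is left at the default of 0 (no limit). That is inherent to those signatures, but it deserves a sentence in the class javadoc so callers know that only the HttpConnectionParams overload is protected against a peer that accepts the TCP connection and never completes the handshake. Replacing the call to the four-argument overload with a direct SSLSocketFactory.getDefault().createSocket(...) also removes the second verifyHostName pass that 06_fix_CVE-2012-5783.patch had introduced in this branch; that side effect is worth a line in the patch description.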
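Review bot: in the @@ -163,6 +165,7 @@ hunk of CVE-2015-5262.patch, both branches of the if now end with the same sslSocket.setSoTimeout(params.getSoTimeout()), verifyHostName(host, (SSLSocket) sslSocket) and return sslSocket; hoisting those three statements below the if/else leaves a single place where the timeout is applied before the handshake, so a future edit to one branch cannot quietly reintroduce the unbounded wait.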
@@ -31,10 +31,25 @@ package org.apache.commons.httpclient.protocol; import java.io.IOException; +import java.io.InputStream; import java.net.InetAddress; import java.net.Socket; import java.net.UnknownHostException; +import java.security.cert.Certificate; +import java.security.cert.CertificateParsingException; +import java.security.cert.X509Certificate; +import java.util.Arrays; +import java.util.Collection; +import java.util.Iterator; +import java.util.LinkedList; +import java.util.List; +import java.util.Locale; +import java.util.StringTokenizer; +import java.util.regex.Pattern; +import javax.net.ssl.SSLException; +import javax.net.ssl.SSLSession; +import javax.net.ssl.SSLSocket; import javax.net.ssl.SSLSocketFactory; import org.apache.commons.httpclient.ConnectTimeoutException; @@ -55,6 +70,11 @@ public class SSLProtocolSocketFactory im */ private static final SSLProtocolSocketFactory factory = new SSLProtocolSocketFactory(); + // This is a a sorted list, if you insert new elements do it orderdered. + private final static String[] BAD_COUNTRY_2LDS = + {"ac", "co", "com", "ed", "edu", "go", "gouv", "gov", "info", + "lg", "ne", "net", "or", "org"}; + /** * Gets an singleton instance of the SSLProtocolSocketFactory. * @return a SSLProtocolSocketFactory @@ -79,12 +99,14 @@ public class SSLProtocolSocketFactory im InetAddress clientHost, int clientPort) throws IOException, UnknownHostException { - return SSLSocketFactory.getDefault().createSocket( + Socket sslSocket = SSLSocketFactory.getDefault().createSocket( host, port, clientHost, clientPort ); + verifyHostName(host, (SSLSocket) sslSocket); + return sslSocket; } /** 
@@ -124,16 +146,19 @@ public class SSLProtocolSocketFactory im } int timeout = params.getConnectionTimeout(); if (timeout == 0) { - return createSocket(host, port, localAddress, localPort); + Socket sslSocket = createSocket(host, port, localAddress, localPort); + verifyHostName(host, (SSLSocket) sslSocket); + return sslSocket; } else { // To be eventually deprecated when migrated to Java 1.4 or above - Socket socket = ReflectionSocketFactory.createSocket( + Socket sslSocket = ReflectionSocketFactory.createSocket( "javax.net.ssl.SSLSocketFactory", host, port, localAddress, localPort, timeout); - if (socket == null) { - socket = ControllerThreadSocketFactory.createSocket( + if (sslSocket == null) { + sslSocket = ControllerThreadSocketFactory.createSocket( this, host, port, localAddress, localPort, timeout); } - return socket; + verifyHostName(host, (SSLSocket) sslSocket); + return sslSocket; } } @@ -142,10 +167,12 @@ public class SSLProtocolSocketFactory im */ public Socket createSocket(String host, int port) throws IOException, UnknownHostException { - return SSLSocketFactory.getDefault().createSocket( + Socket sslSocket = SSLSocketFactory.getDefault().createSocket( host, port ); + verifyHostName(host, (SSLSocket) sslSocket); + return sslSocket; } /** 
@@ -157,13 +184,271 @@ public class SSLProtocolSocketFactory im int port, boolean autoClose) throws IOException, UnknownHostException { - return ((SSLSocketFactory) SSLSocketFactory.getDefault()).createSocket( + Socket sslSocket = ((SSLSocketFactory) SSLSocketFactory.getDefault()).createSocket( socket, host, port, autoClose ); + verifyHostName(host, (SSLSocket) sslSocket); + return sslSocket; } + + + + + /** + * Verifies that the given hostname in certicifate is the hostname we are trying to connect to + * http://www.cvedetails.com/cve/CVE-2012-5783/ + * @param host + * @param ssl + * @throws IOException + */ + + private static void verifyHostName(String host, SSLSocket ssl) + throws IOException { + if (host == null) { + throw new IllegalArgumentException("host to verify was null"); + } + + SSLSession session = ssl.getSession(); + if (session == null) { + // In our experience this only happens under IBM 1.4.x when + // spurious (unrelated) certificates show up in the server's chain. + // Hopefully this will unearth the real problem: + InputStream in = ssl.getInputStream(); + in.available(); + /* + If you're looking at the 2 lines of code above because you're + running into a problem, you probably have two options: + + #1. Clean up the certificate chain that your server + is presenting (e.g. edit "/etc/apache2/server.crt" or + wherever it is your server's certificate chain is + defined). + + OR + + #2. Upgrade to an IBM 1.5.x or greater JVM, or switch to a + non-IBM JVM. + */ + + // If ssl.getInputStream().available() didn't cause an exception, + // maybe at least now the session is available? + session = ssl.getSession(); + if (session == null) { + // If it's still null, probably a startHandshake() will + // unearth the real problem. + ssl.startHandshake(); + + // Okay, if we still haven't managed to cause an exception, + // might as well go for the NPE. Or maybe we're okay now? 
+ session = ssl.getSession(); + } + } + + Certificate[] certs = session.getPeerCertificates(); + verifyHostName(host.trim().toLowerCase(Locale.US), (X509Certificate) certs[0]); + } + /** + * Extract the names from the certificate and tests host matches one of them + * @param host + * @param cert + * @throws SSLException + */ + + private static void verifyHostName(final String host, X509Certificate cert) + throws SSLException { + // I'm okay with being case-insensitive when comparing the host we used + // to establish the socket to the hostname in the certificate. + // Don't trim the CN, though. + + String cn = getCN(cert); + String[] subjectAlts = getDNSSubjectAlts(cert); + verifyHostName(host, cn.toLowerCase(Locale.US), subjectAlts); + + } + + /** + * Extract all alternative names from a certificate. + * @param cert + * @return + */ + private static String[] getDNSSubjectAlts(X509Certificate cert) { + LinkedList subjectAltList = new LinkedList(); + Collection c = null; + try { + c = cert.getSubjectAlternativeNames(); + } catch (CertificateParsingException cpe) { + // Should probably log.debug() this? 
+ cpe.printStackTrace(); + } + if (c != null) { + Iterator it = c.iterator(); + while (it.hasNext()) { + List list = (List) it.next(); + int type = ((Integer) list.get(0)).intValue(); + // If type is 2, then we've got a dNSName + if (type == 2) { + String s = (String) list.get(1); + subjectAltList.add(s); + } + } + } + if (!subjectAltList.isEmpty()) { + String[] subjectAlts = new String[subjectAltList.size()]; + subjectAltList.toArray(subjectAlts); + return subjectAlts; + } else { + return new String[0]; + } + + } + /** + * Verifies + * @param host + * @param cn + * @param subjectAlts + * @throws SSLException + */ + + private static void verifyHostName(final String host, String cn, String[] subjectAlts)throws SSLException{ + StringBuffer cnTested = new StringBuffer(); + + for (int i = 0; i < subjectAlts.length; i++){ + String name = subjectAlts[i]; + if (name != null) { + name = name.toLowerCase(); + if (verifyHostName(host, name)){ + return; + } + cnTested.append("/").append(name); + } + } + if (cn != null && verifyHostName(host, cn)){ + return; + } + cnTested.append("/").append(cn); + throw new SSLException("hostname in certificate didn't match: <" + + host + "> != <" + cnTested + ">"); + + } + + private static boolean verifyHostName(final String host, final String cn){ + if (doWildCard(cn) && !isIPAddress(host)) { + return matchesWildCard(cn, host); + } + return host.equalsIgnoreCase(cn); + } + private static boolean doWildCard(String cn) { + // Contains a wildcard + // wildcard in the first block + // not an ipaddress (ip addres must explicitily be equal) + // not using 2nd level common tld : ex: not for *.co.uk + String parts[] = cn.split("\\."); + return parts.length >= 3 && + parts[0].endsWith("*") && + acceptableCountryWildcard(cn) && + !isIPAddress(cn); + } + + + private static final Pattern IPV4_PATTERN = + Pattern.compile("^(25[0-5]|2[0-4]\\d|[0-1]?\\d?\\d)(\\.(25[0-5]|2[0-4]\\d|[0-1]?\\d?\\d)){3}$"); + + private static final Pattern IPV6_STD_PATTERN = + 
Pattern.compile("^(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}$"); + + private static final Pattern IPV6_HEX_COMPRESSED_PATTERN = + Pattern.compile("^((?:[0-9A-Fa-f]{1,4}(?::[0-9A-Fa-f]{1,4})*)?)::((?:[0-9A-Fa-f]{1,4}(?::[0-9A-Fa-f]{1,4})*)?)$"); + + + private static boolean isIPAddress(final String hostname) { + return hostname != null + && ( + IPV4_PATTERN.matcher(hostname).matches() + || IPV6_STD_PATTERN.matcher(hostname).matches() + || IPV6_HEX_COMPRESSED_PATTERN.matcher(hostname).matches() + ); + + } + + private static boolean acceptableCountryWildcard(final String cn) { + // The CN better have at least two dots if it wants wildcard action, + // but can't be [*.co.uk] or [*.co.jp] or [*.org.uk], etc... + // The [*.co.uk] problem is an interesting one. Should we just + // hope that CA's would never foolishly allow such a + // certificate to happen? + + String[] parts = cn.split("\\."); + // Only checks for 3 levels, with country code of 2 letters. + if (parts.length > 3 || parts[parts.length - 1].length() != 2) { + return true; + } + String countryCode = parts[parts.length - 2]; + return Arrays.binarySearch(BAD_COUNTRY_2LDS, countryCode) < 0; + } + + private static boolean matchesWildCard(final String cn, + final String hostName) { + String parts[] = cn.split("\\."); + boolean match = false; + String firstpart = parts[0]; + if (firstpart.length() > 1) { + // server∗ + // e.g. 
server + String prefix = firstpart.substring(0, firstpart.length() - 1); + // skipwildcard part from cn + String suffix = cn.substring(firstpart.length()); + // skip wildcard part from host + String hostSuffix = hostName.substring(prefix.length()); + match = hostName.startsWith(prefix) && hostSuffix.endsWith(suffix); + } else { + match = hostName.endsWith(cn.substring(1)); + } + if (match) { + // I f we're in strict mode , + // [ ∗.foo.com] is not allowed to match [a.b.foo.com] + match = countDots(hostName) == countDots(cn); + } + return match; + } + + private static int countDots(final String data) { + int dots = 0; + for (int i = 0; i < data.length(); i++) { + if (data.charAt(i) == '.') { + dots += 1; + } + } + return dots; + } + + private static String getCN(X509Certificate cert) { + // Note: toString() seems to do a better job than getName() + // + // For example, getName() gives me this: + // 1.2.840.113549.1.9.1=#16166a756c6975736461766965734063756362632e636f6d + // + // whereas toString() gives me this: + // EMAILADDRESS=juliusdavies@cucbc.com + String subjectPrincipal = cert.getSubjectX500Principal().toString(); + + return getCN(subjectPrincipal); + + } + private static String getCN(String subjectPrincipal) { + StringTokenizer st = new StringTokenizer(subjectPrincipal, ","); + while(st.hasMoreTokens()) { + String tok = st.nextToken().trim(); + if (tok.length() > 3) { + if (tok.substring(0, 3).equalsIgnoreCase("CN=")) { + return tok.substring(3); + } + } + } + return null; + } /** * All instances of SSLProtocolSocketFactory are the same. 
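Review bot: in the @@ -124,16 +146,19 @@ hunk of 06_fix_CVE-2012-5783.patch, the timeout == 0 branch calls createSocket(host, port, localAddress, localPort), which after the @@ -79,12 +99,14 @@ hunk already runs verifyHostName, and then calls verifyHostName again on the same socket; the second pass is redundant (the session is cached, so it costs a second certificate walk rather than a second handshake). Either return the overload's result directly or call the factory directly as the else branch does; CVE-2015-5262.patch later takes the second route, but the duplication should not be in this patch to begin with.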
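Review bot: in the @@ -157,13 +184,271 @@ hunk of 06_fix_CVE-2012-5783.patch, verifyHostName(String, X509Certificate) calls cn.toLowerCase(Locale.US) without checking that getCN returned non-null, so a certificate whose subject has no CN (a SAN-only certificate) fails with a NullPointerException instead of the SSLException that the three-argument verifyHostName already produces for a null cn; pass cn == null ? null : cn.toLowerCase(Locale.US). Smaller points in the same hunk: matchesWildCard computes hostName.substring(prefix.length()) before testing hostName.startsWith(prefix), so a hostname shorter than the wildcard prefix throws StringIndexOutOfBoundsException rather than returning false (move the substring after the startsWith check); verifyHostName(String, String, String[]) still falls back to the CN after the dNSName subjectAltNames fail to match, whereas RFC 2818 section 3.1 uses the CN only when no dNSName SAN is present, so a comment stating that this is a deliberate compatibility choice would help; getDNSSubjectAlts collects only type 2 (dNSName) entries, so a connection to an IP literal can match only a CN equal to the address and never an iPAddress (type 7) SAN, which the isIPAddress branch should document; and getDNSSubjectAlts reports the CertificateParsingException with printStackTrace() while the comment beside it asks for log.debug() and the package already depends on commons-logging.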
debian/patches/series

00_build_xml_no_external_links.patch
01_build_xml_version_jar.patch
02_upstream_disable_examples_classes.patch
03_upstream_qualify_ConnectionPool_declaration.patch
04_fix_classpath.patch
05_osgi_metadata
06_fix_CVE-2012-5783.patch
CVE-2014-3577.patch
CVE-2015-5262.patch

debian/patches/02_upstream_disable_examples_classes.patch

--- a/build.xml +++ b/build.xml @@ -188,7 +188,8 @@ destdir ="${build.home}/examples" debug ="${compile.debug}" deprecation ="${compile.deprecation}" - optimize ="${compile.optimize}"> + optimize ="${compile.optimize}" + excludes ="MultipartFileUploadApp.java,ClientApp.java">

debian/patches/00_build_xml_no_external_links.patch

--- a/build.xml +++ b/build.xml @@ -250,8 +250,6 @@ bottom ="Copyright (c) 1999-2005 - Apache Software Foundation" > - -

debian/patches/01_build_xml_version_jar.patch

--- a/build.xml +++ b/build.xml @@ -149,7 +149,7 @@ -

debian/patches/04_fix_classpath.patch

--- a/src/conf/MANIFEST.MF +++ b/src/conf/MANIFEST.MF @@ -3,4 +3,4 @@ Specification-Version: 1.0 Implementation-Vendor: Apache Software Foundation Implementation-Version: @version@ - +Class-Path: commons-codec.jar commons-logging.jar commons-logging-api.jar commons-logging-adapters.jar

debian/ant.properties

# JSSE stub classes required for build
lib.dir=/usr/share/java
#jsse.jar=/usr/share/java/jsse.jar
ant.build.javac.source=1.5
ant.build.javac.target=1.5

debian/libcommons-httpclient-java.docs

README

debian/copyright

This package was debianized by Stephen Peters on Wed, 1 May 2002 13:34:02 +0500.

It was downloaded from http://hc.apache.org/httpclient-3.x

Upstream Authors: Michael Becke, Jeff Dever, dIon Gillard, Ortwin Glueck, Sung-Gu, Oleg Kalnichevski, Sean C. Sullivan, Adrian Sutton, Rodney Waldhoff, Armando Anton, Sebastian Bazley, Ola Berg, Sam Berlin, Mike Bowler, Samit Jain, Eric Johnson, Christian Kohlschuetter, Ryan Lubke, Sam Maloney, Rob Di Marco, Juergen Pill, Mohammad Rezaei, Roland Weber, Laura Werner, Mikael Wilstrom

Copyright: 2001-2008 The Apache Software Foundation

License: Apache 2.0

On Debian systems the full text of the Apache License can be found in `/usr/share/common-licenses/Apache-2.0'.

debian/watch

version=3
http://www.apache.org/dist/httpcomponents/commons-httpclient/source/commons-httpclient-([\d\.]+)-src.tar.gz
#http://apache.oc1.mirrors.redwire.net/httpcomponents/commons-httpclient/source/commons-httpclient-([\d\.]+)-src.tar.gz

debian/README.Debian

In order to use the SSL-based HTTPS protocol with it, you will need to download and install an implementation of the JSSE (http://java.sun.com/products/jsee). Installing the JSSE is not required in order to use the standard unencrypted HTTP protocol, however.

 -- Stephen Peters

debian/maven.rules

junit junit jar s/3\..*/3.x/
commons-httpclient commons-httpclient jar s/3\..*/3.x/

debian/libcommons-httpclient-java-doc.dirs

usr/share/doc/libcommons-httpclient-java-doc

debian/libcommons-httpclient-java.poms

debian/pom.xml --no-parent

debian/rules

#!/usr/bin/make -f
# debian/rules for libcommons-httpclient-java (uses CDBS)

include /usr/share/cdbs/1/rules/debhelper.mk
include /usr/share/cdbs/1/class/ant.mk

PACKAGE := $(DEB_SOURCE_PACKAGE)
VERSION := $(DEB_UPSTREAM_VERSION)
JAVA_HOME := /usr/lib/jvm/default-java
DEB_JARS := junit commons-logging commons-codec
DEB_ANT_BUILD_TARGET := dist
DEB_INSTALL_CHANGELOGS_ALL = RELEASE_NOTES.txt

binary-post-install/lib$(PACKAGE)-java::
	mh_installpoms -plib$(PACKAGE)-java
	mh_installjar -plib$(PACKAGE)-java -l debian/pom.xml dist/$(PACKAGE)-$(VERSION).jar

get-orig-pom:
	wget -O debian/pom.xml http://repository.sonatype.org/service/local/repositories/central/content/commons-httpclient/commons-httpclient/$(DEB_UPSTREAM_VERSION)/commons-httpclient-$(DEB_UPSTREAM_VERSION).pom

get-orig-source:
	-uscan --download-version $(DEB_UPSTREAM_VERSION) --force-download --rename