From 8360ad5456386b9c3fe2c13a5de14b16c32f9bfd Mon Sep 17 00:00:00 2001
From: Tim White
Date: Thu, 28 Sep 2023 22:30:10 +1300
Subject: [PATCH 1/5] Fix broken test, as rev 3ad9e5e5d9 did in the jspwiki repo
---
 .../src/test/java/org/apache/wiki/WikiServletTest.java | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/CVE-2019-0225/src/test/java/org/apache/wiki/WikiServletTest.java b/CVE-2019-0225/src/test/java/org/apache/wiki/WikiServletTest.java
index ba7a580..297ced1 100644
--- a/CVE-2019-0225/src/test/java/org/apache/wiki/WikiServletTest.java
+++ b/CVE-2019-0225/src/test/java/org/apache/wiki/WikiServletTest.java
@@ -41,7 +41,7 @@ public void testDoGet() throws Exception {
 wikiServlet.doGet( req, res );
 wikiServlet.destroy();
- Assertions.assertEquals( "/Wiki.jsp?page=wiki%2FWiki.jsp&", req.getForwardUrl() );
+ Assertions.assertEquals( "/Wiki.jsp?page=Main&", req.getForwardUrl() );
 }
 @Test
@@ -56,7 +56,7 @@ public void testNastyDoPost() throws Exception {
 wikiServlet.doPost( req, res );
 wikiServlet.destroy();
- Assertions.assertEquals( "/Wiki.jsp?page=Edit.jsp&", req.getForwardUrl() );
+ Assertions.assertEquals( "/Wiki.jsp?page=Main&", req.getForwardUrl() );
 }
-}
\ No newline at end of file
+}
From a53535085c7854dfdd7a251b05ca908d6a60d9ea Mon Sep 17 00:00:00 2001
From: Tim White
Date: Thu, 28 Sep 2023 22:31:38 +1300
Subject: [PATCH 2/5] Fix last vulnerable version
---
 CVE-2019-0225/pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CVE-2019-0225/pom.xml b/CVE-2019-0225/pom.xml
index 7606e10..9f8518b 100755
--- a/CVE-2019-0225/pom.xml
+++ b/CVE-2019-0225/pom.xml
@@ -28,7 +28,7 @@ org.apache.jspwiki jspwiki-main - 2.11.0.M6 + 2.11.0.M2
From b0f271277a3e532cba14fe0d394774fce904db94 Mon Sep 17 00:00:00 2001
From: Tim White
Date: Thu, 28 Sep 2023 22:33:53 +1300
Subject: [PATCH 3/5] Add fixVersion after confirming with `mvn clean test`
---
 CVE-2019-0225/pov-project.json | 1 +
 1 file changed, 1 insertion(+)
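Review bot: In WikiServletTest.java (patch 1/5), the rewritten assertions in testDoGet and testNastyDoPost carry no failure message, although pov-project.json in this series declares `testSignalWhenVulnerable` as `failure`, so a red test is itself the vulnerability signal. A message as the third argument, e.g. `Assertions.assertEquals( "/Wiki.jsp?page=Main&", req.getForwardUrl(), "request path reached the page parameter (CVE-2019-0225)" );`, lets a reader tell that signal apart from an unrelated failure; the wording is my reading of the removed expectations, which had `Edit.jsp` and `wiki%2FWiki.jsp` in the `page` parameter. The expected literal is repeated in both hunks and could be a single constant. Both test methods start above their hunks, so the request set-up is not visible here.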
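Review bot: In pom.xml (patch 2/5), the jspwiki-main dependency is pinned to 2.11.0.M2 with nothing in the file saying that this is deliberate; the markup of this hunk did not survive on the page, so I am assuming the changed line is the dependency's `<version>` element. A release chosen because it is affected by CVE-2019-0225 is exactly what a dependency scanner or an update bot will propose to raise, and a later maintainer may accept that and silently turn the proof-of-vulnerability test green. I would add a comment directly above the element, `<!-- intentionally the last release affected by CVE-2019-0225; do not upgrade -->`.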
diff --git a/CVE-2019-0225/pov-project.json b/CVE-2019-0225/pov-project.json
index f9ded43..f10847c 100644
--- a/CVE-2019-0225/pov-project.json
+++ b/CVE-2019-0225/pov-project.json
@@ -11,6 +11,7 @@
 "2.11.0.M1",
 "2.11.0.M2"
 ],
+ "fixVersion": "2.11.0.M3",
 "testSignalWhenVulnerable": "failure",
 "references": [
 "https://nvd.nist.gov/vuln/detail/CVE-2019-0225",
From a24b7a8156535a77bd43ca4d38a4274af9a51318 Mon Sep 17 00:00:00 2001
From: Tim White
Date: Thu, 28 Sep 2023 22:47:44 +1300
Subject: [PATCH 4/5] Change metadata to agree with pom.xml's artifactId
---
 CVE-2019-0225/pov-project.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CVE-2019-0225/pov-project.json b/CVE-2019-0225/pov-project.json
index f10847c..0c0e41f 100644
--- a/CVE-2019-0225/pov-project.json
+++ b/CVE-2019-0225/pov-project.json
@@ -1,6 +1,6 @@
 {
 "id": "CVE-2019-0225",
- "artifact": "org.apache.jspwiki:jspwiki-war",
+ "artifact": "org.apache.jspwiki:jspwiki-main",
 "vulnerableVersions": [
 "2.10.0",
 "2.10.1",
From 38312fea76094b532ba08089744fe87ce11fe6f3 Mon Sep 17 00:00:00 2001
From: Tim White
Date: Thu, 28 Sep 2023 22:57:28 +1300
Subject: [PATCH 5/5] Update README
---
 CVE-2019-0225/README.md | 19 +++----------------
 1 file changed, 3 insertions(+), 16 deletions(-)
diff --git a/CVE-2019-0225/README.md b/CVE-2019-0225/README.md
index 1770f9a..e735860 100644
--- a/CVE-2019-0225/README.md
+++ b/CVE-2019-0225/README.md
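Review bot: In pov-project.json (patch 4/5), `artifact` now names `org.apache.jspwiki:jspwiki-main`, but the `vulnerableVersions` list visible in the same hunk still starts at `2.10.0` and `2.10.1`. As far as I know the jspwiki-main module was only split out for the 2.11.0 milestones, so the 2.10.x entries may not resolve under the new coordinate; this should be checked against the repository index. If they do not resolve, either trim the list to versions published as jspwiki-main or record the older coordinate for the 2.10.x entries, so that a tool matching on `artifact` plus version neither misses affected releases nor fails to fetch them. The file's schema is not visible here, so which of the two fits is for the maintainers to decide.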
@@ -8,20 +8,7 @@ Some minor changes made:
 1. JUnit version replaced by Junit5 with JUnit4 support through vintage
 2. additional dependency providing mock APIs added: `net.sourceforge.stripes:stripes:1.7.0-async-beta`
-Note that the tests __fail__ indicating the vulnerability! There is no later version of jspwiki available in the Maven repository that makes these tests
-pass as APIs the tests depends on also change. In particular, the required class `org.apache.wiki.auth.TestAuthorizer` needs to implement additional methods
-in `org.apache.wiki.auth.authorize.WebAuthorizer` in `org.apache.jspwiki:jspwiki-main:2.11.0.M7`.
-
-Also, in 2.11.0 , `WikiEngine` expects that *""JSPWiki requires a container which supports at least version 3.1 of Servlet specification"* and
-enforces this by throwing an exception. However, the mock container provided in `net.sourceforge.stripes:stripes:1.7.0-async-beta`
-only supports container version `2.*`.
-
-
-
-
-
-
-
-
-
+Note that the tests __fail__ indicating the vulnerability!
+The commit, apache/jspwiki@88d89d6, that contains the original patch to fix the vulnerability also contains a new test -- but that test has a bug, which
+was fixed a few minutes later in apache/jspwiki@3ad9e5e. Our test has the same fix.