CVE-2020-10688-1.patch 4.74 KB
wang_yue111 提交于 2021-06-10 09:59 . fix CVE-2020-10688
From 7dcc7b2e7938433b8edea3ce9ada867532beb236 Mon Sep 17 00:00:00 2001
From: wang_yue111 <648774160@qq.com>
Date: Wed, 9 Jun 2021 17:25:36 +0800
Subject: [PATCH] 2
---
.../core/StringParameterInjector.java | 23 ++++++++++++++-----
1 file changed, 17 insertions(+), 6 deletions(-)
diff --git a/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/core/StringParameterInjector.java b/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/core/StringParameterInjector.java
index b7178f6..537ae0d 100755
--- a/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/core/StringParameterInjector.java
+++ b/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/core/StringParameterInjector.java
@@ -15,6 +15,7 @@ import javax.ws.rs.WebApplicationException;
import javax.ws.rs.ext.ParamConverter;
import javax.ws.rs.ext.RuntimeDelegate;
+import java.io.UnsupportedEncodingException;
import java.lang.annotation.Annotation;
import java.lang.reflect.AccessibleObject;
import java.lang.reflect.Array;
@@ -24,6 +25,8 @@ import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.lang.reflect.ParameterizedType;
import java.lang.reflect.Type;
+import java.net.URLEncoder;
+import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
@@ -298,7 +301,7 @@ public class StringParameterInjector
catch (Exception e)
{
LogMessages.LOGGER.unableToExtractParameter(e, getParamSignature(), strVal, target);
- throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal), e);
+ throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), _encode(strVal)), e);
}
if (paramConverter != null)
{
@@ -325,12 +328,12 @@ public class StringParameterInjector
catch (InstantiationException e)
{
LogMessages.LOGGER.unableToExtractParameter(e, getParamSignature(), strVal, target);
- throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal), e);
+ throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), _encode(strVal)), e);
}
catch (IllegalAccessException e)
{
LogMessages.LOGGER.unableToExtractParameter(e, getParamSignature(), strVal, target);
- throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal), e);
+ throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), _encode(strVal)), e);
}
catch (InvocationTargetException e)
{
@@ -340,7 +343,7 @@ public class StringParameterInjector
throw ((WebApplicationException)targetException);
}
LogMessages.LOGGER.unableToExtractParameter(targetException, getParamSignature(), strVal, target);
- throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal), targetException);
+ throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), _encode(strVal)), targetException);
}
}
else if (valueOf != null)
@@ -352,7 +355,7 @@ public class StringParameterInjector
catch (IllegalAccessException e)
{
LogMessages.LOGGER.unableToExtractParameter(e, getParamSignature(), strVal, target);
- throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal), e);
+ throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), _encode(strVal)), e);
}
catch (InvocationTargetException e)
{
@@ -362,12 +365,20 @@ public class StringParameterInjector
throw ((WebApplicationException)targetException);
}
LogMessages.LOGGER.unableToExtractParameter(targetException, getParamSignature(), strVal, target);
- throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), strVal), targetException);
+ throwProcessingException(Messages.MESSAGES.unableToExtractParameter(getParamSignature(), _encode(strVal)), targetException);
}
}
return null;
}
+ private String _encode(String strVal) {
+ try {
+ return URLEncoder.encode(strVal, StandardCharsets.UTF_8.toString());
+ } catch (UnsupportedEncodingException e) {
+ return e.getMessage();
+ }
+ }
+
protected void throwProcessingException(String message, Throwable cause)
{
throw new BadRequestException(message, cause);
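Review bot: The new `_encode` helper at the end of this hunk catches `UnsupportedEncodingException` and returns `e.getMessage()`, so on that path the exception text rather than the rejected parameter value would be placed into the client-facing `BadRequestException` message; UTF-8 is guaranteed by every JVM, so this branch is unreachable and should fail loudly, `throw new IllegalStateException("UTF-8 not supported", e);`, or, if the build targets Java 10+, the overload `URLEncoder.encode(strVal, StandardCharsets.UTF_8)` removes the checked exception and the `java.io.UnsupportedEncodingException` import added in the first hunk. The helper reads no instance state and could be `private static`, and since the reason for encoding is not stated anywhere in the patch, a why-comment would help the next maintainer: `// CVE-2020-10688: URL-encode the rejected value before it is reflected in the 400 response message`. `URLEncoder.encode` throws `NullPointerException` on a null input, and whether `strVal` can be null when these catch blocks run is not visible in the hunk; if it can, the helper should guard it. The same helper is what the four earlier call-site hunks now depend on, so those points apply to them as well.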
--
2.23.0