File _service:tar_scm:CVE-2020-1938-4.patch of Package tomcat

From 5716044b61cb5b638d8f0de848ac64df03184bc7 Mon Sep 17 00:00:00 2001
From: wang_yue111 <wangyue92@huawei.com>
Date: Mon, 18 May 2020 15:23:19 +0800
Subject: [PATCH] 3

---
 conf/server.xml                                |  5 ++++-
 .../apache/coyote/ajp/AbstractAjpProtocol.java | 18 +++++++++---------
 java/org/apache/coyote/ajp/AjpProcessor.java   |  2 +-
 webapps/docs/config/ajp.xml                    |  2 +-
 4 files changed, 15 insertions(+), 12 deletions(-)

diff --git a/conf/server.xml b/conf/server.xml
index fce8922..81a4e16 100644
--- a/conf/server.xml
+++ b/conf/server.xml
@@ -113,7 +113,10 @@
     -->
 
     
-    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
+    <Connector protocol="AJP/1.3"
+               address="::1"
+               port="8009"
+               redirectPort="8443" />
 
 
     <!-- An Engine represents the entry point (within Catalina) that processes
diff --git a/java/org/apache/coyote/ajp/AbstractAjpProtocol.java b/java/org/apache/coyote/ajp/AbstractAjpProtocol.java
index a2f5e28..0bbd1e6 100644
--- a/java/org/apache/coyote/ajp/AbstractAjpProtocol.java
+++ b/java/org/apache/coyote/ajp/AbstractAjpProtocol.java
@@ -189,15 +189,15 @@ public abstract class AbstractAjpProtocol<S> extends AbstractProtocol<S> {
     }
 
 
-    private Pattern allowedArbitraryRequestAttributesPattern;
-    public void setAllowedArbitraryRequestAttributes(String allowedArbitraryRequestAttributes) {
-        this.allowedArbitraryRequestAttributesPattern = Pattern.compile(allowedArbitraryRequestAttributes);
-    }
-    public String getAllowedArbitraryRequestAttributes() {
-        return allowedArbitraryRequestAttributesPattern.pattern();
-    }
-    protected Pattern getAllowedArbitraryRequestAttributesPattern() {
-        return allowedArbitraryRequestAttributesPattern;
+    private Pattern allowedRequestAttributesPattern;                    
+    public void setAllowedRequestAttributesPattern(String allowedRequestAttributesPattern) {                    
+        this.allowedRequestAttributesPattern = Pattern.compile(allowedRequestAttributesPattern);
+   }
+    public String getAllowedRequestAttributesPattern() {                    
+        return allowedRequestAttributesPattern.pattern();
+   }
+    protected Pattern getAllowedRequestAttributesPatternInternal() {                    
+        return allowedRequestAttributesPattern;
     }
 
 
diff --git a/java/org/apache/coyote/ajp/AjpProcessor.java b/java/org/apache/coyote/ajp/AjpProcessor.java
index cc11a20..bf2cf86 100644
--- a/java/org/apache/coyote/ajp/AjpProcessor.java
+++ b/java/org/apache/coyote/ajp/AjpProcessor.java
@@ -746,7 +746,7 @@ public class AjpProcessor extends AbstractProcessor {
                 } else {
                     // All 'known' attributes will be processed by the previous
                     // blocks. Any remaining attribute is an 'arbitrary' one.
-                    Pattern pattern = protocol.getAllowedArbitraryRequestAttributesPattern();
+                    Pattern pattern = protocol.getAllowedRequestAttributesPatternInternal();
                     if (pattern == null) {
                         response.setStatus(403);
                         setErrorState(ErrorState.CLOSE_CLEAN, null);
diff --git a/webapps/docs/config/ajp.xml b/webapps/docs/config/ajp.xml
index 17107e4..622e7ca 100644
--- a/webapps/docs/config/ajp.xml
+++ b/webapps/docs/config/ajp.xml
@@ -311,7 +311,7 @@
       port. By default, the loopback address will be used.</p>
     </attribute>
 
-    <attribute name="allowedArbitraryRequestAttributes" required="false">
+    <attribute name="allowedRequestAttributesPattern" required="false">
       <p>The AJP protocol passes some information from the reverse proxy to the
       AJP connector using request attributes. These attributes are:</p>
       <ul>
-- 
2.23.0