7:02 p.m.
Author: aogburn
Date: 2014-04-11 13:01:59 -0400 (Fri, 11 Apr 2014)
New Revision: 2403
Modified:
branches/JBOSSWEB_7_2_2_FINAL_BZ-1086847/src/main/java/org/apache/coyote/Request.java
branches/JBOSSWEB_7_2_2_FINAL_BZ-1086847/src/main/java/org/apache/coyote/ajp/AjpAprProcessor.java
branches/JBOSSWEB_7_2_2_FINAL_BZ-1086847/src/main/java/org/apache/coyote/ajp/AjpProcessor.java
branches/JBOSSWEB_7_2_2_FINAL_BZ-1086847/src/main/java/org/apache/coyote/http11/Http11AprProcessor.java
branches/JBOSSWEB_7_2_2_FINAL_BZ-1086847/src/main/java/org/apache/coyote/http11/Http11NioProcessor.java
branches/JBOSSWEB_7_2_2_FINAL_BZ-1086847/src/main/java/org/apache/coyote/http11/Http11Processor.java
Log:
[BZ-1086847] commit CVE-2013-4286 fix
Modified:
branches/JBOSSWEB_7_2_2_FINAL_BZ-1086847/src/main/java/org/apache/coyote/Request.java
===================================================================
---
branches/JBOSSWEB_7_2_2_FINAL_BZ-1086847/src/main/java/org/apache/coyote/Request.java 2014-04-11
16:31:54 UTC (rev 2402)
+++
branches/JBOSSWEB_7_2_2_FINAL_BZ-1086847/src/main/java/org/apache/coyote/Request.java 2014-04-11
17:01:59 UTC (rev 2403)
@@ -288,7 +288,7 @@
}
- public void setContentLength(int len) {
+ public void setContentLength(long len) {
this.contentLength = len;
}
Property changes on:
branches/JBOSSWEB_7_2_2_FINAL_BZ-1086847/src/main/java/org/apache/coyote/Request.java
___________________________________________________________________
Added: svn:mergeinfo
+ /branches/7.4.x/src/main/java/org/apache/coyote/Request.java:2323
Modified:
branches/JBOSSWEB_7_2_2_FINAL_BZ-1086847/src/main/java/org/apache/coyote/ajp/AjpAprProcessor.java
===================================================================
---
branches/JBOSSWEB_7_2_2_FINAL_BZ-1086847/src/main/java/org/apache/coyote/ajp/AjpAprProcessor.java 2014-04-11
16:31:54 UTC (rev 2402)
+++
branches/JBOSSWEB_7_2_2_FINAL_BZ-1086847/src/main/java/org/apache/coyote/ajp/AjpAprProcessor.java 2014-04-11
17:01:59 UTC (rev 2403)
@@ -28,6 +28,8 @@
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
+import javax.servlet.http.HttpServletResponse;
+
import org.apache.coyote.ActionCode;
import org.apache.coyote.ActionHook;
import org.apache.coyote.Adapter;
@@ -721,6 +723,7 @@
// Decode headers
MimeHeaders headers = request.getMimeHeaders();
+ boolean contentLengthSet = false;
int hCount = requestHeaderMessage.getInt();
for(int i = 0 ; i < hCount ; i++) {
String hName = null;
@@ -755,8 +758,15 @@
if (hId == Constants.SC_REQ_CONTENT_LENGTH ||
(hId == -1 &&
tmpMB.equalsIgnoreCase("Content-Length"))) {
- // just read the content-length header, so set it
- request.setContentLength( vMB.getInt() );
+ long cl = vMB.getLong();
+ if (contentLengthSet) {
+ response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
+ error = true;
+ } else {
+ contentLengthSet = true;
+ // Set the content-length header for the request
+ request.setContentLength(cl);
+ }
} else if (hId == Constants.SC_REQ_CONTENT_TYPE ||
(hId == -1 &&
tmpMB.equalsIgnoreCase("Content-Type"))) {
// just read the content-type header, so set it
Property changes on:
branches/JBOSSWEB_7_2_2_FINAL_BZ-1086847/src/main/java/org/apache/coyote/ajp/AjpAprProcessor.java
___________________________________________________________________
Added: svn:mergeinfo
+ /branches/7.4.x/src/main/java/org/apache/coyote/ajp/AjpAprProcessor.java:2323
Modified:
branches/JBOSSWEB_7_2_2_FINAL_BZ-1086847/src/main/java/org/apache/coyote/ajp/AjpProcessor.java
===================================================================
---
branches/JBOSSWEB_7_2_2_FINAL_BZ-1086847/src/main/java/org/apache/coyote/ajp/AjpProcessor.java 2014-04-11
16:31:54 UTC (rev 2402)
+++
branches/JBOSSWEB_7_2_2_FINAL_BZ-1086847/src/main/java/org/apache/coyote/ajp/AjpProcessor.java 2014-04-11
17:01:59 UTC (rev 2403)
@@ -30,6 +30,8 @@
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
+import javax.servlet.http.HttpServletResponse;
+
import org.apache.coyote.ActionCode;
import org.apache.coyote.ActionHook;
import org.apache.coyote.Adapter;
@@ -735,6 +737,7 @@
// Decode headers
MimeHeaders headers = request.getMimeHeaders();
+ boolean contentLengthSet = false;
int hCount = requestHeaderMessage.getInt();
for(int i = 0 ; i < hCount ; i++) {
String hName = null;
@@ -769,8 +772,15 @@
if (hId == Constants.SC_REQ_CONTENT_LENGTH ||
(hId == -1 &&
tmpMB.equalsIgnoreCase("Content-Length"))) {
- // just read the content-length header, so set it
- request.setContentLength( vMB.getInt() );
+ long cl = vMB.getLong();
+ if (contentLengthSet) {
+ response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
+ error = true;
+ } else {
+ contentLengthSet = true;
+ // Set the content-length header for the request
+ request.setContentLength(cl);
+ }
} else if (hId == Constants.SC_REQ_CONTENT_TYPE ||
(hId == -1 &&
tmpMB.equalsIgnoreCase("Content-Type"))) {
// just read the content-type header, so set it
Property changes on:
branches/JBOSSWEB_7_2_2_FINAL_BZ-1086847/src/main/java/org/apache/coyote/ajp/AjpProcessor.java
___________________________________________________________________
Added: svn:mergeinfo
+ /branches/7.4.x/src/main/java/org/apache/coyote/ajp/AjpProcessor.java:2323
Modified:
branches/JBOSSWEB_7_2_2_FINAL_BZ-1086847/src/main/java/org/apache/coyote/http11/Http11AprProcessor.java
===================================================================
---
branches/JBOSSWEB_7_2_2_FINAL_BZ-1086847/src/main/java/org/apache/coyote/http11/Http11AprProcessor.java 2014-04-11
16:31:54 UTC (rev 2402)
+++
branches/JBOSSWEB_7_2_2_FINAL_BZ-1086847/src/main/java/org/apache/coyote/http11/Http11AprProcessor.java 2014-04-11
17:01:59 UTC (rev 2403)
@@ -1468,10 +1468,19 @@
// Parse content-length header
long contentLength = request.getContentLengthLong();
- if (contentLength >= 0 && !contentDelimitation) {
- inputBuffer.addActiveFilter
- (inputFilters[Constants.IDENTITY_FILTER]);
- contentDelimitation = true;
+ if (contentLength >= 0) {
+ if (contentDelimitation) {
+ // contentDelimitation being true at this point indicates that
+ // chunked encoding is being used but chunked encoding should
+ // not be used with a content length. RFC 2616, section 4.4,
+ // bullet 3 states Content-Length must be ignored in this case -
+ // so remove it.
+ headers.removeHeader("content-length");
+ request.setContentLength(-1);
+ } else {
+ inputBuffer.addActiveFilter(inputFilters[Constants.IDENTITY_FILTER]);
+ contentDelimitation = true;
+ }
}
MessageBytes valueMB = headers.getValue("host");
Property changes on:
branches/JBOSSWEB_7_2_2_FINAL_BZ-1086847/src/main/java/org/apache/coyote/http11/Http11AprProcessor.java
___________________________________________________________________
Added: svn:mergeinfo
+ /branches/7.4.x/src/main/java/org/apache/coyote/http11/Http11AprProcessor.java:2323
Modified:
branches/JBOSSWEB_7_2_2_FINAL_BZ-1086847/src/main/java/org/apache/coyote/http11/Http11NioProcessor.java
===================================================================
---
branches/JBOSSWEB_7_2_2_FINAL_BZ-1086847/src/main/java/org/apache/coyote/http11/Http11NioProcessor.java 2014-04-11
16:31:54 UTC (rev 2402)
+++
branches/JBOSSWEB_7_2_2_FINAL_BZ-1086847/src/main/java/org/apache/coyote/http11/Http11NioProcessor.java 2014-04-11
17:01:59 UTC (rev 2403)
@@ -1004,12 +1004,22 @@
}
}
- // Parse content-length header
- long contentLength = request.getContentLengthLong();
- if (contentLength >= 0 && !contentDelimitation) {
- inputBuffer.addActiveFilter(inputFilters[Constants.IDENTITY_FILTER]);
- contentDelimitation = true;
- }
+ // Parse content-length header
+ long contentLength = request.getContentLengthLong();
+ if (contentLength >= 0) {
+ if (contentDelimitation) {
+ // contentDelimitation being true at this point indicates that
+ // chunked encoding is being used but chunked encoding should
+ // not be used with a content length. RFC 2616, section 4.4,
+ // bullet 3 states Content-Length must be ignored in this case -
+ // so remove it.
+ headers.removeHeader("content-length");
+ request.setContentLength(-1);
+ } else {
+ inputBuffer.addActiveFilter(inputFilters[Constants.IDENTITY_FILTER]);
+ contentDelimitation = true;
+ }
+ }
MessageBytes valueMB = headers.getValue("host");
Property changes on:
branches/JBOSSWEB_7_2_2_FINAL_BZ-1086847/src/main/java/org/apache/coyote/http11/Http11NioProcessor.java
___________________________________________________________________
Added: svn:mergeinfo
+ /branches/7.4.x/src/main/java/org/apache/coyote/http11/Http11NioProcessor.java:2323
Modified:
branches/JBOSSWEB_7_2_2_FINAL_BZ-1086847/src/main/java/org/apache/coyote/http11/Http11Processor.java
===================================================================
---
branches/JBOSSWEB_7_2_2_FINAL_BZ-1086847/src/main/java/org/apache/coyote/http11/Http11Processor.java 2014-04-11
16:31:54 UTC (rev 2402)
+++
branches/JBOSSWEB_7_2_2_FINAL_BZ-1086847/src/main/java/org/apache/coyote/http11/Http11Processor.java 2014-04-11
17:01:59 UTC (rev 2403)
@@ -1328,10 +1328,19 @@
// Parse content-length header
long contentLength = request.getContentLengthLong();
- if (contentLength >= 0 && !contentDelimitation) {
- inputBuffer.addActiveFilter
- (inputFilters[Constants.IDENTITY_FILTER]);
- contentDelimitation = true;
+ if (contentLength >= 0) {
+ if (contentDelimitation) {
+ // contentDelimitation being true at this point indicates that
+ // chunked encoding is being used but chunked encoding should
+ // not be used with a content length. RFC 2616, section 4.4,
+ // bullet 3 states Content-Length must be ignored in this case -
+ // so remove it.
+ headers.removeHeader("content-length");
+ request.setContentLength(-1);
+ } else {
+ inputBuffer.addActiveFilter(inputFilters[Constants.IDENTITY_FILTER]);
+ contentDelimitation = true;
+ }
}
MessageBytes valueMB = headers.getValue("host");
Property changes on:
branches/JBOSSWEB_7_2_2_FINAL_BZ-1086847/src/main/java/org/apache/coyote/http11/Http11Processor.java
___________________________________________________________________
Added: svn:mergeinfo
+ /branches/7.4.x/src/main/java/org/apache/coyote/http11/Http11Processor.java:2323