Author: jfrederic.clere(a)jboss.com
Date: 2011-12-21 07:52:17 -0500 (Wed, 21 Dec 2011)
New Revision: 1902
Modified:
branches/2.1.x/java/org/apache/tomcat/util/http/MimeHeaders.java
branches/2.1.x/java/org/apache/tomcat/util/http/Parameters.java
branches/2.1.x/webapps/docs/changelog.xml
Log:
Port r1858 from trunk.
Modified: branches/2.1.x/java/org/apache/tomcat/util/http/MimeHeaders.java
===================================================================
--- branches/2.1.x/java/org/apache/tomcat/util/http/MimeHeaders.java 2011-12-21 09:03:03
UTC (rev 1901)
+++ branches/2.1.x/java/org/apache/tomcat/util/http/MimeHeaders.java 2011-12-21 12:52:17
UTC (rev 1902)
@@ -23,9 +23,6 @@
import org.apache.tomcat.util.buf.MessageBytes;
-/* XXX XXX XXX Need a major rewrite !!!!
- */
-
/**
* This class is used to contain standard internet message headers,
* used for SMTP (RFC822) and HTTP (RFC2068) messages as well as for
@@ -77,12 +74,6 @@
* to avoid inside tomcat. The goal is to use _only_ MessageByte-based Fields,
* and reduce to 0 the memory overhead of tomcat.
*
- * TODO:
- * XXX one-buffer parsing - for http ( other protocols don't need that )
- * XXX remove unused methods
- * XXX External enumerations, with 0 GC.
- * XXX use HeaderName ID
- *
*
* @author dac(a)eng.sun.com
* @author James Todd [gonzo(a)eng.sun.com]
@@ -212,9 +203,10 @@
}
/** Initial size - should be == average number of headers per request
- * XXX make it configurable ( fine-tuning of web-apps )
*/
public static final int DEFAULT_HEADER_SIZE = 8;
+ protected static final int MAX_COUNT =
+
Integer.valueOf(System.getProperty("org.apache.tomcat.util.http.MimeHeaders.MAX_COUNT",
"128")).intValue();
/**
* The header fields.
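Review bot: MAX_COUNT is parsed with `Integer.valueOf(System.getProperty(...))`, so a malformed property value throws NumberFormatException during static initialization and the class fails to load with ExceptionInInitializerError, which takes every request down rather than just ignoring the bad setting. `Integer.getInteger("org.apache.tomcat.util.http.MimeHeaders.MAX_COUNT", 128)` yields the same value for valid input and falls back to the default otherwise. A non-positive value is also accepted silently and would make the first array growth throw; the constant carries no Javadoc, so a one-line comment such as `/** Upper bound on the number of header fields; configurable via the MimeHeaders.MAX_COUNT system property. */` would help. The same parsing pattern appears in the Parameters.java hunk at `@@ -40,6 +40,8 @@`.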
@@ -333,6 +325,9 @@
MimeHeaderField mh;
int len = headers.length;
if (count >= len) {
+ if (count >= MAX_COUNT) {
+ throw new IllegalStateException("Header count exceeded allowed
maximum: " + MAX_COUNT);
+ }
// expand header list array
MimeHeaderField tmp[] = new MimeHeaderField[count * 2];
System.arraycopy(headers, 0, tmp, 0, len);
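Review bot: The new guard sits inside `if (count >= len)`, so it only runs when the array is about to double; with DEFAULT_HEADER_SIZE of 8 the array grows 8, 16, 32, 64, 128 and the default limit happens to coincide with a growth point, but any other configured value (say 100) lets the count reach the next doubling boundary before anything throws, so the property does not bound the count as documented. Move the check in front of the growth test so it applies to every addition: `if (count >= MAX_COUNT) { throw new IllegalStateException("Header count exceeded allowed maximum: " + MAX_COUNT); }` placed before `if (count >= len) {`. The same placement problem is in the Parameters.java hunk at `@@ -212,6 +214,9 @@`, where INITIAL_SIZE is likewise 8 and the check is nested the same way. The enclosing method starts and ends outside the hunk.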
@@ -441,9 +436,7 @@
* @param name the name of the header field to be removed
*/
public void removeHeader(String name) {
- // XXX
// warning: rather sticky code; heavily tuned
-
for (int i = 0; i < count; i++) {
if (headers[i].getName().equalsIgnoreCase(name)) {
removeHeader(i--);
Modified: branches/2.1.x/java/org/apache/tomcat/util/http/Parameters.java
===================================================================
--- branches/2.1.x/java/org/apache/tomcat/util/http/Parameters.java 2011-12-21 09:03:03
UTC (rev 1901)
+++ branches/2.1.x/java/org/apache/tomcat/util/http/Parameters.java 2011-12-21 12:52:17
UTC (rev 1902)
@@ -40,6 +40,8 @@
protected static final int LAST = -1;
public static final int INITIAL_SIZE = 8;
protected static final String[] ARRAY_TYPE = new String[0];
+ protected static final int MAX_COUNT =
+
Integer.valueOf(System.getProperty("org.apache.tomcat.util.http.Parameters.MAX_COUNT",
"512")).intValue();
protected class Field {
MessageBytes name = MessageBytes.newInstance();
@@ -212,6 +214,9 @@
int len = fields.length;
int pos = count;
if (count >= len) {
+ if (count >= MAX_COUNT) {
+ throw new IllegalStateException("Parameter count exceeded allowed
maximum: " + MAX_COUNT);
+ }
// expand header list array
Field tmp[] = new Field[pos * 2];
System.arraycopy(fields, 0, tmp, 0, len);
Modified: branches/2.1.x/webapps/docs/changelog.xml
===================================================================
--- branches/2.1.x/webapps/docs/changelog.xml 2011-12-21 09:03:03 UTC (rev 1901)
+++ branches/2.1.x/webapps/docs/changelog.xml 2011-12-21 12:52:17 UTC (rev 1902)
@@ -28,6 +28,10 @@
<fix>
<bug>51698</bug>: Fix CVE-2011-3190. Prevent AJP message injection.
(markt)
</fix>
+ <fix>
+ Add system properties which restrict parameter count
(org.apache.tomcat.util.http.Parameters.MAX_COUNT
+ default to 512) and header count
(org.apache.tomcat.util.http.MimeHeaders.MAX_COUNT to 128). (remm)
+ </fix>
</changelog>
</subsection>
<subsection name="Jasper">