Author: remy.maucherat(a)jboss.com
Date: 2014-02-06 08:31:30 -0500 (Thu, 06 Feb 2014)
New Revision: 2359
Modified:
branches/7.4.x/src/main/java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java
branches/7.4.x/src/main/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java
branches/7.4.x/src/main/java/org/jboss/web/FileUploadMessages.java
Log:
Port fix for minor security issue CVE-2014-0050 multipart DoS.
Modified:
branches/7.4.x/src/main/java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java
===================================================================
---
branches/7.4.x/src/main/java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java 2014-01-29
11:44:13 UTC (rev 2358)
+++
branches/7.4.x/src/main/java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java 2014-02-06
13:31:30 UTC (rev 2359)
@@ -795,7 +795,11 @@
notifier = new MultipartStream.ProgressNotifier(listener,
ctx.getContentLength());
- multi = new MultipartStream(input, boundary, notifier);
+ try {
+ multi = new MultipartStream(input, boundary, notifier);
+ } catch (IllegalArgumentException iae) {
+ throw new
InvalidContentTypeException(MESSAGES.invalidBoundary(CONTENT_TYPE), iae);
+ }
multi.setHeaderEncoding(charEncoding);
skipPreamble = true;
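Review bot: The new `catch (IllegalArgumentException iae)` around the `MultipartStream` constructor reports every such exception as "boundary too long", so the message is only accurate while the buffer-size guard is the constructor's sole argument check. A short comment above the `try` would record that coupling, for example `// MultipartStream rejects a boundary that does not fit its buffer; the boundary comes from the Content-Type header, so report it as an invalid content type`. The enclosing method starts and ends outside this hunk, so whether `boundary` is checked for null before the call cannot be confirmed from here.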
@@ -969,7 +973,7 @@
* detail message.
*/
public InvalidContentTypeException() {
- // Nothing to do.
+ super();
}
/**
@@ -981,6 +985,10 @@
public InvalidContentTypeException(String message) {
super(message);
}
+
+ public InvalidContentTypeException(String message, Exception cause) {
+ super(message, cause);
+ }
}
/**
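Review bot: The added `InvalidContentTypeException(String message, Exception cause)` constructor has no Javadoc, while the constructors above it in the same class are documented. It should get a matching comment block with `@param message` and `@param cause` entries that describe the detail message and the underlying exception. Declaring the parameter as `Throwable cause` would follow the usual exception-chaining signature, provided the superclass (not visible here) offers that overload.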
Modified:
branches/7.4.x/src/main/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java
===================================================================
---
branches/7.4.x/src/main/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java 2014-01-29
11:44:13 UTC (rev 2358)
+++
branches/7.4.x/src/main/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java 2014-02-06
13:31:30 UTC (rev 2359)
@@ -302,8 +302,11 @@
// We prepend CR/LF to the boundary to chop trailing CR/LF from
// body-data tokens.
- this.boundary = new byte[boundary.length + BOUNDARY_PREFIX.length];
this.boundaryLength = boundary.length + BOUNDARY_PREFIX.length;
+ if (bufSize < this.boundaryLength + 1) {
+ throw MESSAGES.multipartStreamBufferSizeTooSmall();
+ }
+ this.boundary = new byte[this.boundaryLength];
this.keepRegion = this.boundary.length;
System.arraycopy(BOUNDARY_PREFIX, 0, this.boundary, 0,
BOUNDARY_PREFIX.length);
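Review bot: The `bufSize < this.boundaryLength + 1` guard is the core of the fix, yet nothing beside it explains why the buffer needs one byte more than the delimiter. A comment above the `if` would keep a later refactor from relaxing it, for example `// The buffer must hold the full delimiter plus at least one byte of body data, otherwise parsing cannot make progress (CVE-2014-0050)`. The constructor's Javadoc, which lies outside this hunk, should also gain a `@throws IllegalArgumentException` line for a buffer that is too small for the boundary.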
Modified: branches/7.4.x/src/main/java/org/jboss/web/FileUploadMessages.java
===================================================================
--- branches/7.4.x/src/main/java/org/jboss/web/FileUploadMessages.java 2014-01-29 11:44:13
UTC (rev 2358)
+++ branches/7.4.x/src/main/java/org/jboss/web/FileUploadMessages.java 2014-02-06 13:31:30
UTC (rev 2359)
@@ -122,4 +122,10 @@
@Message(id = 8228, value = "Invalid file name: %s")
String invalidFileName(String fileName);
+ @Message(id = 8229, value = "The boundary specified in the %s header is too
long")
+ String invalidBoundary(String header);
+
+ @Message(id = 8230, value = "The buffer size specified for the MultipartStream
is too small")
+ IllegalArgumentException multipartStreamBufferSizeTooSmall();
+
}