Author: bmaxwell
Date: 2012-01-04 11:14:28 -0500 (Wed, 04 Jan 2012)
New Revision: 1912
Modified:
branches/JBOSSWEB_2_1_11_GA_JBPAPP-7837/build.properties.default
branches/JBOSSWEB_2_1_11_GA_JBPAPP-7837/build.xml
branches/JBOSSWEB_2_1_11_GA_JBPAPP-7837/java/org/apache/tomcat/util/http/MimeHeaders.java
branches/JBOSSWEB_2_1_11_GA_JBPAPP-7837/java/org/apache/tomcat/util/http/Parameters.java
Log:
[JBPAPP-7837] JBWEB-209: CVE Fixes: 2011-2204, 2011-2729, 2011-1184, 2011-2526, 2011-4858
Modified: branches/JBOSSWEB_2_1_11_GA_JBPAPP-7837/build.properties.default
===================================================================
--- branches/JBOSSWEB_2_1_11_GA_JBPAPP-7837/build.properties.default 2012-01-04 16:13:17
UTC (rev 1911)
+++ branches/JBOSSWEB_2_1_11_GA_JBPAPP-7837/build.properties.default 2012-01-04 16:14:28
UTC (rev 1912)
@@ -12,8 +12,8 @@
# ----- Version Control Flags -----
version.major=2
version.minor=1
-version.build=4
-version.patch=0
+version.build=11
+version.patch=JBPAPP-7837
version.tag=SNAPSHOT
# ----- Default Base Path for Dependent Packages -----
Modified: branches/JBOSSWEB_2_1_11_GA_JBPAPP-7837/build.xml
===================================================================
--- branches/JBOSSWEB_2_1_11_GA_JBPAPP-7837/build.xml 2012-01-04 16:13:17 UTC (rev 1911)
+++ branches/JBOSSWEB_2_1_11_GA_JBPAPP-7837/build.xml 2012-01-04 16:14:28 UTC (rev 1912)
@@ -17,7 +17,7 @@
<property name="version.major" value="2" />
<property name="version.minor" value="1" />
<property name="version.build" value="0" />
- <property name="version.patch" value="0" />
+ <property name="version.patch" value="JBPAPP-7837"
/>
<property name="version.tag" value="SNAPSHOT" />
<property name="version"
value="${version.major}.${version.minor}.${version.build}.${version.tag}" />
<property name="version.number"
value="${version.major}.${version.minor}.${version.build}.${version.patch}"
/>
Modified:
branches/JBOSSWEB_2_1_11_GA_JBPAPP-7837/java/org/apache/tomcat/util/http/MimeHeaders.java
===================================================================
---
branches/JBOSSWEB_2_1_11_GA_JBPAPP-7837/java/org/apache/tomcat/util/http/MimeHeaders.java 2012-01-04
16:13:17 UTC (rev 1911)
+++
branches/JBOSSWEB_2_1_11_GA_JBPAPP-7837/java/org/apache/tomcat/util/http/MimeHeaders.java 2012-01-04
16:14:28 UTC (rev 1912)
@@ -23,9 +23,6 @@
import org.apache.tomcat.util.buf.MessageBytes;
-/* XXX XXX XXX Need a major rewrite !!!!
- */
-
/**
* This class is used to contain standard internet message headers,
* used for SMTP (RFC822) and HTTP (RFC2068) messages as well as for
@@ -77,12 +74,6 @@
* to avoid inside tomcat. The goal is to use _only_ MessageByte-based Fields,
* and reduce to 0 the memory overhead of tomcat.
*
- * TODO:
- * XXX one-buffer parsing - for http ( other protocols don't need that )
- * XXX remove unused methods
- * XXX External enumerations, with 0 GC.
- * XXX use HeaderName ID
- *
*
* @author dac(a)eng.sun.com
* @author James Todd [gonzo(a)eng.sun.com]
@@ -212,9 +203,10 @@
}
/** Initial size - should be == average number of headers per request
- * XXX make it configurable ( fine-tuning of web-apps )
*/
public static final int DEFAULT_HEADER_SIZE = 8;
+ protected static final int MAX_COUNT =
+
Integer.valueOf(System.getProperty("org.apache.tomcat.util.http.MimeHeaders.MAX_COUNT",
"128")).intValue();
/**
* The header fields.
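Review bot: A non-numeric value for `org.apache.tomcat.util.http.MimeHeaders.MAX_COUNT` makes `Integer.valueOf(...)` throw NumberFormatException inside the static initializer, so the class fails to initialize instead of falling back to a safe limit. `Integer.getInteger("org.apache.tomcat.util.http.MimeHeaders.MAX_COUNT", 128).intValue()` returns the default when the property is missing or malformed. A zero or negative value is also accepted unchecked and would reject requests at the first array expansion, so it is worth falling back to the default for values below 1. The new constant has no Javadoc; I would add one naming the system property, its default, and that it is read once at class load. The same points apply to `Parameters.MAX_COUNT` (default 512) in the Parameters.java hunk.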
@@ -333,6 +325,9 @@
MimeHeaderField mh;
int len = headers.length;
if (count >= len) {
+ if (count >= MAX_COUNT) {
+ throw new IllegalStateException("Header count exceeded allowed
maximum: " + MAX_COUNT);
+ }
// expand header list array
MimeHeaderField tmp[] = new MimeHeaderField[count * 2];
System.arraycopy(headers, 0, tmp, 0, len);
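Review bot: The `count >= MAX_COUNT` test sits inside `if (count >= len)`, so it runs only when the backing array is full, and the effective cap is the first array capacity at or above MAX_COUNT rather than the configured number. If the array starts at DEFAULT_HEADER_SIZE (8) and doubles, as the visible expansion code suggests, the default of 128 is hit exactly, but a configured value such as 100 would still admit 128 headers. Moving the guard ahead of the capacity test enforces the documented limit: `if (count >= MAX_COUNT) { throw new IllegalStateException(...); }` followed by the existing `if (count >= len) {`. The Parameters.java hunk has the same placement for `fields`. The enclosing method starts and ends outside the hunk, so whether callers turn this IllegalStateException into a client error and log it is not visible here.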
@@ -441,9 +436,7 @@
* @param name the name of the header field to be removed
*/
public void removeHeader(String name) {
- // XXX
// warning: rather sticky code; heavily tuned
-
for (int i = 0; i < count; i++) {
if (headers[i].getName().equalsIgnoreCase(name)) {
removeHeader(i--);
Modified:
branches/JBOSSWEB_2_1_11_GA_JBPAPP-7837/java/org/apache/tomcat/util/http/Parameters.java
===================================================================
---
branches/JBOSSWEB_2_1_11_GA_JBPAPP-7837/java/org/apache/tomcat/util/http/Parameters.java 2012-01-04
16:13:17 UTC (rev 1911)
+++
branches/JBOSSWEB_2_1_11_GA_JBPAPP-7837/java/org/apache/tomcat/util/http/Parameters.java 2012-01-04
16:14:28 UTC (rev 1912)
@@ -40,6 +40,8 @@
protected static final int LAST = -1;
public static final int INITIAL_SIZE = 8;
protected static final String[] ARRAY_TYPE = new String[0];
+ protected static final int MAX_COUNT =
+
Integer.valueOf(System.getProperty("org.apache.tomcat.util.http.Parameters.MAX_COUNT",
"512")).intValue();
protected class Field {
MessageBytes name = MessageBytes.newInstance();
@@ -212,6 +214,9 @@
int len = fields.length;
int pos = count;
if (count >= len) {
+ if (count >= MAX_COUNT) {
+ throw new IllegalStateException("Parameter count exceeded allowed
maximum: " + MAX_COUNT);
+ }
// expand header list array
Field tmp[] = new Field[pos * 2];
System.arraycopy(fields, 0, tmp, 0, len);