Author: aogburn
Date: 2014-09-04 17:30:47 -0400 (Thu, 04 Sep 2014)
New Revision: 2505
Modified:
branches/JBOSSWEB_2_1_12_GA_JBPAPP-11181/java/
branches/JBOSSWEB_2_1_12_GA_JBPAPP-11181/java/org/apache/catalina/security/SecurityClassLoad.java
branches/JBOSSWEB_2_1_12_GA_JBPAPP-11181/java/org/apache/catalina/servlets/DefaultServlet.java
branches/JBOSSWEB_2_1_12_GA_JBPAPP-11181/java/org/apache/coyote/ajp/AjpAprProcessor.java
branches/JBOSSWEB_2_1_12_GA_JBPAPP-11181/java/org/apache/coyote/ajp/AjpProcessor.java
branches/JBOSSWEB_2_1_12_GA_JBPAPP-11181/java/org/apache/coyote/http11/Http11AprProcessor.java
branches/JBOSSWEB_2_1_12_GA_JBPAPP-11181/java/org/apache/coyote/http11/Http11Processor.java
branches/JBOSSWEB_2_1_12_GA_JBPAPP-11181/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java
branches/JBOSSWEB_2_1_12_GA_JBPAPP-11181/java/org/apache/jasper/compiler/JspDocumentParser.java
branches/JBOSSWEB_2_1_12_GA_JBPAPP-11181/java/org/apache/tomcat/util/
branches/JBOSSWEB_2_1_12_GA_JBPAPP-11181/java/org/apache/tomcat/util/buf/Ascii.java
branches/JBOSSWEB_2_1_12_GA_JBPAPP-11181/java/org/apache/tomcat/util/net/JIoEndpoint.java
Log:
[JBPAPP-11181] merge fix for CVE-2013-4286
Property changes on: branches/JBOSSWEB_2_1_12_GA_JBPAPP-11181/java
___________________________________________________________________
Modified: svn:mergeinfo
- /branches/2.1.x/java:2480-2482
+ /branches/2.1.x/java:2394,2480-2482
Property changes on:
branches/JBOSSWEB_2_1_12_GA_JBPAPP-11181/java/org/apache/catalina/security/SecurityClassLoad.java
___________________________________________________________________
Modified: svn:mergeinfo
- /branches/2.1.x/java/org/apache/catalina/security/SecurityClassLoad.java:2480-2482
/branches/7.4.x/src/main/java/org/apache/catalina/security/SecurityClassLoad.java:2460
+
/branches/2.1.x/java/org/apache/catalina/security/SecurityClassLoad.java:2394,2480-2482
/branches/7.4.x/src/main/java/org/apache/catalina/security/SecurityClassLoad.java:2460
Property changes on:
branches/JBOSSWEB_2_1_12_GA_JBPAPP-11181/java/org/apache/catalina/servlets/DefaultServlet.java
___________________________________________________________________
Modified: svn:mergeinfo
- /branches/2.1.x/java/org/apache/catalina/servlets/DefaultServlet.java:2480-2482
/branches/7.4.x/src/main/java/org/apache/catalina/servlets/DefaultServlet.java:2427
+ /branches/2.1.x/java/org/apache/catalina/servlets/DefaultServlet.java:2394,2480-2482
/branches/7.4.x/src/main/java/org/apache/catalina/servlets/DefaultServlet.java:2427
Modified:
branches/JBOSSWEB_2_1_12_GA_JBPAPP-11181/java/org/apache/coyote/ajp/AjpAprProcessor.java
===================================================================
---
branches/JBOSSWEB_2_1_12_GA_JBPAPP-11181/java/org/apache/coyote/ajp/AjpAprProcessor.java 2014-09-04
20:50:30 UTC (rev 2504)
+++
branches/JBOSSWEB_2_1_12_GA_JBPAPP-11181/java/org/apache/coyote/ajp/AjpAprProcessor.java 2014-09-04
21:30:47 UTC (rev 2505)
@@ -25,6 +25,8 @@
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
+import javax.servlet.http.HttpServletResponse;
+
import org.apache.coyote.ActionCode;
import org.apache.coyote.ActionHook;
import org.apache.coyote.Adapter;
@@ -654,6 +656,7 @@
// Decode headers
MimeHeaders headers = request.getMimeHeaders();
+ boolean contentLengthSet = false;
int hCount = requestHeaderMessage.getInt();
for(int i = 0 ; i < hCount ; i++) {
String hName = null;
@@ -689,7 +692,16 @@
if (hId == Constants.SC_REQ_CONTENT_LENGTH ||
(hId == -1 &&
tmpMB.equalsIgnoreCase("Content-Length"))) {
// just read the content-length header, so set it
- request.setContentLength( vMB.getInt() );
+ long cl = vMB.getLong();
+ if (contentLengthSet) {
+ response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
+ error = true;
+ } else {
+ contentLengthSet = true;
+ // Set the content-length header for the request
+ if(cl < Integer.MAX_VALUE)
+ request.setContentLength( (int)cl );
+ }
} else if (hId == Constants.SC_REQ_CONTENT_TYPE ||
(hId == -1 &&
tmpMB.equalsIgnoreCase("Content-Type"))) {
// just read the content-type header, so set it
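Review bot: The added guard `if(cl < Integer.MAX_VALUE)` has no lower bound, so a negative Content-Length passes it and is cast and handed to `request.setContentLength`, while a value at or above Integer.MAX_VALUE is skipped with no comment explaining what happens to it. Consider `if (cl >= 0 && cl < Integer.MAX_VALUE) { request.setContentLength((int) cl); }`, with braces and a short comment on how larger values are resolved (presumably later from the header; that path is not visible here). `vMB.getLong()` also runs before the duplicate check, so a malformed repeated header would likely raise a NumberFormatException rather than produce the 400; parsing inside the `else` branch would avoid that. The same code is added in the AjpProcessor.java hunk at -694,7 +697,16, and the enclosing header loop starts and ends outside both hunks.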
Modified:
branches/JBOSSWEB_2_1_12_GA_JBPAPP-11181/java/org/apache/coyote/ajp/AjpProcessor.java
===================================================================
---
branches/JBOSSWEB_2_1_12_GA_JBPAPP-11181/java/org/apache/coyote/ajp/AjpProcessor.java 2014-09-04
20:50:30 UTC (rev 2504)
+++
branches/JBOSSWEB_2_1_12_GA_JBPAPP-11181/java/org/apache/coyote/ajp/AjpProcessor.java 2014-09-04
21:30:47 UTC (rev 2505)
@@ -27,6 +27,8 @@
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
+import javax.servlet.http.HttpServletResponse;
+
import org.apache.coyote.ActionCode;
import org.apache.coyote.ActionHook;
import org.apache.coyote.Adapter;
@@ -659,6 +661,7 @@
// Decode headers
MimeHeaders headers = request.getMimeHeaders();
+ boolean contentLengthSet = false;
int hCount = requestHeaderMessage.getInt();
for(int i = 0 ; i < hCount ; i++) {
String hName = null;
@@ -694,7 +697,16 @@
if (hId == Constants.SC_REQ_CONTENT_LENGTH ||
(hId == -1 &&
tmpMB.equalsIgnoreCase("Content-Length"))) {
// just read the content-length header, so set it
- request.setContentLength( vMB.getInt() );
+ long cl = vMB.getLong();
+ if (contentLengthSet) {
+ response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
+ error = true;
+ } else {
+ contentLengthSet = true;
+ // Set the content-length header for the request
+ if(cl < Integer.MAX_VALUE)
+ request.setContentLength( (int)cl );
+ }
} else if (hId == Constants.SC_REQ_CONTENT_TYPE ||
(hId == -1 &&
tmpMB.equalsIgnoreCase("Content-Type"))) {
// just read the content-type header, so set it
Modified:
branches/JBOSSWEB_2_1_12_GA_JBPAPP-11181/java/org/apache/coyote/http11/Http11AprProcessor.java
===================================================================
---
branches/JBOSSWEB_2_1_12_GA_JBPAPP-11181/java/org/apache/coyote/http11/Http11AprProcessor.java 2014-09-04
20:50:30 UTC (rev 2504)
+++
branches/JBOSSWEB_2_1_12_GA_JBPAPP-11181/java/org/apache/coyote/http11/Http11AprProcessor.java 2014-09-04
21:30:47 UTC (rev 2505)
@@ -1469,10 +1469,20 @@
// Parse content-length header
long contentLength = request.getContentLengthLong();
- if (contentLength >= 0 && !contentDelimitation) {
- inputBuffer.addActiveFilter
+ if (contentLength >= 0) {
+ if (contentDelimitation) {
+ // contentDelimitation being true at this point indicates that
+ // chunked encoding is being used but chunked encoding should
+ // not be used with a content length. RFC 2616, section 4.4,
+ // bullet 3 states Content-Length must be ignored in this case -
+ // so remove it.
+ headers.removeHeader("content-length");
+ request.setContentLength(-1);
+ } else {
+ inputBuffer.addActiveFilter
(inputFilters[Constants.IDENTITY_FILTER]);
- contentDelimitation = true;
+ contentDelimitation = true;
+ }
}
MessageBytes valueMB = headers.getValue("host");
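Review bot: The new `contentDelimitation` branch drops a Content-Length that arrives together with chunked encoding without leaving any trace, and that combination is a request-smuggling indicator worth surfacing to operators. A debug-level log line next to `headers.removeHeader("content-length");` would make such requests visible; the logger to use is not shown in this hunk. The comment cites RFC 2616 section 4.4, and RFC 7230 section 3.3.3 now covers this case and could be referenced as well. The continuation line `(inputFilters[Constants.IDENTITY_FILTER]);` was not re-indented with the rest of the `else` body. The identical change is made in the Http11Processor.java hunk at -1273,10 +1273,20, and the enclosing method starts and ends outside both hunks.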
Modified:
branches/JBOSSWEB_2_1_12_GA_JBPAPP-11181/java/org/apache/coyote/http11/Http11Processor.java
===================================================================
---
branches/JBOSSWEB_2_1_12_GA_JBPAPP-11181/java/org/apache/coyote/http11/Http11Processor.java 2014-09-04
20:50:30 UTC (rev 2504)
+++
branches/JBOSSWEB_2_1_12_GA_JBPAPP-11181/java/org/apache/coyote/http11/Http11Processor.java 2014-09-04
21:30:47 UTC (rev 2505)
@@ -1273,10 +1273,20 @@
// Parse content-length header
long contentLength = request.getContentLengthLong();
- if (contentLength >= 0 && !contentDelimitation) {
- inputBuffer.addActiveFilter
+ if (contentLength >= 0) {
+ if (contentDelimitation) {
+ // contentDelimitation being true at this point indicates that
+ // chunked encoding is being used but chunked encoding should
+ // not be used with a content length. RFC 2616, section 4.4,
+ // bullet 3 states Content-Length must be ignored in this case -
+ // so remove it.
+ headers.removeHeader("content-length");
+ request.setContentLength(-1);
+ } else {
+ inputBuffer.addActiveFilter
(inputFilters[Constants.IDENTITY_FILTER]);
- contentDelimitation = true;
+ contentDelimitation = true;
+ }
}
MessageBytes valueMB = headers.getValue("host");
Property changes on:
branches/JBOSSWEB_2_1_12_GA_JBPAPP-11181/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java
___________________________________________________________________
Modified: svn:mergeinfo
-
/branches/2.1.x/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java:2480-2482
/branches/7.4.x/src/main/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java:2428
+
/branches/2.1.x/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java:2394,2480-2482
/branches/7.4.x/src/main/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java:2428
Property changes on:
branches/JBOSSWEB_2_1_12_GA_JBPAPP-11181/java/org/apache/jasper/compiler/JspDocumentParser.java
___________________________________________________________________
Modified: svn:mergeinfo
- /branches/2.1.x/java/org/apache/jasper/compiler/JspDocumentParser.java:2480-2482
/branches/7.4.x/src/main/java/org/apache/jasper/compiler/JspDocumentParser.java:2427
+
/branches/2.1.x/java/org/apache/jasper/compiler/JspDocumentParser.java:2394,2480-2482
/branches/7.4.x/src/main/java/org/apache/jasper/compiler/JspDocumentParser.java:2427
Property changes on: branches/JBOSSWEB_2_1_12_GA_JBPAPP-11181/java/org/apache/tomcat/util
___________________________________________________________________
Modified: svn:mergeinfo
- /branches/2.1.x/java/org/apache/tomcat/util:2480-2482
/branches/7.4.x/src/main/java/org/apache/tomcat/util:2427
+ /branches/2.1.x/java/org/apache/tomcat/util:2394,2480-2482
/branches/7.4.x/src/main/java/org/apache/tomcat/util:2427
Property changes on:
branches/JBOSSWEB_2_1_12_GA_JBPAPP-11181/java/org/apache/tomcat/util/buf/Ascii.java
___________________________________________________________________
Modified: svn:mergeinfo
- /branches/2.1.x/java/org/apache/tomcat/util/buf/Ascii.java:2480-2482
/branches/7.4.x/src/main/java/org/apache/tomcat/util/buf/Ascii.java:2426-2427
+ /branches/2.1.x/java/org/apache/tomcat/util/buf/Ascii.java:2394,2480-2482
/branches/7.4.x/src/main/java/org/apache/tomcat/util/buf/Ascii.java:2426-2427
Property changes on:
branches/JBOSSWEB_2_1_12_GA_JBPAPP-11181/java/org/apache/tomcat/util/net/JIoEndpoint.java
___________________________________________________________________
Modified: svn:mergeinfo
- /branches/7.4.x/src/main/java/org/apache/tomcat/util/net/JIoEndpoint.java:2427
+ /branches/2.1.x/java/org/apache/tomcat/util/net/JIoEndpoint.java:2394
/branches/7.4.x/src/main/java/org/apache/tomcat/util/net/JIoEndpoint.java:2427