Posted to dev@tomcat.apache.org by ma...@apache.org on 2022/08/02 15:31:55 UTC
[tomcat] branch 8.5.x updated: Address an edge case. Reject CRCRLF as a line terminator.
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/8.5.x by this push:
new 9fa4b92e04 Address an edge case. Reject CRCRLF as a line terminator.
9fa4b92e04 is described below
commit 9fa4b92e045ab77536e18eb153d4582352ce5d42
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Tue Aug 2 16:30:51 2022 +0100
Address an edge case. Reject CRCRLF as a line terminator.
Review of CR handling for RFC 9112
---
java/org/apache/coyote/http11/Http11InputBuffer.java | 3 ++-
.../apache/coyote/http11/TestHttp11InputBufferCRLF.java | 16 +++++++++++++++-
webapps/docs/changelog.xml | 4 ++++
3 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/java/org/apache/coyote/http11/Http11InputBuffer.java b/java/org/apache/coyote/http11/Http11InputBuffer.java
index e66dc4c210..20bc3816bd 100644
--- a/java/org/apache/coyote/http11/Http11InputBuffer.java
+++ b/java/org/apache/coyote/http11/Http11InputBuffer.java
@@ -976,7 +976,8 @@ public class Http11InputBuffer implements InputBuffer, ApplicationBufferHandler
prevChr = chr;
chr = byteBuffer.get();
- if (chr == Constants.CR) {
+ if (chr == Constants.CR && prevChr != Constants.CR) {
+ // CR is only permitted at the start of a CRLF sequence.
// Possible start of CRLF - process the next byte.
} else if (chr == Constants.LF) {
// CRLF or LF is an acceptable line terminator
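Review bot: The two stacked comments in the empty `if` branch describe only the accepted case and leave the reason for the new `prevChr != Constants.CR` test implicit; a reader cannot tell from here what happens to the second CR of a CRCR pair, because the branch that receives it lies outside the hunk. I would merge them into one comment such as `// CR is only valid as the first byte of CRLF (RFC 9112); a CR directly after a CR is not consumed here and is left to the branches below.` The strictness matters because a line terminator that Tomcat accepts but a front-end proxy parses differently can make the two disagree about where a header ends. It is also worth confirming that `prevChr` keeps its value when the two CRs arrive in separate reads, which the split-based test cases presumably exercise. The enclosing method starts and ends outside the hunk.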
diff --git a/test/org/apache/coyote/http11/TestHttp11InputBufferCRLF.java b/test/org/apache/coyote/http11/TestHttp11InputBufferCRLF.java
index 2753c21071..c6e3d8593b 100644
--- a/test/org/apache/coyote/http11/TestHttp11InputBufferCRLF.java
+++ b/test/org/apache/coyote/http11/TestHttp11InputBufferCRLF.java
@@ -81,13 +81,21 @@ public class TestHttp11InputBufferCRLF extends TomcatBaseTest {
CRLF,
Boolean.FALSE, Boolean.FALSE, parameterSets);
- // Invalid HTTP/1.1 request
+ // Invalid (request target) HTTP/1.1 request
addRequestWithSplits("GET /te<st HTTP/1.1" + CRLF +
"Host: localhost:8080" + CRLF +
"Connection: close" + CRLF +
CRLF,
Boolean.FALSE, Boolean.FALSE, parameterSets);
+ // Invalid (use of CR) HTTP/1.1 request
+ addRequestWithSplits("GET /test HTTP/1.1" + CRLF +
+ "Host: localhost:8080" + CRLF +
+ "Connection: close" + CRLF +
+ "X-aaa: bbb" + CR + CRLF +
+ CRLF,
+ Boolean.FALSE, Boolean.FALSE, parameterSets);
+
// Standard HTTP/1.1 request with a query string
addRequestWithSplits("GET /test?a=b HTTP/1.1" + CRLF +
"Host: localhost:8080" + CRLF +
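Review bot: The added case places CRCRLF only after a header field value (`"X-aaa: bbb" + CR + CRLF`), while the production change is a single condition, so the diff does not show whether the same sequence is rejected at the end of the request line or as the blank line that ends the header block. If those positions go through other code, sibling cases such as `"GET /test HTTP/1.1" + CR + CRLF +` and `"Connection: close" + CRLF + CR + CRLF,` with the same expected-result arguments as this one would pin the behaviour everywhere a terminator is parsed. The meaning of the two positional `Boolean.FALSE` arguments is not visible in this hunk, so a short trailing comment naming them would also help. The enclosing method starts before the hunk.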
@@ -116,6 +124,12 @@ public class TestHttp11InputBufferCRLF extends TomcatBaseTest {
LF,
Boolean.FALSE, parameterSets);
+ // Invalid HTTP/1.1 request using CR rather than CRLF
+ addRequestWithSplits("GET /test HTTP/1.1" + CR +
+ "Host: localhost:8080" + CR +
+ "Connection: close" + CR +
+ CR,
+ Boolean.FALSE, Boolean.FALSE, parameterSets);
return parameterSets;
}
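Review bot: The new CR-only case replaces every terminator in the request at once, so it would still pass if only the request line were rejected and a bare CR after a header line were accepted. A variant that keeps CRLF everywhere except one header line, for example `"Host: localhost:8080" + CR +`, would isolate bare-CR handling in header parsing; whether another test already covers that is not visible here. A blank line before `return parameterSets;` would match the spacing used between the other cases.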
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index b1e2777186..f716dbcd93 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -130,6 +130,10 @@
using Tomcat Native 1.2.34 onwards built with OpenSSL 3.0.x onwards.
(markt)
</add>
+ <fix>
+ Address an edge case in HTTP header parsing that allowed CRCRLF to be
+ used as a valid line terminator. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Web applications">