Posted to dev@tomcat.apache.org by ma...@apache.org on 2014/02/06 12:21:08 UTC

svn commit: r1565169 - in /tomcat/tc7.0.x/trunk: java/org/apache/tomcat/util/http/fileupload/ java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java java/org/apache/tomcat/util/http/fileupload/MultipartStream.java webapps/docs/changelog.xml

Author: markt
Date: Thu Feb  6 11:21:07 2014
New Revision: 1565169

URL: http://svn.apache.org/r1565169
Log:
Fix CVE-2014-0050 DoS with malformed Content-Type header and multipart request processing.
Update to latest code (r1565163) from Commons FileUpload

Modified:
    tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/http/fileupload/   (props changed)
    tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java
    tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java
    tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml

Propchange: tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/http/fileupload/
------------------------------------------------------------------------------
  Merged /commons/proper/fileupload/trunk/src/main/java/org/apache/commons/fileupload:r1513135-1565163

Modified: tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java?rev=1565169&r1=1565168&r2=1565169&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java Thu Feb  6 11:21:07 2014
@@ -803,7 +803,7 @@ public abstract class FileUploadBase {
                     || (!contentType.toLowerCase(Locale.ENGLISH).startsWith(MULTIPART))) {
                 throw new InvalidContentTypeException(String.format(
                         "the request doesn't contain a %s or %s stream, content type header is %s",
-                        MULTIPART_FORM_DATA, MULTIPART_FORM_DATA, contentType));
+                        MULTIPART_FORM_DATA, MULTIPART_MIXED, contentType));
             }
 
             InputStream input = ctx.getInputStream();
@@ -814,8 +814,7 @@ public abstract class FileUploadBase {
                 if (requestSize != -1 && requestSize > sizeMax) {
                     throw new SizeLimitExceededException(String.format(
                             "the request was rejected because its size (%s) exceeds the configured maximum (%s)",
-                            Long.valueOf(requestSize),
-                            Long.valueOf(sizeMax)),
+                            Long.valueOf(requestSize), Long.valueOf(sizeMax)),
                             requestSize, sizeMax);
                 }
                 input = new LimitedInputStream(input, sizeMax) {
@@ -842,7 +841,13 @@ public abstract class FileUploadBase {
             }
 
             notifier = new MultipartStream.ProgressNotifier(listener, requestSize);
-            multi = new MultipartStream(input, boundary, notifier);
+            try {
+                multi = new MultipartStream(input, boundary, notifier);
+            } catch (IllegalArgumentException iae) {
+                throw new InvalidContentTypeException(String.format(
+                        "The boundary specified in the %s header is too long",
+                        CONTENT_TYPE), iae);
+            }
             multi.setHeaderEncoding(charEncoding);
 
             skipPreamble = true;
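Review bot: The new catch around `new MultipartStream(input, boundary, notifier)` reports every IllegalArgumentException from that constructor as "boundary ... is too long", while the constructor's own message (MultipartStream.java in this commit) says the buffer size is too small. A comment would tie the two together, for example `// The boundary comes from the client's Content-Type header; MultipartStream rejects one that does not fit in its buffer.` The new message names only the header and does not echo the client-supplied boundary value, which should stay that way if the text is ever extended. The enclosing method starts and ends outside the hunk.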
@@ -1020,7 +1025,7 @@ public abstract class FileUploadBase {
          * detail message.
          */
         public InvalidContentTypeException() {
-            // Nothing to do.
+            super();
         }
 
         /**
@@ -1033,6 +1038,9 @@ public abstract class FileUploadBase {
             super(message);
         }
 
+        public InvalidContentTypeException(String msg, Throwable cause) {
+            super(msg, cause);
+        }
     }
 
     /**
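Review bot: The added `InvalidContentTypeException(String msg, Throwable cause)` constructor has no Javadoc, although the no-argument constructor visible in the previous hunk is documented. Add a short doc comment such as `/** Constructs an InvalidContentTypeException with the specified detail message and cause. */` together with `@param msg` and `@param cause` lines. The sibling constructor visible in this hunk's context passes `message` to `super`, so naming the parameter `message` here as well would keep the two consistent.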

Modified: tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java?rev=1565169&r1=1565168&r2=1565169&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java Thu Feb  6 11:21:07 2014
@@ -276,8 +276,7 @@ public class MultipartStream {
      * @param pNotifier The notifier, which is used for calling the
      *                  progress listener, if any.
      *
-     * @see #MultipartStream(InputStream, byte[],
-     *     MultipartStream.ProgressNotifier)
+     * @throws IllegalArgumentException If the buffer size is too small
      */
     public MultipartStream(InputStream input,
             byte[] boundary,
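Review bot: The new `@throws` line says only that the buffer size is "too small" and does not state the bound a caller has to meet. The check added further down in this commit compares `bufSize` with the prefixed boundary length plus one, so the Javadoc could read `@throws IllegalArgumentException If bufSize is smaller than boundary.length + BOUNDARY_PREFIX.length + 1`. The constructor body continues outside the hunk.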
@@ -290,9 +289,14 @@ public class MultipartStream {
 
         // We prepend CR/LF to the boundary to chop trailing CR/LF from
         // body-data tokens.
-        this.boundary = new byte[boundary.length + BOUNDARY_PREFIX.length];
         this.boundaryLength = boundary.length + BOUNDARY_PREFIX.length;
+        if (bufSize < this.boundaryLength + 1) {
+            throw new IllegalArgumentException(
+                    "The buffer size specified for the MultipartStream is too small");
+        }
+        this.boundary = new byte[this.boundaryLength];
         this.keepRegion = this.boundary.length;
+
         System.arraycopy(BOUNDARY_PREFIX, 0, this.boundary, 0,
                 BOUNDARY_PREFIX.length);
         System.arraycopy(boundary, 0, this.boundary, BOUNDARY_PREFIX.length,
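Review bot: The new `bufSize < this.boundaryLength + 1` guard carries no comment saying why one spare byte is required or that it is the check behind the CVE-2014-0050 fix named in the commit log, and its exception message omits both sizes. Suggest a comment above the check, `// The prefixed boundary must fit in the buffer with one byte to spare; an oversized boundary from the Content-Type header is rejected here.`, and a message that includes `bufSize` and `this.boundaryLength` so a rejected request can be diagnosed from the logs. Whether the read buffer is already allocated before this point is not visible in the hunk; if it is, validating before allocating would be the cleaner order. The constructor starts and ends outside the hunk.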
@@ -311,8 +315,7 @@ public class MultipartStream {
      * @param pNotifier An object for calling the progress listener, if any.
      *
      *
-     * @see #MultipartStream(InputStream, byte[], int,
-     *     MultipartStream.ProgressNotifier)
+     * @see #MultipartStream(InputStream, byte[], int, ProgressNotifier)
      */
     MultipartStream(InputStream input,
             byte[] boundary,

Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1565169&r1=1565168&r2=1565169&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Thu Feb  6 11:21:07 2014
@@ -299,6 +299,11 @@
         Remove svn keywords (such as $Id) from source files and documentation.
         (kkolinko)
       </scode>
+      <fix>
+        Fix CVE-2014-0050, a denial of service with a malicious, malformed
+        Content-Type header and multipart request processing. Fixed by merging
+        latest code (r1565163) from Commons FileUpload. (markt)
+      </fix>
     </changelog>
   </subsection>
 </section>


