You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2014/02/06 12:21:08 UTC
svn commit: r1565169 - in /tomcat/tc7.0.x/trunk:
java/org/apache/tomcat/util/http/fileupload/
java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java
java/org/apache/tomcat/util/http/fileupload/MultipartStream.java
webapps/docs/changelog.xml
Author: markt
Date: Thu Feb 6 11:21:07 2014
New Revision: 1565169
URL: http://svn.apache.org/r1565169
Log:
Fix CVE-2014-0050 DoS with malformed Content-Type header and multipart request processing.
Update to latest code (r1565163) from Commons FileUpload
Modified:
tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/http/fileupload/ (props changed)
tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java
tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java
tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
Propchange: tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/http/fileupload/
------------------------------------------------------------------------------
Merged /commons/proper/fileupload/trunk/src/main/java/org/apache/commons/fileupload:r1513135-1565163
Modified: tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java?rev=1565169&r1=1565168&r2=1565169&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java Thu Feb 6 11:21:07 2014
@@ -803,7 +803,7 @@ public abstract class FileUploadBase {
|| (!contentType.toLowerCase(Locale.ENGLISH).startsWith(MULTIPART))) {
throw new InvalidContentTypeException(String.format(
"the request doesn't contain a %s or %s stream, content type header is %s",
- MULTIPART_FORM_DATA, MULTIPART_FORM_DATA, contentType));
+ MULTIPART_FORM_DATA, MULTIPART_MIXED, contentType));
}
InputStream input = ctx.getInputStream();
@@ -814,8 +814,7 @@ public abstract class FileUploadBase {
if (requestSize != -1 && requestSize > sizeMax) {
throw new SizeLimitExceededException(String.format(
"the request was rejected because its size (%s) exceeds the configured maximum (%s)",
- Long.valueOf(requestSize),
- Long.valueOf(sizeMax)),
+ Long.valueOf(requestSize), Long.valueOf(sizeMax)),
requestSize, sizeMax);
}
input = new LimitedInputStream(input, sizeMax) {
@@ -842,7 +841,13 @@ public abstract class FileUploadBase {
}
notifier = new MultipartStream.ProgressNotifier(listener, requestSize);
- multi = new MultipartStream(input, boundary, notifier);
+ try {
+ multi = new MultipartStream(input, boundary, notifier);
+ } catch (IllegalArgumentException iae) {
+ throw new InvalidContentTypeException(String.format(
+ "The boundary specified in the %s header is too long",
+ CONTENT_TYPE), iae);
+ }
multi.setHeaderEncoding(charEncoding);
skipPreamble = true;
@@ -1020,7 +1025,7 @@ public abstract class FileUploadBase {
* detail message.
*/
public InvalidContentTypeException() {
- // Nothing to do.
+ super();
}
/**
@@ -1033,6 +1038,9 @@ public abstract class FileUploadBase {
super(message);
}
+ public InvalidContentTypeException(String msg, Throwable cause) {
+ super(msg, cause);
+ }
}
/**
Modified: tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java?rev=1565169&r1=1565168&r2=1565169&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java Thu Feb 6 11:21:07 2014
@@ -276,8 +276,7 @@ public class MultipartStream {
* @param pNotifier The notifier, which is used for calling the
* progress listener, if any.
*
- * @see #MultipartStream(InputStream, byte[],
- * MultipartStream.ProgressNotifier)
+ * @throws IllegalArgumentException If the buffer size is too small
*/
public MultipartStream(InputStream input,
byte[] boundary,
@@ -290,9 +289,14 @@ public class MultipartStream {
// We prepend CR/LF to the boundary to chop trailing CR/LF from
// body-data tokens.
- this.boundary = new byte[boundary.length + BOUNDARY_PREFIX.length];
this.boundaryLength = boundary.length + BOUNDARY_PREFIX.length;
+ if (bufSize < this.boundaryLength + 1) {
+ throw new IllegalArgumentException(
+ "The buffer size specified for the MultipartStream is too small");
+ }
+ this.boundary = new byte[this.boundaryLength];
this.keepRegion = this.boundary.length;
+
System.arraycopy(BOUNDARY_PREFIX, 0, this.boundary, 0,
BOUNDARY_PREFIX.length);
System.arraycopy(boundary, 0, this.boundary, BOUNDARY_PREFIX.length,
@@ -311,8 +315,7 @@ public class MultipartStream {
* @param pNotifier An object for calling the progress listener, if any.
*
*
- * @see #MultipartStream(InputStream, byte[], int,
- * MultipartStream.ProgressNotifier)
+ * @see #MultipartStream(InputStream, byte[], int, ProgressNotifier)
*/
MultipartStream(InputStream input,
byte[] boundary,
Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1565169&r1=1565168&r2=1565169&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Thu Feb 6 11:21:07 2014
@@ -299,6 +299,11 @@
Remove svn keywords (such as $Id) from source files and documentation.
(kkolinko)
</scode>
+ <fix>
+ Fix CVE-2014-0050, a denial of service with a malicious, malformed
+ Content-Type header and multipart request processing. Fixed by merging
+ latest code (r1565163) from Commons FileUpload. (markt)
+ </fix>
</changelog>
</subsection>
</section>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org