Posted to dev@tomcat.apache.org by ma...@apache.org on 2019/05/17 16:12:19 UTC
[tomcat] branch 7.0.x updated: Ensure that the entire global XSLT
file is read if one is defined.
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 7.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/7.0.x by this push:
new bbf76e4 Ensure that the entire global XSLT file is read if one is defined.
bbf76e4 is described below
commit bbf76e4c301197cd0c12299cf495d988283616f9
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Fri May 17 17:03:56 2019 +0100
Ensure that the entire global XSLT file is read if one is defined.
Identified by Coverity Scan.
---
.../apache/catalina/servlets/DefaultServlet.java | 29 +++++++++++++---------
java/org/apache/catalina/util/IOTools.java | 20 +++++++++++++++
webapps/docs/changelog.xml | 4 +++
3 files changed, 41 insertions(+), 12 deletions(-)
diff --git a/java/org/apache/catalina/servlets/DefaultServlet.java b/java/org/apache/catalina/servlets/DefaultServlet.java
index 02e4e9e..16ba71d 100644
--- a/java/org/apache/catalina/servlets/DefaultServlet.java
+++ b/java/org/apache/catalina/servlets/DefaultServlet.java
@@ -68,6 +68,7 @@ import javax.xml.transform.stream.StreamSource;
import org.apache.catalina.Globals;
import org.apache.catalina.connector.RequestFacade;
import org.apache.catalina.connector.ResponseFacade;
+import org.apache.catalina.util.IOTools;
import org.apache.catalina.util.RequestUtil;
import org.apache.catalina.util.ServerInfo;
import org.apache.catalina.util.URLEncoder;
@@ -1745,17 +1746,22 @@ public class DefaultServlet
File f = validateGlobalXsltFile();
if (f != null){
FileInputStream fis = null;
- try {
- fis = new FileInputStream(f);
- byte b[] = new byte[(int)f.length()]; /* danger! */
- fis.read(b);
- return new StreamSource(new ByteArrayInputStream(b));
- } finally {
- if (fis != null) {
- try {
- fis.close();
- } catch (IOException ioe) {
- // Ignore
+ long globalXsltFileSize = f.length();
+ if (globalXsltFileSize > Integer.MAX_VALUE) {
+ log("globalXsltFile [" + f.getAbsolutePath() + "] is too big to buffer");
+ } else {
+ try {
+ fis = new FileInputStream(f);
+ byte b[] = new byte[(int)f.length()];
+ IOTools.readFully(fis, b);
+ return new StreamSource(new ByteArrayInputStream(b));
+ } finally {
+ if (fis != null) {
+ try {
+ fis.close();
+ } catch (IOException ioe) {
+ // Ignore
+ }
}
}
}
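Review bot: The allocation `new byte[(int)f.length()]` queries the file size a second time instead of using the `globalXsltFileSize` value that was just compared with `Integer.MAX_VALUE`, so the cast is not tied to the checked size if the file changes between the two calls; `byte b[] = new byte[(int) globalXsltFileSize];` closes that gap. The return value of `IOTools.readFully(fis, b)` is also discarded, so a file that shrinks before the read would hand a zero-padded buffer to the `StreamSource`. Comparing the count with `b.length` and logging on a mismatch, in the same style as the "too big to buffer" message, would make a short read visible. The enclosing method starts and ends outside this hunk.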
@@ -1763,7 +1769,6 @@ public class DefaultServlet
}
return null;
-
}
diff --git a/java/org/apache/catalina/util/IOTools.java b/java/org/apache/catalina/util/IOTools.java
index 77090dd..d7ae3bb 100644
--- a/java/org/apache/catalina/util/IOTools.java
+++ b/java/org/apache/catalina/util/IOTools.java
@@ -86,4 +86,24 @@ public class IOTools {
byte[] buf = new byte[DEFAULT_BUFFER_SIZE];
flow( is, os, buf );
}
+
+
+ /**
+ * Read until EOF or the buffer is filled.
+ *
+ * @param is The source to read from
+ * @param buf The buffer to write to
+ *
+ * @return The number of bytes read
+ *
+ * @throws IOException If an I/O error occurs during the read
+ */
+ public static int readFully(InputStream is, byte[] buf) throws IOException {
+ int bytesRead = 0;
+ int read;
+ while (bytesRead < buf.length && ((read = is.read(buf, bytesRead, buf.length - bytesRead)) >= 0)) {
+ bytesRead += read;
+ }
+ return bytesRead;
+ }
}
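Review bot: The name `readFully` matches `java.io.DataInputStream.readFully`, which throws `EOFException` on a short read, whereas this helper returns silently with a partially filled buffer. The Javadoc should state that contract so callers know to check the result, for example `@return The number of bytes read, which is less than buf.length only if EOF was reached first`. A sentence noting that the unread tail of `buf` is left untouched would also help, since the caller in `DefaultServlet` in this commit ignores the return value.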
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 3a4eafd..50b4a15 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -100,6 +100,10 @@
serialization with mem-cached. Patch provided by Martin Lemanski.
(markt)
</fix>
+ <fix>
+ Ensure that the default servlet reads the entire global XSLT file if
+ one is defined. Identified by Coverity Scan. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Coyote">