Posted to dev@tomcat.apache.org by ma...@apache.org on 2022/08/02 15:31:11 UTC

[tomcat] branch 9.0.x updated: Address an edge case. Reject CRCRLF as a line terminator.

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/9.0.x by this push:
     new d7554a832c Address an edge case. Reject CRCRLF as a line terminator.
d7554a832c is described below

commit d7554a832c03151bdf9896335fff3f97013ffee3
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Tue Aug 2 16:30:51 2022 +0100

    Address an edge case. Reject CRCRLF as a line terminator.
    
    Review of CR handling for RFC 9112
---
 java/org/apache/coyote/http11/Http11InputBuffer.java     |  3 ++-
 .../apache/coyote/http11/TestHttp11InputBufferCRLF.java  | 16 +++++++++++++++-
 webapps/docs/changelog.xml                               |  4 ++++
 3 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/java/org/apache/coyote/http11/Http11InputBuffer.java b/java/org/apache/coyote/http11/Http11InputBuffer.java
index fd7b75547f..da003c5e78 100644
--- a/java/org/apache/coyote/http11/Http11InputBuffer.java
+++ b/java/org/apache/coyote/http11/Http11InputBuffer.java
@@ -976,7 +976,8 @@ public class Http11InputBuffer implements InputBuffer, ApplicationBufferHandler
 
                     prevChr = chr;
                     chr = byteBuffer.get();
-                    if (chr == Constants.CR) {
+                    if (chr == Constants.CR && prevChr != Constants.CR) {
+                        // CR is only permitted at the start of a CRLF sequence.
                         // Possible start of CRLF - process the next byte.
                     } else if (chr == Constants.LF) {
                         // CRLF or LF is an acceptable line terminator
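Review bot: The two comments now stacked in the empty `if` branch read as one statement and do not say what happens to a CR that fails the new `prevChr != Constants.CR` test. That byte also fails `chr == Constants.LF` and so falls through to branches below the hunk, which are not visible here. I would merge the two into one comment, for example `// A CR is accepted only as the first byte of CRLF; a second consecutive CR (CRCRLF) is not a line terminator and is handled by the checks below.` It is worth stating the reason once as well: if this parser accepts a terminator that a front-end proxy parses differently, the two disagree on where a header ends, which is the precondition for request smuggling. The enclosing loop and method start and end outside the hunk.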
diff --git a/test/org/apache/coyote/http11/TestHttp11InputBufferCRLF.java b/test/org/apache/coyote/http11/TestHttp11InputBufferCRLF.java
index 2753c21071..c6e3d8593b 100644
--- a/test/org/apache/coyote/http11/TestHttp11InputBufferCRLF.java
+++ b/test/org/apache/coyote/http11/TestHttp11InputBufferCRLF.java
@@ -81,13 +81,21 @@ public class TestHttp11InputBufferCRLF extends TomcatBaseTest {
                 CRLF,
                 Boolean.FALSE, Boolean.FALSE, parameterSets);
 
-        // Invalid HTTP/1.1 request
+        // Invalid (request target) HTTP/1.1 request
         addRequestWithSplits("GET /te<st HTTP/1.1" + CRLF +
                 "Host: localhost:8080" + CRLF +
                 "Connection: close" + CRLF +
                 CRLF,
                 Boolean.FALSE, Boolean.FALSE, parameterSets);
 
+        // Invalid (use of CR) HTTP/1.1 request
+        addRequestWithSplits("GET /test HTTP/1.1" + CRLF +
+                "Host: localhost:8080" + CRLF +
+                "Connection: close" + CRLF +
+                "X-aaa: bbb" + CR + CRLF +
+                CRLF,
+                Boolean.FALSE, Boolean.FALSE, parameterSets);
+
         // Standard HTTP/1.1 request with a query string
         addRequestWithSplits("GET /test?a=b HTTP/1.1" + CRLF +
                 "Host: localhost:8080" + CRLF +
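Review bot: The added CRCRLF case only puts the extra CR after a header value (`"X-aaa: bbb" + CR + CRLF`), so the tests do not show how the parser treats the same sequence at the end of the request line or on the blank line that ends the header block. Whether those paths already carry an equivalent check is not visible in this diff. One parameter set per position would pin the behaviour down, for example a request whose header block ends in `"Connection: close" + CRLF + CR + CRLF`. The bare-CR case added in the next hunk has a related limitation: it replaces every terminator at once, so a failure cannot be attributed to a single position. The enclosing method starts before this hunk.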
@@ -116,6 +124,12 @@ public class TestHttp11InputBufferCRLF extends TomcatBaseTest {
                 LF,
                 Boolean.FALSE, parameterSets);
 
+        // Invalid HTTP/1.1 request using CR rather than CRLF
+        addRequestWithSplits("GET /test HTTP/1.1" + CR +
+                "Host: localhost:8080" + CR +
+                "Connection: close" + CR +
+                CR,
+                Boolean.FALSE, Boolean.FALSE, parameterSets);
 
         return parameterSets;
     }
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 2c992f11a0..79c8eebf2e 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -127,6 +127,10 @@
         Avoid potential NPE by skipping duplicate accept check when using a Unix
         Domain Socket. Based on <pr>532</pr> by Han Li. (markt)
       </fix>
+      <fix>
+        Address an edge case in HTTP header parsing that allowed CRCRLF to be
+        used as a valid line terminator. (markt)
+      </fix>
     </changelog>
   </subsection>
 </section>

