Posted to commits@tomee.apache.org by rz...@apache.org on 2023/10/11 07:11:18 UTC

[tomee] 04/04: TOMEE-4256 - Add patched classes from https://github.com/apache/tomcat/commit/8ecff306507be8e4fd3adee1ae5de1ea6661a8f4 for CVE-2023-45648

This is an automated email from the ASF dual-hosted git repository.

rzo1 pushed a commit to branch tomee-9.x-cve-patches
in repository https://gitbox.apache.org/repos/asf/tomee.git

commit ee63aa4a754edc8347a5ac4950bc92f940a8206b
Author: Richard Zowalla <rz...@apache.org>
AuthorDate: Wed Oct 11 09:07:06 2023 +0200

    TOMEE-4256 - Add patched classes from https://github.com/apache/tomcat/commit/8ecff306507be8e4fd3adee1ae5de1ea6661a8f4 for CVE-2023-45648
---
 .../java/org/apache/coyote/http11/Http11InputBuffer.java  |  2 +-
 .../apache/coyote/http11/filters/ChunkedInputFilter.java  | 15 ++++++++++++++-
 .../apache/coyote/http11/filters/LocalStrings.properties  |  2 ++
 3 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/tomee/apache-tomee/src/patch/java/org/apache/coyote/http11/Http11InputBuffer.java b/tomee/apache-tomee/src/patch/java/org/apache/coyote/http11/Http11InputBuffer.java
index ddd7e2d1e2..385fbfefb0 100644
--- a/tomee/apache-tomee/src/patch/java/org/apache/coyote/http11/Http11InputBuffer.java
+++ b/tomee/apache-tomee/src/patch/java/org/apache/coyote/http11/Http11InputBuffer.java
@@ -989,7 +989,7 @@ public class Http11InputBuffer implements InputBuffer, ApplicationBufferHandler
                     } else if (prevChr == Constants.CR) {
                         // Invalid value - also need to delete header
                         return skipLine(true);
-                    } else if (chr != Constants.HT && HttpParser.isControl(chr)) {
+                    } else if (HttpParser.isControl(chr) && chr != Constants.HT) {
                         // Invalid value - also need to delete header
                         return skipLine(true);
                     } else if (chr == Constants.SP || chr == Constants.HT) {
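Review bot: The reordered condition on the `+` line is logically equivalent to the removed one — both operands are side-effect-free, so only evaluation order changes — and this hunk has no functional effect on its own; its value is keeping the check textually identical to the trailer-value check the same commit adds to ChunkedInputFilter.parseHeader(). Since the existing comment `// Invalid value - also need to delete header` does not say why HT is exempt, consider extending it to `// Invalid value (control character other than HT) - also need to delete header`. The enclosing method starts and ends outside the hunk.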
diff --git a/tomee/apache-tomee/src/patch/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java b/tomee/apache-tomee/src/patch/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java
index 586d070f4d..e2fdb0ae2e 100644
--- a/tomee/apache-tomee/src/patch/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java
+++ b/tomee/apache-tomee/src/patch/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java
@@ -30,6 +30,7 @@ import org.apache.coyote.http11.Constants;
 import org.apache.coyote.http11.InputFilter;
 import org.apache.tomcat.util.buf.ByteChunk;
 import org.apache.tomcat.util.buf.HexUtils;
+import org.apache.tomcat.util.http.parser.HttpParser;
 import org.apache.tomcat.util.net.ApplicationBufferHandler;
 import org.apache.tomcat.util.res.StringManager;
 
@@ -444,6 +445,13 @@ public class ChunkedInputFilter implements InputFilter, ApplicationBufferHandler
 
     private boolean parseHeader() throws IOException {
 
+        /*
+         * Implementation note: Any changes to this method probably need to be echoed in
+         * Http11InputBuffer.parseHeader(). Why not use a common implementation? In short, this code uses blocking
+         * reads whereas Http11InputBuffer using non-blocking reads. The code is just different enough that a common
+         * implementation wasn't viewed as practical.
+         */
+
         Map<String,String> headers = request.getTrailerFields();
 
         byte chr = 0;
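Review bot: The added implementation note has a grammar slip on its third line: `Http11InputBuffer using non-blocking reads` should read `Http11InputBuffer uses non-blocking reads`. The note's claim that changes must be echoed is consistent with this commit, which applies the same control-character rule in both files. parseHeader's body continues past the hunk.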
@@ -490,6 +498,9 @@ public class ChunkedInputFilter implements InputFilter, ApplicationBufferHandler
 
             if (chr == Constants.COLON) {
                 colon = true;
+            } else if (!HttpParser.isToken(chr)) {
+                // Non-token characters are illegal in header names
+                throw new IOException(sm.getString("chunkedInputFilter.invalidTrailerHeaderName"));
             } else {
                 trailingHeaders.append(chr);
             }
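Review bot: The new `!HttpParser.isToken(chr)` branch passes a `byte` to an `int` parameter, so any byte ≥ 0x80 arrives sign-extended as a negative value; the check is only correct because `HttpParser.isToken` returns false for out-of-range indexes (as far as I recall it catches the array-index exception), which is not visible from this call site — a one-line comment such as `// chr is sign-extended; HttpParser.isToken returns false for negative (non-ASCII) values` would make that dependency explicit. Note also that this branch validates only the bytes before the colon: a trailer line whose first byte is the colon produces an empty name and is not rejected here, so if that is meant to be an error it needs its own check (it may be handled elsewhere in parseHeader, which starts and ends outside the hunk).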
@@ -551,7 +562,9 @@ public class ChunkedInputFilter implements InputFilter, ApplicationBufferHandler
                 if (chr == Constants.CR || chr == Constants.LF) {
                     parseCRLF(true);
                     eol = true;
-                } else if (chr == Constants.SP) {
+                } else if (HttpParser.isControl(chr) && chr != Constants.HT) {
+                    throw new IOException(sm.getString("chunkedInputFilter.invalidTrailerHeaderValue"));
+                } else if (chr == Constants.SP || chr == Constants.HT) {
                     trailingHeaders.append(chr);
                 } else {
                     trailingHeaders.append(chr);
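Review bot: After the rewrite, the `chr == Constants.SP || chr == Constants.HT` branch and the following `else` branch both do exactly `trailingHeaders.append(chr)`, so the distinction is dead code; unless it is kept deliberately to mirror the branch structure of Http11InputBuffer.parseHeader() (where the whitespace case presumably does more), the two could collapse into a single `else`. Separately, because `chr` is a sign-extended `byte`, bytes ≥ 0x80 reach `HttpParser.isControl` as negative values and are presumably treated as non-control, i.e. accepted as obs-text in the value — consistent with the HTTP field-value grammar, but worth a comment like `// bytes >= 0x80 are negative here and are accepted as obs-text` so a later reader does not mistake it for a missing check. The enclosing loop and parseHeader continue outside the hunk.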
diff --git a/tomee/apache-tomee/src/patch/java/org/apache/coyote/http11/filters/LocalStrings.properties b/tomee/apache-tomee/src/patch/java/org/apache/coyote/http11/filters/LocalStrings.properties
index c0dc9d1b10..aa1b19d839 100644
--- a/tomee/apache-tomee/src/patch/java/org/apache/coyote/http11/filters/LocalStrings.properties
+++ b/tomee/apache-tomee/src/patch/java/org/apache/coyote/http11/filters/LocalStrings.properties
@@ -21,6 +21,8 @@ chunkedInputFilter.invalidCrlfCRCR=Invalid end of line sequence (CRCR)
 chunkedInputFilter.invalidCrlfNoCR=Invalid end of line sequence (No CR before LF)
 chunkedInputFilter.invalidCrlfNoData=Invalid end of line sequence (no data available to read)
 chunkedInputFilter.invalidHeader=Invalid chunk header
+chunkedInputFilter.invalidTrailerHeaderName=Invalid trailer header name (non-token character in name)
+chunkedInputFilter.invalidTrailerHeaderValue=Invalid trailer header value (control character in value)
 chunkedInputFilter.maxExtension=maxExtensionSize exceeded
 chunkedInputFilter.maxTrailer=maxTrailerSize exceeded