Posted to commits@tomee.apache.org by rz...@apache.org on 2023/10/11 07:11:18 UTC
[tomee] 04/04: TOMEE-4256 - Add patched classes from https://github.com/apache/tomcat/commit/8ecff306507be8e4fd3adee1ae5de1ea6661a8f4 for CVE-2023-45648
This is an automated email from the ASF dual-hosted git repository.
rzo1 pushed a commit to branch tomee-9.x-cve-patches
in repository https://gitbox.apache.org/repos/asf/tomee.git
commit ee63aa4a754edc8347a5ac4950bc92f940a8206b
Author: Richard Zowalla <rz...@apache.org>
AuthorDate: Wed Oct 11 09:07:06 2023 +0200
TOMEE-4256 - Add patched classes from https://github.com/apache/tomcat/commit/8ecff306507be8e4fd3adee1ae5de1ea6661a8f4 for CVE-2023-45648
---
.../java/org/apache/coyote/http11/Http11InputBuffer.java | 2 +-
.../apache/coyote/http11/filters/ChunkedInputFilter.java | 15 ++++++++++++++-
.../apache/coyote/http11/filters/LocalStrings.properties | 2 ++
3 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/tomee/apache-tomee/src/patch/java/org/apache/coyote/http11/Http11InputBuffer.java b/tomee/apache-tomee/src/patch/java/org/apache/coyote/http11/Http11InputBuffer.java
index ddd7e2d1e2..385fbfefb0 100644
--- a/tomee/apache-tomee/src/patch/java/org/apache/coyote/http11/Http11InputBuffer.java
+++ b/tomee/apache-tomee/src/patch/java/org/apache/coyote/http11/Http11InputBuffer.java
@@ -989,7 +989,7 @@ public class Http11InputBuffer implements InputBuffer, ApplicationBufferHandler
} else if (prevChr == Constants.CR) {
// Invalid value - also need to delete header
return skipLine(true);
- } else if (chr != Constants.HT && HttpParser.isControl(chr)) {
+ } else if (HttpParser.isControl(chr) && chr != Constants.HT) {
// Invalid value - also need to delete header
return skipLine(true);
} else if (chr == Constants.SP || chr == Constants.HT) {
diff --git a/tomee/apache-tomee/src/patch/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java b/tomee/apache-tomee/src/patch/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java
index 586d070f4d..e2fdb0ae2e 100644
--- a/tomee/apache-tomee/src/patch/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java
+++ b/tomee/apache-tomee/src/patch/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java
@@ -30,6 +30,7 @@ import org.apache.coyote.http11.Constants;
import org.apache.coyote.http11.InputFilter;
import org.apache.tomcat.util.buf.ByteChunk;
import org.apache.tomcat.util.buf.HexUtils;
+import org.apache.tomcat.util.http.parser.HttpParser;
import org.apache.tomcat.util.net.ApplicationBufferHandler;
import org.apache.tomcat.util.res.StringManager;
@@ -444,6 +445,13 @@ public class ChunkedInputFilter implements InputFilter, ApplicationBufferHandler
private boolean parseHeader() throws IOException {
+ /*
+ * Implementation note: Any changes to this method probably need to be echoed in
+ * Http11InputBuffer.parseHeader(). Why not use a common implementation? In short, this code uses blocking
+ * reads whereas Http11InputBuffer using non-blocking reads. The code is just different enough that a common
+ * implementation wasn't viewed as practical.
+ */
+
Map<String,String> headers = request.getTrailerFields();
byte chr = 0;
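Review bot: The added implementation note has a grammar slip: "whereas Http11InputBuffer using non-blocking reads" should read `whereas Http11InputBuffer uses non-blocking reads`. The note also asks that changes here be mirrored in Http11InputBuffer.parseHeader(), but the Http11InputBuffer hunk in this commit adds no pointer back to this method. If the patched copy does not already carry one, a comment there such as `// Keep in sync with ChunkedInputFilter.parseHeader()` would make the link visible from both sides. The body of parseHeader() continues outside the hunk.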
@@ -490,6 +498,9 @@ public class ChunkedInputFilter implements InputFilter, ApplicationBufferHandler
if (chr == Constants.COLON) {
colon = true;
+ } else if (!HttpParser.isToken(chr)) {
+ // Non-token characters are illegal in header names
+ throw new IOException(sm.getString("chunkedInputFilter.invalidTrailerHeaderName"));
} else {
trailingHeaders.append(chr);
}
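Review bot: The new `!HttpParser.isToken(chr)` branch, and the control-character branch added in the hunk at -551, have no test in this commit; the diffstat lists only the two patched classes and LocalStrings.properties. These branches are the substance of the CVE-2023-45648 fix, so a later re-sync of the patched classes could drop them without anything failing. A regression test would cover this: one trailer field whose name contains a non-token byte and one whose value contains a control character other than HT, each asserting that reading the body fails with IOException. Whether upstream tests are run against these patched copies is not visible from here. The enclosing loop starts and ends outside the hunk.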
@@ -551,7 +562,9 @@ public class ChunkedInputFilter implements InputFilter, ApplicationBufferHandler
if (chr == Constants.CR || chr == Constants.LF) {
parseCRLF(true);
eol = true;
- } else if (chr == Constants.SP) {
+ } else if (HttpParser.isControl(chr) && chr != Constants.HT) {
+ throw new IOException(sm.getString("chunkedInputFilter.invalidTrailerHeaderValue"));
+ } else if (chr == Constants.SP || chr == Constants.HT) {
trailingHeaders.append(chr);
} else {
trailingHeaders.append(chr);
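Review bot: The new `HttpParser.isControl(chr) && chr != Constants.HT` branch has no comment, unlike the name check at -490, which carries `// Non-token characters are illegal in header names`. I would add `// Control characters other than HT are illegal in header values` above the throw. A second comment should say that this branch must stay after the `chr == Constants.CR || chr == Constants.LF` test, since CR and LF are themselves control characters and moving the check up would reject every line ending. The final else branch continues outside the hunk.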
diff --git a/tomee/apache-tomee/src/patch/java/org/apache/coyote/http11/filters/LocalStrings.properties b/tomee/apache-tomee/src/patch/java/org/apache/coyote/http11/filters/LocalStrings.properties
index c0dc9d1b10..aa1b19d839 100644
--- a/tomee/apache-tomee/src/patch/java/org/apache/coyote/http11/filters/LocalStrings.properties
+++ b/tomee/apache-tomee/src/patch/java/org/apache/coyote/http11/filters/LocalStrings.properties
@@ -21,6 +21,8 @@ chunkedInputFilter.invalidCrlfCRCR=Invalid end of line sequence (CRCR)
chunkedInputFilter.invalidCrlfNoCR=Invalid end of line sequence (No CR before LF)
chunkedInputFilter.invalidCrlfNoData=Invalid end of line sequence (no data available to read)
chunkedInputFilter.invalidHeader=Invalid chunk header
+chunkedInputFilter.invalidTrailerHeaderName=Invalid trailer header name (non-token character in name)
+chunkedInputFilter.invalidTrailerHeaderValue=Invalid trailer header value (control character in value)
chunkedInputFilter.maxExtension=maxExtensionSize exceeded
chunkedInputFilter.maxTrailer=maxTrailerSize exceeded