Posted to dev@tomcat.apache.org by ma...@apache.org on 2023/01/03 12:53:30 UTC

[tomcat] branch main updated (b364efe99e -> e529969d15)

This is an automated email from the ASF dual-hosted git repository.

markt pushed a change to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git


    from b364efe99e Fix BZ 63390 - Fix test on Solaris.
     new 063e2e81ed Update packaged renamed fork of Commons File Upload
     new a6fed7ace3 Update package renamed fork of Commons BCEL
     new e529969d15 Update package renamed fork of Commons Codec

The 3 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 MERGE.txt                                          |  6 ++--
 java/org/apache/catalina/connector/Request.java    | 10 +++++-
 .../tomcat/util/bcel/classfile/ConstantPool.java   | 18 +++++++----
 .../tomcat/util/codec/binary/BaseNCodec.java       |  5 +--
 java/org/apache/tomcat/util/http/Parameters.java   |  5 +++
 .../util/http/fileupload/FileUploadBase.java       | 29 +++++++++++++++++
 ...n.java => FileCountLimitExceededException.java} | 37 +++++++++++++---------
 webapps/docs/changelog.xml                         | 12 +++++++
 webapps/docs/config/ajp.xml                        | 15 +++++----
 webapps/docs/config/http.xml                       | 15 +++++----
 10 files changed, 112 insertions(+), 40 deletions(-)
 copy java/org/apache/tomcat/util/http/fileupload/impl/{SizeLimitExceededException.java => FileCountLimitExceededException.java} (54%)




[tomcat] 01/03: Update packaged renamed fork of Commons File Upload

Posted by ma...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 063e2e81ede50c287f737cc8e2915ce7217e886e
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Tue Dec 13 17:55:34 2022 +0000

    Update packaged renamed fork of Commons File Upload
---
 MERGE.txt                                          |  2 +-
 java/org/apache/catalina/connector/Request.java    | 10 ++++-
 java/org/apache/tomcat/util/http/Parameters.java   |  5 +++
 .../util/http/fileupload/FileUploadBase.java       | 29 +++++++++++++
 .../impl/FileCountLimitExceededException.java      | 50 ++++++++++++++++++++++
 webapps/docs/changelog.xml                         |  4 ++
 webapps/docs/config/ajp.xml                        | 15 ++++---
 webapps/docs/config/http.xml                       | 15 ++++---
 8 files changed, 116 insertions(+), 14 deletions(-)

diff --git a/MERGE.txt b/MERGE.txt
index 8c1ed33662..41646180c2 100644
--- a/MERGE.txt
+++ b/MERGE.txt
@@ -54,7 +54,7 @@ Unused code is removed
 Sub-tree:
 src/main/java/org/apache/commons/fileupload2
 The SHA1 ID / tag for the most recent commit to be merged to Tomcat is:
-aa8eff6f04c939fd99834360415b1ddb2f637cb1 (2022-11-29)
+34eb241c051b02eca3b0b1b04f67b3b4e6c3a24d (2023-02-03)
 
 Note: Tomcat's copy of fileupload also includes classes copied manually from
       Commons IO.
diff --git a/java/org/apache/catalina/connector/Request.java b/java/org/apache/catalina/connector/Request.java
index ecfc7aaa16..340d775b15 100644
--- a/java/org/apache/catalina/connector/Request.java
+++ b/java/org/apache/catalina/connector/Request.java
@@ -2816,8 +2816,9 @@ public class Request implements HttpServletRequest {
             }
         }
 
+        int maxParameterCount = getConnector().getMaxParameterCount();
         Parameters parameters = coyoteRequest.getParameters();
-        parameters.setLimit(getConnector().getMaxParameterCount());
+        parameters.setLimit(maxParameterCount);
 
         boolean success = false;
         try {
@@ -2869,6 +2870,13 @@ public class Request implements HttpServletRequest {
             upload.setFileItemFactory(factory);
             upload.setFileSizeMax(mce.getMaxFileSize());
             upload.setSizeMax(mce.getMaxRequestSize());
+            if (maxParameterCount > -1) {
+                // There is a limit. The limit for parts needs to be reduced by
+                // the number of parameters we have already parsed.
+                // Must be under the limit else parsing parameters would have
+                // triggered an exception.
+                upload.setFileCountMax(maxParameterCount - parameters.size());
+            }
 
             parts = new ArrayList<>();
             try {
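Review bot: The value passed to `setFileCountMax` is not clamped, so if `parameters.size()` were ever larger than `maxParameterCount` the result would be negative, and the check added to FileUploadBase (`items.size() == fileCountMax`, with `-1` documented as "no limit") would then never fire. The comment relies on `Parameters` enforcing its limit strictly, and that code is outside this hunk. Making the invariant local costs one call and fails closed: `upload.setFileCountMax(Math.max(0, maxParameterCount - parameters.size()));`. The enclosing method starts and ends outside the hunk.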
diff --git a/java/org/apache/tomcat/util/http/Parameters.java b/java/org/apache/tomcat/util/http/Parameters.java
index ce765374e7..d233190ddb 100644
--- a/java/org/apache/tomcat/util/http/Parameters.java
+++ b/java/org/apache/tomcat/util/http/Parameters.java
@@ -125,6 +125,11 @@ public final class Parameters {
     }
 
 
+    public int size() {
+        return parameterCount;
+    }
+
+
     public void recycle() {
         parameterCount = 0;
         paramHashValues.clear();
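Review bot: The new public `size()` has no Javadoc, and the name does not say whether it counts distinct parameter names or individual values. It returns `parameterCount`, whose increment logic is outside this hunk, so the comment should state which it is. Something like `/** Returns the number of parameters counted so far against the configured limit. */` would do, adjusted once the counting rule is confirmed, since Request.java now uses this value to size the multipart part limit.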
diff --git a/java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java b/java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java
index acc4aa307f..d527313723 100644
--- a/java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java
+++ b/java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java
@@ -24,6 +24,7 @@ import java.util.Locale;
 import java.util.Map;
 import java.util.Objects;
 
+import org.apache.tomcat.util.http.fileupload.impl.FileCountLimitExceededException;
 import org.apache.tomcat.util.http.fileupload.impl.FileItemIteratorImpl;
 import org.apache.tomcat.util.http.fileupload.impl.FileUploadIOException;
 import org.apache.tomcat.util.http.fileupload.impl.IOFileUploadException;
@@ -103,6 +104,12 @@ public abstract class FileUploadBase {
      */
     private long fileSizeMax = -1;
 
+    /**
+     * The maximum permitted number of files that may be uploaded in a single
+     * request. A value of -1 indicates no maximum.
+     */
+    private long fileCountMax = -1;
+
     /**
      * The content encoding to use when reading part headers.
      */
@@ -179,6 +186,24 @@ public abstract class FileUploadBase {
         this.fileSizeMax = fileSizeMax;
     }
 
+    /**
+     * Returns the maximum number of files allowed in a single request.
+     *
+     * @return The maximum number of files allowed in a single request.
+     */
+    public long getFileCountMax() {
+        return fileCountMax;
+    }
+
+    /**
+     * Sets the maximum number of files allowed per request/
+     *
+     * @param fileCountMax The new limit. {@code -1} means no limit.
+     */
+    public void setFileCountMax(long fileCountMax) {
+        this.fileCountMax = fileCountMax;
+    }
+
     /**
      * Retrieves the character encoding used when reading the headers of an
      * individual part. When not specified, or {@code null}, the request
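Review bot: The Javadoc added here describes the limit as a number of files, but the caller in Request.java derives it from `maxParameterCount` minus the parameters already parsed, and its comment calls it "the limit for parts". It therefore appears to cap every multipart item, form fields included. I would word both methods accordingly, e.g. `Sets the maximum number of items (form fields and files) allowed per request.`, and remove the stray `/` that ends the setter's summary sentence. The same "files" wording is on the `fileCountMax` field in the previous hunk and in the class comment of FileCountLimitExceededException.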
@@ -253,6 +278,10 @@ public abstract class FileUploadBase {
                     "No FileItemFactory has been set.");
             final byte[] buffer = new byte[Streams.DEFAULT_BUFFER_SIZE];
             while (iter.hasNext()) {
+                if (items.size() == fileCountMax) {
+                    // The next item will exceed the limit.
+                    throw new FileCountLimitExceededException(ATTACHMENT, getFileCountMax());
+                }
                 final FileItemStream item = iter.next();
                 // Don't use getName() here to prevent an InvalidFileNameException.
                 final String fileName = item.getName();
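Review bot: The exception is constructed with `ATTACHMENT` as its detail message. That constant is defined outside this hunk, and its name suggests a Content-Disposition token rather than a description, so a rejected request would log a message that does not explain the failure. A message naming the limit would help whoever triages these rejections. Separately, the guard is an exact-equality test that is only correct because it runs on every iteration from an empty list; `if (fileCountMax > -1 && items.size() >= fileCountMax) {` states the intent directly and does not depend on that. The loop body continues outside the hunk.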
diff --git a/java/org/apache/tomcat/util/http/fileupload/impl/FileCountLimitExceededException.java b/java/org/apache/tomcat/util/http/fileupload/impl/FileCountLimitExceededException.java
new file mode 100644
index 0000000000..958f681276
--- /dev/null
+++ b/java/org/apache/tomcat/util/http/fileupload/impl/FileCountLimitExceededException.java
@@ -0,0 +1,50 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.tomcat.util.http.fileupload.impl;
+
+import org.apache.tomcat.util.http.fileupload.FileUploadException;
+
+/**
+ * This exception is thrown if a request contains more files than the specified
+ * limit.
+ */
+public class FileCountLimitExceededException extends FileUploadException {
+
+    private static final long serialVersionUID = 2408766352570556046L;
+
+    private final long limit;
+
+    /**
+     * Creates a new instance.
+     *
+     * @param message The detail message
+     * @param limit The limit that was exceeded
+     */
+    public FileCountLimitExceededException(final String message, final long limit) {
+        super(message);
+        this.limit = limit;
+    }
+
+    /**
+     * Retrieves the limit that was exceeded.
+     *
+     * @return The limit that was exceeded by the request
+     */
+    public long getLimit() {
+        return limit;
+    }
+}
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index db6edb18cf..43facab6e9 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -163,6 +163,10 @@
         Update the packaged version of the Apache Tomcat Migration Tool for
         Jakarta EE to 1.0.6. (markt)
       </update>
+      <update>
+        Update the internal fork of Apache Commons FileUpload to 34eb241
+        (2023-01-03, 2.0-SNAPSHOT). (markt)
+      </update>
     </changelog>
   </subsection>
 </section>
diff --git a/webapps/docs/config/ajp.xml b/webapps/docs/config/ajp.xml
index 0a3a260bf3..f4de8b0171 100644
--- a/webapps/docs/config/ajp.xml
+++ b/webapps/docs/config/ajp.xml
@@ -149,12 +149,15 @@
     </attribute>
 
     <attribute name="maxParameterCount" required="false">
-      <p>The maximum number of parameter and value pairs (GET plus POST) which
-      will be automatically parsed by the container. Parameter and value pairs
-      beyond this limit will be ignored. A value of less than 0 means no limit.
-      If not specified, a default of 10000 is used. Note that
-      <code>FailedRequestFilter</code> <a href="filter.html">filter</a> can be
-      used to reject requests that hit the limit.</p>
+      <p>The maximum total number of request parameters (including uploaded
+      files) obtained from the query string and, for POST requests, the request
+      body if the content type is
+      <code>application/x-www-form-urlencoded</code> or
+      <code>multipart/form-data</code>. Request parameters beyond this limit
+      will be ignored. A value of less than 0 means no limit. If not specified,
+      a default of 10000 is used. Note that <code>FailedRequestFilter</code>
+      <a href="filter.html">filter</a> can be used to reject requests that
+      exceed the limit.</p>
     </attribute>
 
     <attribute name="maxPostSize" required="false">
diff --git a/webapps/docs/config/http.xml b/webapps/docs/config/http.xml
index 40afbfb8fd..17271cf979 100644
--- a/webapps/docs/config/http.xml
+++ b/webapps/docs/config/http.xml
@@ -145,12 +145,15 @@
     </attribute>
 
     <attribute name="maxParameterCount" required="false">
-      <p>The maximum number of parameter and value pairs (GET plus POST) which
-      will be automatically parsed by the container. Parameter and value pairs
-      beyond this limit will be ignored. A value of less than 0 means no limit.
-      If not specified, a default of 10000 is used. Note that
-      <code>FailedRequestFilter</code> <a href="filter.html">filter</a> can be
-      used to reject requests that hit the limit.</p>
+      <p>The maximum total number of request parameters (including uploaded
+      files) obtained from the query string and, for POST requests, the request
+      body if the content type is
+      <code>application/x-www-form-urlencoded</code> or
+      <code>multipart/form-data</code>. Request parameters beyond this limit
+      will be ignored. A value of less than 0 means no limit. If not specified,
+      a default of 10000 is used. Note that <code>FailedRequestFilter</code>
+      <a href="filter.html">filter</a> can be used to reject requests that
+      exceed the limit.</p>
     </attribute>
 
     <attribute name="maxPostSize" required="false">




[tomcat] 02/03: Update package renamed fork of Commons BCEL

Posted by ma...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit a6fed7ace3ac90919f598a6eb2bfa4d95e54f61f
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Tue Jan 3 12:28:02 2023 +0000

    Update package renamed fork of Commons BCEL
---
 MERGE.txt                                              |  2 +-
 .../tomcat/util/bcel/classfile/ConstantPool.java       | 18 +++++++++++-------
 webapps/docs/changelog.xml                             |  4 ++++
 3 files changed, 16 insertions(+), 8 deletions(-)

diff --git a/MERGE.txt b/MERGE.txt
index 41646180c2..de8e38d901 100644
--- a/MERGE.txt
+++ b/MERGE.txt
@@ -37,7 +37,7 @@ Unused code is removed
 Sub-tree:
 src/main/java/org/apache/bcel
 The SHA1 ID / tag for the most recent commit to be merged to Tomcat is:
-b015e90257850e810e57d1244664300f50de4a4c (2022-11-28)
+2ee2bff580c7138545377628074173412c27290c (2023-01-02)
 
 Codec
 -----
diff --git a/java/org/apache/tomcat/util/bcel/classfile/ConstantPool.java b/java/org/apache/tomcat/util/bcel/classfile/ConstantPool.java
index 468314f097..a9639e0be4 100644
--- a/java/org/apache/tomcat/util/bcel/classfile/ConstantPool.java
+++ b/java/org/apache/tomcat/util/bcel/classfile/ConstantPool.java
@@ -44,6 +44,7 @@ public class ConstantPool {
         constantPool = new Constant[constantPoolCount];
         /*
          * constantPool[0] is unused by the compiler and may be used freely by the implementation.
+         * constantPool[0] is currently unused by the implementation.
          */
         for (int i = 1; i < constantPoolCount; i++) {
             constantPool[i] = Constant.readConstant(input);
@@ -105,22 +106,25 @@ public class ConstantPool {
      * @throws ClassFormatException if index is invalid
      */
     public <T extends Constant> T getConstant(final int index, final Class<T> castTo) throws ClassFormatException {
-        if (index >= constantPool.length || index < 0) {
+        if (index >= constantPool.length || index < 1) {
             throw new ClassFormatException("Invalid constant pool reference using index: " + index + ". Constant pool size is: " + constantPool.length);
         }
         if (constantPool[index] != null && !castTo.isAssignableFrom(constantPool[index].getClass())) {
             throw new ClassFormatException("Invalid constant pool reference at index: " + index +
                     ". Expected " + castTo + " but was " + constantPool[index].getClass());
         }
-        // Previous check ensures this won't throw a ClassCastException
-        final T c = castTo.cast(constantPool[index]);
-        // the 0th element is always null
-        if (c == null && index != 0) {
+        if (index > 1) {
             final Constant prev = constantPool[index - 1];
-            if (prev == null || prev.getTag() != Const.CONSTANT_Double && prev.getTag() != Const.CONSTANT_Long) {
-                throw new ClassFormatException("Constant pool at index " + index + " is null.");
+            if (prev != null && (prev.getTag() == Const.CONSTANT_Double || prev.getTag() == Const.CONSTANT_Long)) {
+                throw new ClassFormatException("Constant pool at index " + index + " is invalid. The index is unused due to the preceeding "
+                        + Const.getConstantName(prev.getTag()) + ".");
             }
         }
+        // Previous check ensures this won't throw a ClassCastException
+        final T c = castTo.cast(constantPool[index]);
+        if (c == null) {
+            throw new ClassFormatException("Constant pool at index " + index + " is null.");
+        }
         return c;
     }
 
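Review bot: `getConstant` now rejects index 0 (`index < 1`) where the old code returned null for it, so any caller that passes 0 to mean "no entry" will get a `ClassFormatException` instead. Those callers are outside this hunk and should be checked, and the method Javadoc (`@throws ClassFormatException if index is invalid`) should say that 0 counts as invalid. The new message also misspells "preceding"; the string should read `" is invalid. The index is unused due to the preceding "`.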
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 43facab6e9..bed020552d 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -163,6 +163,10 @@
         Update the packaged version of the Apache Tomcat Migration Tool for
         Jakarta EE to 1.0.6. (markt)
       </update>
+      <update>
+        Update the internal fork of Apache Commons BCEL to 2ee2bff (2023-01-02,
+        6.7.1-SNAPSHOT). (markt)
+      </update>
       <update>
         Update the internal fork of Apache Commons FileUpload to 34eb241
         (2023-01-03, 2.0-SNAPSHOT). (markt)




[tomcat] 03/03: Update package renamed fork of Commons Codec

Posted by ma...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit e529969d152c9ffa17226ee3cd1225b471cb0d59
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Tue Jan 3 12:41:45 2023 +0000

    Update package renamed fork of Commons Codec
---
 MERGE.txt                                                | 4 ++--
 java/org/apache/tomcat/util/codec/binary/BaseNCodec.java | 5 +++--
 webapps/docs/changelog.xml                               | 6 +++++-
 3 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/MERGE.txt b/MERGE.txt
index de8e38d901..5673ec8d95 100644
--- a/MERGE.txt
+++ b/MERGE.txt
@@ -37,7 +37,7 @@ Unused code is removed
 Sub-tree:
 src/main/java/org/apache/bcel
 The SHA1 ID / tag for the most recent commit to be merged to Tomcat is:
-2ee2bff580c7138545377628074173412c27290c (2023-01-02)
+2ee2bff580c7138545377628074173412c27290c (2023-01-03)
 
 Codec
 -----
@@ -45,7 +45,7 @@ Unused code is removed
 Sub-tree:
 src/main/java/org/apache/commons/codec
 The SHA1 ID / tag for the most recent commit to be merged to Tomcat is:
-ae32a3f2fa6b722b8ad67bd125a52edb78932314 (2022-11-29)
+f03cbd3ba741758ead9f59bc07e6688a739a4813 (2023-01-03)
 Note: Only classes required for Base64 encoding/decoding. The rest are removed.
 
 FileUpload
diff --git a/java/org/apache/tomcat/util/codec/binary/BaseNCodec.java b/java/org/apache/tomcat/util/codec/binary/BaseNCodec.java
index 09e647ff97..0bfcf7312a 100644
--- a/java/org/apache/tomcat/util/codec/binary/BaseNCodec.java
+++ b/java/org/apache/tomcat/util/codec/binary/BaseNCodec.java
@@ -16,6 +16,8 @@
  */
 package org.apache.tomcat.util.codec.binary;
 
+import java.util.Arrays;
+
 import org.apache.tomcat.util.buf.HexUtils;
 import org.apache.tomcat.util.res.StringManager;
 
@@ -206,8 +208,7 @@ public abstract class BaseNCodec {
             newCapacity = createPositiveCapacity(minCapacity);
         }
 
-        final byte[] b = new byte[newCapacity];
-        System.arraycopy(context.buffer, 0, b, 0, context.buffer.length);
+        final byte[] b = Arrays.copyOf(context.buffer, newCapacity);
         context.buffer = b;
         return b;
     }
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index bed020552d..b80ff1a41d 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -164,9 +164,13 @@
         Jakarta EE to 1.0.6. (markt)
       </update>
       <update>
-        Update the internal fork of Apache Commons BCEL to 2ee2bff (2023-01-02,
+        Update the internal fork of Apache Commons BCEL to 2ee2bff (2023-01-03,
         6.7.1-SNAPSHOT). (markt)
       </update>
+      <update>
+        Update the internal fork of Apache Commons Codec to 3eafd6c (2023-01-03,
+        1.16-SNAPSHOT). (markt)
+      </update>
       <update>
         Update the internal fork of Apache Commons FileUpload to 34eb241
         (2023-01-03, 2.0-SNAPSHOT). (markt)

