Posted to commits@wicket.apache.org by mg...@apache.org on 2014/02/07 15:15:47 UTC

git commit: WICKET-5502 Patch FileUploadBase to fix CVE-2014-0050

Updated Branches:
  refs/heads/wicket-6.x c7ed5a0d5 -> b7fe180d8


WICKET-5502 Patch FileUploadBase to fix CVE-2014-0050


Project: http://git-wip-us.apache.org/repos/asf/wicket/repo
Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/b7fe180d
Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/b7fe180d
Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/b7fe180d

Branch: refs/heads/wicket-6.x
Commit: b7fe180d850da71b0ac639ff741b0c590b4cd6eb
Parents: c7ed5a0
Author: Martin Tzvetanov Grigorov <mg...@apache.org>
Authored: Fri Feb 7 15:15:21 2014 +0100
Committer: Martin Tzvetanov Grigorov <mg...@apache.org>
Committed: Fri Feb 7 15:15:21 2014 +0100

----------------------------------------------------------------------
 .../wicket/util/upload/FileUploadBase.java      | 25 +++++++++++++++++++-
 .../util/upload/MultipartFormInputStream.java   |  9 ++++++-
 2 files changed, 32 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/wicket/blob/b7fe180d/wicket-util/src/main/java/org/apache/wicket/util/upload/FileUploadBase.java
----------------------------------------------------------------------
diff --git a/wicket-util/src/main/java/org/apache/wicket/util/upload/FileUploadBase.java b/wicket-util/src/main/java/org/apache/wicket/util/upload/FileUploadBase.java
index 808fb42..1bd5a86 100644
--- a/wicket-util/src/main/java/org/apache/wicket/util/upload/FileUploadBase.java
+++ b/wicket-util/src/main/java/org/apache/wicket/util/upload/FileUploadBase.java
@@ -866,7 +866,16 @@ public abstract class FileUploadBase
 
 			notifier = new MultipartFormInputStream.ProgressNotifier(listener,
 				ctx.getContentLength());
-			multi = new MultipartFormInputStream(input, boundary, notifier);
+			try
+			{
+				multi = new MultipartFormInputStream(input, boundary, notifier);
+			}
+			catch (IllegalArgumentException iae)
+			{
+				throw new InvalidContentTypeException(String.format(
+					"The boundary specified in the %s header is too long",
+					CONTENT_TYPE), iae);
+			}
 			multi.setHeaderEncoding(charEncoding);
 
 			skipPreamble = true;
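Review bot: The new catch clause around the MultipartFormInputStream constructor reports every IllegalArgumentException with the fixed text "boundary ... is too long" but gives no size, so an operator reviewing rejected uploads cannot distinguish a legitimately long boundary from a crafted one. The `boundary` byte array is already in scope, so its length can be reported without echoing the boundary bytes: `"The boundary specified in the %s header is too long (%d bytes)", CONTENT_TYPE, boundary.length`. Passing `iae` as the cause is the right choice, since the underlying message from MultipartFormInputStream then survives in the stack trace. The enclosing method starts and ends outside this hunk.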
@@ -1085,6 +1094,20 @@ public abstract class FileUploadBase
 		{
 			super(message);
 		}
+
+		/**
+		 * Constructs an <code>InvalidContentTypeException</code> with the specified detail message
+		 * and cause.
+		 *
+		 * @param message
+		 *            The detail message.
+		 * @param cause
+		 *            The real cause
+		 */
+		public InvalidContentTypeException(final String message, Throwable cause)
+		{
+			super(message, cause);
+		}
 	}
 
 	/**
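Review bot: The new two-argument constructor marks `message` as `final` but leaves `cause` unqualified, so the two parameters of one signature follow different conventions; `public InvalidContentTypeException(final String message, final Throwable cause)` keeps them consistent. In the Javadoc, `The real cause` would read more naturally as `The underlying cause`. The start of the InvalidContentTypeException class lies outside this hunk.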

http://git-wip-us.apache.org/repos/asf/wicket/blob/b7fe180d/wicket-util/src/main/java/org/apache/wicket/util/upload/MultipartFormInputStream.java
----------------------------------------------------------------------
diff --git a/wicket-util/src/main/java/org/apache/wicket/util/upload/MultipartFormInputStream.java b/wicket-util/src/main/java/org/apache/wicket/util/upload/MultipartFormInputStream.java
index 337f4eb..1602715 100644
--- a/wicket-util/src/main/java/org/apache/wicket/util/upload/MultipartFormInputStream.java
+++ b/wicket-util/src/main/java/org/apache/wicket/util/upload/MultipartFormInputStream.java
@@ -321,9 +321,15 @@ public class MultipartFormInputStream
 
 		// We prepend CR/LF to the boundary to chop trailng CR/LF from
 		// body-data tokens.
-		this.boundary = new byte[boundary.length + BOUNDARY_PREFIX.length];
 		boundaryLength = boundary.length + BOUNDARY_PREFIX.length;
+		if (bufSize < this.boundaryLength + 1)
+		{
+			throw new IllegalArgumentException(
+				"The buffer size specified for the MultipartFormInputStream is too small");
+		}
+		this.boundary = new byte[this.boundaryLength];
 		keepRegion = this.boundary.length;
+
 		System.arraycopy(BOUNDARY_PREFIX, 0, this.boundary, 0, BOUNDARY_PREFIX.length);
 		System.arraycopy(boundary, 0, this.boundary, BOUNDARY_PREFIX.length, boundary.length);
 
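Review bot: The new guard reads the field as `this.boundaryLength` while the assignment on the line directly above writes it as bare `boundaryLength`, so adjacent lines name the same field two ways; `if (bufSize < boundaryLength + 1)` or qualifying both occurrences makes it obvious that one value is being compared. The IllegalArgumentException message also states only that the buffer is too small; appending the two numbers, `"... is too small: " + bufSize + " < " + (boundaryLength + 1)`, would make the resulting log entry actionable without exposing any request content. This check sits in the four-argument constructor, whose signature and Javadoc are outside the hunk; if that Javadoc does not already carry it, it should receive the same `@throws IllegalArgumentException` tag that the three-argument overload gets in the following hunk.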
@@ -346,6 +352,7 @@ public class MultipartFormInputStream
 	 * 
 	 * @see #MultipartFormInputStream(InputStream, byte[], int,
 	 *      MultipartFormInputStream.ProgressNotifier)
+	 * @throws IllegalArgumentException If the buffer size is too small
 	 */
 	MultipartFormInputStream(final InputStream input, final byte[] boundary,
 		final ProgressNotifier pNotifier)
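Review bot: The added `@throws` describes the failure as the buffer size being too small, yet this overload takes no buffer size — its parameters are the input, the boundary and the notifier, and it presumably delegates to the four-argument constructor with a default — so a caller cannot act on that wording. Phrase it in terms the caller controls: `@throws IllegalArgumentException If the boundary is too long for the default buffer size`. The constructor body continues outside this hunk.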