Posted to commits@wicket.apache.org by mg...@apache.org on 2014/02/07 15:15:47 UTC
git commit: WICKET-5502 Patch FileUploadBase to fix CVE-2014-0050
Updated Branches:
refs/heads/wicket-6.x c7ed5a0d5 -> b7fe180d8
WICKET-5502 Patch FileUploadBase to fix CVE-2014-0050
Project: http://git-wip-us.apache.org/repos/asf/wicket/repo
Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/b7fe180d
Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/b7fe180d
Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/b7fe180d
Branch: refs/heads/wicket-6.x
Commit: b7fe180d850da71b0ac639ff741b0c590b4cd6eb
Parents: c7ed5a0
Author: Martin Tzvetanov Grigorov <mg...@apache.org>
Authored: Fri Feb 7 15:15:21 2014 +0100
Committer: Martin Tzvetanov Grigorov <mg...@apache.org>
Committed: Fri Feb 7 15:15:21 2014 +0100
----------------------------------------------------------------------
.../wicket/util/upload/FileUploadBase.java | 25 +++++++++++++++++++-
.../util/upload/MultipartFormInputStream.java | 9 ++++++-
2 files changed, 32 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/wicket/blob/b7fe180d/wicket-util/src/main/java/org/apache/wicket/util/upload/FileUploadBase.java
----------------------------------------------------------------------
diff --git a/wicket-util/src/main/java/org/apache/wicket/util/upload/FileUploadBase.java b/wicket-util/src/main/java/org/apache/wicket/util/upload/FileUploadBase.java
index 808fb42..1bd5a86 100644
--- a/wicket-util/src/main/java/org/apache/wicket/util/upload/FileUploadBase.java
+++ b/wicket-util/src/main/java/org/apache/wicket/util/upload/FileUploadBase.java
@@ -866,7 +866,16 @@ public abstract class FileUploadBase
notifier = new MultipartFormInputStream.ProgressNotifier(listener,
ctx.getContentLength());
- multi = new MultipartFormInputStream(input, boundary, notifier);
+ try
+ {
+ multi = new MultipartFormInputStream(input, boundary, notifier);
+ }
+ catch (IllegalArgumentException iae)
+ {
+ throw new InvalidContentTypeException(String.format(
+ "The boundary specified in the %s header is too long",
+ CONTENT_TYPE), iae);
+ }
multi.setHeaderEncoding(charEncoding);
skipPreamble = true;
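Review bot: The new catch maps every IllegalArgumentException thrown by the MultipartFormInputStream constructor to "boundary too long", but nothing at the call site records why that mapping is sound; the reader has to know that the stream's only IllegalArgumentException comes from its boundary-versus-buffer check and that this 3-arg constructor uses a fixed default buffer size, neither of which is visible here. A one-line comment above the `try` would pin that, e.g. `// The stream rejects boundaries that do not fit its buffer (CVE-2014-0050); report that as an invalid Content-Type rather than letting the unchecked exception escape`. If the constructor later grows other argument checks, this message would have to be revisited. The enclosing method starts and ends outside this hunk.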
@@ -1085,6 +1094,20 @@ public abstract class FileUploadBase
{
super(message);
}
+
+ /**
+ * Constructs an <code>InvalidContentTypeException</code> with the specified detail message
+ * and cause.
+ *
+ * @param message
+ * The detail message.
+ * @param cause
+ * The real cause
+ */
+ public InvalidContentTypeException(final String message, Throwable cause)
+ {
+ super(message, cause);
+ }
}
/**
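Review bot: `cause` is not declared `final` while `message` in the same signature is, `public InvalidContentTypeException(final String message, Throwable cause)`; for consistency use `final Throwable cause`. The Javadoc line `The real cause` would read better as `The underlying cause`. The enclosing class continues outside this hunk.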
http://git-wip-us.apache.org/repos/asf/wicket/blob/b7fe180d/wicket-util/src/main/java/org/apache/wicket/util/upload/MultipartFormInputStream.java
----------------------------------------------------------------------
diff --git a/wicket-util/src/main/java/org/apache/wicket/util/upload/MultipartFormInputStream.java b/wicket-util/src/main/java/org/apache/wicket/util/upload/MultipartFormInputStream.java
index 337f4eb..1602715 100644
--- a/wicket-util/src/main/java/org/apache/wicket/util/upload/MultipartFormInputStream.java
+++ b/wicket-util/src/main/java/org/apache/wicket/util/upload/MultipartFormInputStream.java
@@ -321,9 +321,15 @@ public class MultipartFormInputStream
// We prepend CR/LF to the boundary to chop trailng CR/LF from
// body-data tokens.
- this.boundary = new byte[boundary.length + BOUNDARY_PREFIX.length];
boundaryLength = boundary.length + BOUNDARY_PREFIX.length;
+ if (bufSize < this.boundaryLength + 1)
+ {
+ throw new IllegalArgumentException(
+ "The buffer size specified for the MultipartFormInputStream is too small");
+ }
+ this.boundary = new byte[this.boundaryLength];
keepRegion = this.boundary.length;
+
System.arraycopy(BOUNDARY_PREFIX, 0, this.boundary, 0, BOUNDARY_PREFIX.length);
System.arraycopy(boundary, 0, this.boundary, BOUNDARY_PREFIX.length, boundary.length);
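Review bot: The new guard `if (bufSize < this.boundaryLength + 1)` is the actual CVE-2014-0050 mitigation, yet neither a comment nor the exception message says what it protects or where the numbers come from; `boundaryLength` is derived from the client-supplied Content-Type boundary, so this is the line where untrusted input is bounded. I would add a comment above the check, e.g. `// The boundary plus at least one byte of body data must fit in the buffer (CVE-2014-0050)` — the reason for the `+ 1` is my reading of the fix and should be confirmed against the read loop, which is outside this hunk — and put the values in the message so a rejected request can be diagnosed: `"The buffer size specified for the MultipartFormInputStream is too small: " + bufSize + " < " + (this.boundaryLength + 1)`. Running the check before `this.boundary` is allocated is the right order. The enclosing constructor starts outside this hunk.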
@@ -346,6 +352,7 @@ public class MultipartFormInputStream
*
* @see #MultipartFormInputStream(InputStream, byte[], int,
* MultipartFormInputStream.ProgressNotifier)
+ * @throws IllegalArgumentException If the buffer size is too small
*/
MultipartFormInputStream(final InputStream input, final byte[] boundary,
final ProgressNotifier pNotifier)
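Review bot: The added `@throws IllegalArgumentException If the buffer size is too small` describes the 3-arg constructor, which presumably delegates to the 4-arg overload with a default buffer size (the `@see` suggests so; the body is outside this hunk), so callers of this constructor do not choose a buffer size and the condition they can actually trigger is a boundary that is too long. I would word it from their point of view: `@throws IllegalArgumentException If the boundary does not fit in the default buffer`.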