This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 10.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/10.0.x by this push:
new c713a1a3c6 Address an edge case. Reject CRCRLF as a line terminator.
c713a1a3c6 is described below
commit c713a1a3c67b936e2f20c384cf18f513033fefa2
Author: Mark Thomas <[email protected]>
AuthorDate: Tue Aug 2 16:30:51 2022 +0100
Address an edge case. Reject CRCRLF as a line terminator.
Review of CR handling for RFC 9112
---
java/org/apache/coyote/http11/Http11InputBuffer.java | 3 ++-
.../apache/coyote/http11/TestHttp11InputBufferCRLF.java | 16 +++++++++++++++-
webapps/docs/changelog.xml | 4 ++++
3 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/java/org/apache/coyote/http11/Http11InputBuffer.java
b/java/org/apache/coyote/http11/Http11InputBuffer.java
index 6757e69aae..21491d438a 100644
--- a/java/org/apache/coyote/http11/Http11InputBuffer.java
+++ b/java/org/apache/coyote/http11/Http11InputBuffer.java
@@ -976,7 +976,8 @@ public class Http11InputBuffer implements InputBuffer,
ApplicationBufferHandler
prevChr = chr;
chr = byteBuffer.get();
- if (chr == Constants.CR) {
+ if (chr == Constants.CR && prevChr != Constants.CR) {
+ // CR is only permitted at the start of a CRLF
sequence.
// Possible start of CRLF - process the next byte.
} else if (chr == Constants.LF) {
// CRLF or LF is an acceptable line terminator
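Review bot: The added `prevChr != Constants.CR` test leaves two comments inside an empty branch, and neither says what happens to the second CR of a CRCR pair. From the visible lines that byte only fails the first condition and the `chr == Constants.LF` test, so whether it is rejected depends on branches outside this hunk. Lenient line-terminator handling is a known source of parsing disagreement between a front-end proxy and the server, so the rule is worth stating at the point where it is enforced. I would reword the first comment to `// A CR directly after a CR is not the start of a CRLF; it falls through to the checks below and must be rejected there.` The loop and its remaining branches start and end outside the hunk, so please confirm that the fall-through path rejects the header rather than accepting the CR as value data.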
diff --git a/test/org/apache/coyote/http11/TestHttp11InputBufferCRLF.java
b/test/org/apache/coyote/http11/TestHttp11InputBufferCRLF.java
index 2753c21071..c6e3d8593b 100644
--- a/test/org/apache/coyote/http11/TestHttp11InputBufferCRLF.java
+++ b/test/org/apache/coyote/http11/TestHttp11InputBufferCRLF.java
@@ -81,13 +81,21 @@ public class TestHttp11InputBufferCRLF extends
TomcatBaseTest {
CRLF,
Boolean.FALSE, Boolean.FALSE, parameterSets);
- // Invalid HTTP/1.1 request
+ // Invalid (request target) HTTP/1.1 request
addRequestWithSplits("GET /te<st HTTP/1.1" + CRLF +
"Host: localhost:8080" + CRLF +
"Connection: close" + CRLF +
CRLF,
Boolean.FALSE, Boolean.FALSE, parameterSets);
+ // Invalid (use of CR) HTTP/1.1 request
+ addRequestWithSplits("GET /test HTTP/1.1" + CRLF +
+ "Host: localhost:8080" + CRLF +
+ "Connection: close" + CRLF +
+ "X-aaa: bbb" + CR + CRLF +
+ CRLF,
+ Boolean.FALSE, Boolean.FALSE, parameterSets);
+
// Standard HTTP/1.1 request with a query string
addRequestWithSplits("GET /test?a=b HTTP/1.1" + CRLF +
"Host: localhost:8080" + CRLF +
@@ -116,6 +124,12 @@ public class TestHttp11InputBufferCRLF extends
TomcatBaseTest {
LF,
Boolean.FALSE, parameterSets);
+ // Invalid HTTP/1.1 request using CR rather than CRLF
+ addRequestWithSplits("GET /test HTTP/1.1" + CR +
+ "Host: localhost:8080" + CR +
+ "Connection: close" + CR +
+ CR,
+ Boolean.FALSE, Boolean.FALSE, parameterSets);
return parameterSets;
}
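Review bot: The CR-only case added before `return parameterSets;` uses CR for every terminator, including the one after the request line. The request is therefore presumably rejected before header parsing starts, and a bare CR at the end of a header line is never exercised on its own. A variant that keeps the request line valid would pin the header path, e.g. `addRequestWithSplits("GET /test HTTP/1.1" + CRLF + "Host: localhost:8080" + CR + "Connection: close" + CRLF + CRLF, Boolean.FALSE, Boolean.FALSE, parameterSets);`. The CRCRLF case in the earlier hunk of this file has the same gap: it places the stray CR only after a header value, so a case ending the header block with `CR + CRLF` would show whether the blank-line terminator is held to the same rule. The meaning of the two `Boolean.FALSE` arguments is not visible here; a short comment naming them would make the expected outcome of each negative case readable.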
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 178226f135..3ecbf6173a 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -127,6 +127,10 @@
Avoid potential NPE by skipping duplicate accept check when using a
Unix
Domain Socket. Based on <pr>532</pr> by Han Li. (markt)
</fix>
+ <fix>
+ Address an edge case in HTTP header parsing that allowed CRCRLF to be
+ used as a valid line terminator. (markt)
+ </fix>
</changelog>
</subsection>
</section>