This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/10.1.x by this push: new f29afff8ea Fix BZ 66488 - Fix header / request line mix-up within request f29afff8ea is described below commit f29afff8eadd5bf753b111e8fe1a69e5018dceee Author: Mark Thomas <ma...@apache.org> AuthorDate: Mon Feb 27 12:09:58 2023 +0000 Fix BZ 66488 - Fix header / request line mix-up within request --- java/org/apache/tomcat/util/buf/MessageBytes.java | 6 +- .../apache/tomcat/util/buf/TestMessageBytes.java | 2 +- .../util/buf/TestMessageBytesIntegration.java | 106 +++++++++++++++++++++ webapps/docs/changelog.xml | 6 ++ 4 files changed, 115 insertions(+), 5 deletions(-)
diff --git a/java/org/apache/tomcat/util/buf/MessageBytes.java b/java/org/apache/tomcat/util/buf/MessageBytes.java
index 3442637546..f1b37ae9ae 100644
--- a/java/org/apache/tomcat/util/buf/MessageBytes.java
+++ b/java/org/apache/tomcat/util/buf/MessageBytes.java
@@ -283,9 +283,7 @@ public final class MessageBytes implements Cloneable, Serializable {
 * above code point 0xFF.
 */
 private void toBytesSimple(char[] chars, int start, int len) {
- byteC.recycle();
- byteC.allocate(len, byteC.getLimit());
- byte[] bytes = byteC.getBuffer();
+ byte[] bytes = new byte[len];
 for (int i = 0; i < len; i++) {
 if (chars[i + start] > 255) {
@@ -296,7 +294,7 @@ public final class MessageBytes implements Cloneable, Serializable {
 }
 }
- byteC.setEnd(len);
+ byteC.setBytes(bytes, 0, len);
 type = T_BYTES;
 }
diff --git a/test/org/apache/tomcat/util/buf/TestMessageBytes.java b/test/org/apache/tomcat/util/buf/TestMessageBytes.java
index 4abc1b6374..df8718e007 100644
--- a/test/org/apache/tomcat/util/buf/TestMessageBytes.java
+++ b/test/org/apache/tomcat/util/buf/TestMessageBytes.java
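Review bot: The new `byte[] bytes = new byte[len];` at the top of toBytesSimple() has no comment explaining why a fresh array is required, and the removed recycle()/allocate()/getBuffer() sequence looks like the cheaper option to anyone tuning this path later. Going by the commit title and the changelog entry, reusing byteC's existing buffer is what allowed one part of the request to overwrite another, presumably because that buffer can be shared with other request data. I would add above the allocation: `// Always convert into a new array; byteC's current buffer may be shared with other parts of the request (BZ 66488)`. The same reasoning covers `byteC.setBytes(bytes, 0, len)` in the second hunk (@@ -296,7 +294,7); the loop body between the two hunks is not visible here.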
@@ -123,7 +123,7 @@ public class TestMessageBytes {
 optimized = doTestOptimisedConversionPerformance();
 nonOptimized = doTestConversionPerformance();
- System.out.println(optimized + " " + nonOptimized);
+ System.out.println(" Optimized: " + optimized + "\nNon-optimized: " + nonOptimized);
 if (optimized * 2 < nonOptimized) {
 break;
 }
diff --git a/test/org/apache/tomcat/util/buf/TestMessageBytesIntegration.java b/test/org/apache/tomcat/util/buf/TestMessageBytesIntegration.java
new file mode 100644
index 0000000000..5087ccb1ee
--- /dev/null
+++ b/test/org/apache/tomcat/util/buf/TestMessageBytesIntegration.java
@@ -0,0 +1,106 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.tomcat.util.buf;
+
+import java.io.IOException;
+import java.util.Arrays;
+import java.util.Enumeration;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+
+import jakarta.servlet.ServletContextEvent;
+import jakarta.servlet.ServletContextListener;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.SessionTrackingMode;
+import jakarta.servlet.http.HttpServlet;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+
+import org.junit.Assert;
+import org.junit.Test;
+
+import org.apache.catalina.Context;
+import org.apache.catalina.startup.Tomcat;
+import org.apache.catalina.startup.TomcatBaseTest;
+
+public class TestMessageBytesIntegration extends TomcatBaseTest {
+
+ /*
+ * https://bz.apache.org/bugzilla/show_bug.cgi?id=66488
+ */
+ @Test
+ public void testBytesStringBytesMixup() throws Exception {
+ Tomcat tomcat = getTomcatInstance();
+
+ // No file system docBase required
+ Context ctx = tomcat.addContext("", null);
+
+ ctx.addApplicationListener("org.apache.tomcat.util.buf.TestMessageBytesIntegration$MixUpConfig");
+
+ // Add servlet
+ Tomcat.addServlet(ctx, "MixUpServlet", new MixUpServlet());
+ ctx.addServletMappingDecoded("/mixup", "MixUpServlet");
+
+ tomcat.start();
+
+ ByteChunk body = new ByteChunk();
+ Map<String,List<String>> requestHeaders = new HashMap<>();
+ requestHeaders.put("Cookie", Arrays.asList("a=b; c=d"));
+ getUrl("http://localhost:" + getPort() + "/mixup", body, requestHeaders, null);
+
+ Assert.assertEquals("/mixup", body.toString());
+ }
+
+
+ private static class MixUpServlet extends HttpServlet {
+
+ private static final long serialVersionUID = 1L;
+
+ @Override
+ protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
+ // Convert all headers to String
+ Enumeration<String> names = req.getHeaderNames();
+ while (names.hasMoreElements()) {
+ String name = names.nextElement();
+ Enumeration<String> values = req.getHeaders(name);
+ while (values.hasMoreElements()) {
+ String value = values.nextElement();
+ System.out.println("[" + name + "] - [" + value + "]");
+ }
+ }
+
+ // Parsing cookies turns cookie header back to bytes (and triggers the bug)
+ req.getCookies();
+
+ resp.setContentType("text/plain");
+ resp.setCharacterEncoding("UTF-8");
+
+ resp.getWriter().print(req.getRequestURI());
+ }
+ }
+
+
+ public static class MixUpConfig implements ServletContextListener {
+
+ @Override
+ public void contextInitialized(ServletContextEvent sce) {
+ sce.getServletContext().setSessionTrackingModes(new HashSet<>(Arrays.asList(SessionTrackingMode.URL)));
+ }
+ }
+}
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 729ed8f22a..a434ef8b3f 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
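Review bot: The status code returned by `getUrl(...)` in testBytesStringBytesMixup() is discarded, so a failed request is only caught indirectly through the body comparison; capture it with `int rc = getUrl("http://localhost:" + getPort() + "/mixup", body, requestHeaders, null);` and check `Assert.assertEquals(HttpServletResponse.SC_OK, rc);` before comparing the body. The test also pins only the request URI, while the changelog entry describes header corruption as well, so the Cookie value sent (`a=b; c=d`) is never verified after `req.getCookies()` runs. The `System.out.println` in MixUpServlet.doGet() is presumably not needed to trigger the conversion, since `values.nextElement()` already returns the String, and it adds noise to the test log.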
@@ -124,6 +124,12 @@ Provide a more appropriate response (501 rather than 400) when rejecting an HTTP request using the CONNECT method. (markt) </update> + <fix> + <bug>66488</bug>: Correct a regression introduced in the fix for bug + <bug>66196</bug> that meant that the HTTP headers and/or request line + could get corrupted (one part overwriting another part) within a single + request. (markt) + </fix> <fix> <bug>66491</bug>: Correct the BND configuration used by the build script so that the provider configuration file required by Tomcat's custom URL