(tomcat) branch 10.1.x updated: The default servlet now rejects HTTP overlapping range requests

markt Wed, 27 Nov 2024 07:46:16 -0800

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git



The following commit(s) were added to refs/heads/10.1.x by this push:
     new ed8b88e988 The default servlet now rejects HTTP overlapping range 
requests
ed8b88e988 is described below

commit ed8b88e988c52d3b13983325292a56a4e11d9114
Author: Mark Thomas <[email protected]>
AuthorDate: Wed Nov 27 15:40:35 2024 +0000

    The default servlet now rejects HTTP overlapping range requests
    
    Based on #782 provided by Chenjp
---
 .../apache/catalina/servlets/DefaultServlet.java   | 41 ++++++++++++++++------
 .../servlets/TestDefaultServletRangeRequests.java  |  3 ++
 webapps/docs/changelog.xml                         |  5 +++
 3 files changed, 39 insertions(+), 10 deletions(-)

diff --git a/java/org/apache/catalina/servlets/DefaultServlet.java 
b/java/org/apache/catalina/servlets/DefaultServlet.java
index d1cc9b1c43..1187514d1c 100644
--- a/java/org/apache/catalina/servlets/DefaultServlet.java
+++ b/java/org/apache/catalina/servlets/DefaultServlet.java
@@ -1255,10 +1255,33 @@ public class DefaultServlet extends HttpServlet {
                 (range.getEnd() >= 0) && (range.getStart() <= range.getEnd()) 
&& (range.getLength() > 0);
     }
 
-    private static boolean validate(Ranges.Entry range, long length) {
-        long start = getStart(range, length);
-        long end = getEnd(range, length);
-        return (start >= 0) && (end >= 0) && (start <= end);
+    private static boolean validate(Ranges ranges, long length) {
+        List<long[]> rangeContext = new ArrayList<>();
+        for (Ranges.Entry range : ranges.getEntries()) {
+            long start = getStart(range, length);
+            long end = getEnd(range, length);
+            if (start < 0 || start > end) {
+                // Invalid range
+                return false;
+            }
+            // See https://www.rfc-editor.org/rfc/rfc9110.html#status.416
+            // No good reason for ranges to overlap so always reject
+            for (long[] r : rangeContext) {
+                long s2 = r[0];
+                long e2 = r[1];
+                // Given valid [s1,e1] and [s2,e2]
+                // If { s1>e2 || s2>e1 } then no overlap
+                // equivalent to
+                // If not { s1>e2 || s2>e1 } then overlap
+                // De Morgan's law
+                if (start <= e2 && s2 <= end) {
+                    // isOverlap
+                    return false;
+                }
+            }
+            rangeContext.add(new long[] { start, end });
+        }
+        return true;
     }
 
     private static long getStart(Ranges.Entry range, long length) {
@@ -1508,12 +1531,10 @@ public class DefaultServlet extends HttpServlet {
             return FULL;
         }
 
-        for (Ranges.Entry range : ranges.getEntries()) {
-            if (!validate(range, fileLength)) {
-                response.addHeader("Content-Range", "bytes */" + fileLength);
-                
response.sendError(HttpServletResponse.SC_REQUESTED_RANGE_NOT_SATISFIABLE);
-                return null;
-            }
+        if (!validate(ranges, fileLength)) {
+            response.addHeader("Content-Range", "bytes */" + fileLength);
+            
response.sendError(HttpServletResponse.SC_REQUESTED_RANGE_NOT_SATISFIABLE);
+            return null;
         }
 
         return ranges;
diff --git 
a/test/org/apache/catalina/servlets/TestDefaultServletRangeRequests.java 
b/test/org/apache/catalina/servlets/TestDefaultServletRangeRequests.java
index 1ebf851b01..ccd41fbc26 100644
--- a/test/org/apache/catalina/servlets/TestDefaultServletRangeRequests.java
+++ b/test/org/apache/catalina/servlets/TestDefaultServletRangeRequests.java
@@ -63,6 +63,9 @@ public class TestDefaultServletRangeRequests extends 
TomcatBaseTest {
         parameterSets.add(new Object[] { "bytes=b-10", null, 
Integer.valueOf(416), "", "*/" + len });
         // Invalid ranges (out of range)
         parameterSets.add(new Object[] { "bytes=1000-2000", null, 
Integer.valueOf(416), "", "*/" + len });
+        // Invalid overlapping ranges
+        parameterSets.add(new Object[] { "bytes=1-100, 30-50", null, 
Integer.valueOf(416), "", "*/" + len });
+        parameterSets.add(new Object[] { "bytes=1-100, 90-150", null, 
Integer.valueOf(416), "", "*/" + len });
         // Invalid no equals
         parameterSets.add(new Object[] { "bytes 1-10", null, 
Integer.valueOf(416), "", "*/" + len });
         parameterSets.add(new Object[] { "bytes1-10", null, 
Integer.valueOf(416), "", "*/" + len });
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 8ca75e430d..a3ad282a16 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -197,6 +197,11 @@
         <pr>787</pr>: Add regression tests for <bug>69478</bug>. Pull request
         provided by Thomas Krisch. (markt)
       </add>
+      <fix>
+        The default servlet now rejects HTTP range requests when two or more of
+        the requested ranges overlap. Based on pull request <pr>782</pr>
+        provided by Chenjp. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Coyote">


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

(tomcat) branch 10.1.x updated: The default servlet now rejects HTTP overlapping range requests

Reply via email to