(tomcat) branch 9.0.x updated: Reject Range-Request if those ranges are not strictly in ascending order (#791)

markt Tue, 03 Dec 2024 08:07:23 -0800

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git



The following commit(s) were added to refs/heads/9.0.x by this push:
     new ef730de75f Reject Range-Request if those ranges are not strictly in 
ascending order (#791)
ef730de75f is described below

commit ef730de75f180e23b83c59222c3a16ad9074c330
Author: Chenjp <ch...@msn.com>
AuthorDate: Tue Dec 3 23:44:32 2024 +0800

    Reject Range-Request if those ranges are not strictly in ascending order
    (#791)
    
    request  ranges are not strictly in ascending order, indicates either a
    broken client or a deliberate denial-of-service attack
---
 .../apache/catalina/servlets/DefaultServlet.java   | 28 ++++++----------------
 .../servlets/TestDefaultServletRangeRequests.java  |  3 +++
 webapps/docs/changelog.xml                         |  6 ++---
 3 files changed, 13 insertions(+), 24 deletions(-)

diff --git a/java/org/apache/catalina/servlets/DefaultServlet.java 
b/java/org/apache/catalina/servlets/DefaultServlet.java
index 7c4de528e2..5495e5d044 100644
--- a/java/org/apache/catalina/servlets/DefaultServlet.java
+++ b/java/org/apache/catalina/servlets/DefaultServlet.java
@@ -1484,7 +1484,7 @@ public class DefaultServlet extends HttpServlet {
         // Convert to Range
         ArrayList<Range> result = new ArrayList<>();
 
-        List<long[]> rangeContext = new ArrayList<>();
+        long prevEnd = -1;
         for (Ranges.Entry entry : ranges.getEntries()) {
             Range currentRange = new Range();
             if (entry.getStart() == -1) {
@@ -1502,30 +1502,16 @@ public class DefaultServlet extends HttpServlet {
             }
             currentRange.length = fileLength;
 
-            if (!currentRange.validate()) {
+            // See https://www.rfc-editor.org/rfc/rfc9110.html#status.416
+            // No good reason for ranges to overlap or not listed in ascending 
order, so always reject
+            if (currentRange.validate() && (prevEnd < 0 || prevEnd < 
currentRange.start)) {
+                // Range is valid and first range entry or strictly greater 
than previous range entry.
+                prevEnd = currentRange.end;
+            } else {
                 response.addHeader("Content-Range", "bytes */" + fileLength);
                 
response.sendError(HttpServletResponse.SC_REQUESTED_RANGE_NOT_SATISFIABLE);
                 return null;
             }
-
-            // See https://www.rfc-editor.org/rfc/rfc9110.html#status.416
-            // No good reason for ranges to overlap so always reject
-            for (long[] r : rangeContext) {
-                long s2 = r[0];
-                long e2 = r[1];
-                // Given valid [s1,e1] and [s2,e2]
-                // If { s1>e2 || s2>e1 } then no overlap
-                // equivalent to
-                // If not { s1>e2 || s2>e1 } then overlap
-                // De Morgan's law
-                if (currentRange.start <= e2 && s2 <= currentRange.end) {
-                    // isOverlap
-                    response.addHeader("Content-Range", "bytes */" + 
fileLength);
-                    
response.sendError(HttpServletResponse.SC_REQUESTED_RANGE_NOT_SATISFIABLE);
-                    return null;
-                }
-            }
-            rangeContext.add(new long[] { currentRange.start, currentRange.end 
});
             result.add(currentRange);
         }
 
diff --git 
a/test/org/apache/catalina/servlets/TestDefaultServletRangeRequests.java 
b/test/org/apache/catalina/servlets/TestDefaultServletRangeRequests.java
index ccd41fbc26..7a13839c97 100644
--- a/test/org/apache/catalina/servlets/TestDefaultServletRangeRequests.java
+++ b/test/org/apache/catalina/servlets/TestDefaultServletRangeRequests.java
@@ -66,6 +66,9 @@ public class TestDefaultServletRangeRequests extends 
TomcatBaseTest {
         // Invalid overlapping ranges
         parameterSets.add(new Object[] { "bytes=1-100, 30-50", null, 
Integer.valueOf(416), "", "*/" + len });
         parameterSets.add(new Object[] { "bytes=1-100, 90-150", null, 
Integer.valueOf(416), "", "*/" + len });
+        // Invalid ranges that not in ascending order
+        parameterSets.add(new Object[] { "bytes=0-5, 6-10, 80-90, 60-70", 
null, Integer.valueOf(416), "", "*/" + len });
+        parameterSets.add(new Object[] { "bytes=0-5, -10, 60-70", null, 
Integer.valueOf(416), "", "*/" + len });
         // Invalid no equals
         parameterSets.add(new Object[] { "bytes 1-10", null, 
Integer.valueOf(416), "", "*/" + len });
         parameterSets.add(new Object[] { "bytes1-10", null, 
Integer.valueOf(416), "", "*/" + len });
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 62f44a7317..f50469ef7e 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -194,9 +194,9 @@
         provided by Thomas Krisch. (markt)
       </add>
       <fix>
-        The default servlet now rejects HTTP range requests when two or more of
-        the requested ranges overlap. Based on pull request <pr>782</pr>
-        provided by Chenjp. (markt)
+        The default servlet now rejects HTTP range requests when requested
+        ranges overlap or are not in ascending order. Based on pull requests
+        <pr>782</pr> and <pr>791</pr> provided by Chenjp. (markt)
       </fix>
       <fix>
         Enhance Content-Range verification for partial PUT requests handled by


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

(tomcat) branch 9.0.x updated: Reject Range-Request if those ranges are not strictly in ascending order (#791)

Reply via email to