This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/10.1.x by this push:
     new 1edf8e7c54 Revert "Reject Range-Request if those ranges are not 
strictly in ascending order (#791)"
1edf8e7c54 is described below

commit 1edf8e7c54571bb55df9aec0cefa6b549afc3f35
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Wed Dec 4 07:47:13 2024 +0000

    Revert "Reject Range-Request if those ranges are not strictly in ascending 
order (#791)"
    
    This reverts commit 51a498285da6fbbb11ca7aa3ce18e7946aea588f.
---
 .../apache/catalina/servlets/DefaultServlet.java   | 22 +++++++++++++++-------
 .../servlets/TestDefaultServletRangeRequests.java  |  3 ---
 webapps/docs/changelog.xml                         |  6 +++---
 3 files changed, 18 insertions(+), 13 deletions(-)

diff --git a/java/org/apache/catalina/servlets/DefaultServlet.java 
b/java/org/apache/catalina/servlets/DefaultServlet.java
index 0ac8150a77..95633e7bc4 100644
--- a/java/org/apache/catalina/servlets/DefaultServlet.java
+++ b/java/org/apache/catalina/servlets/DefaultServlet.java
@@ -1250,7 +1250,7 @@ public class DefaultServlet extends HttpServlet {
     }
 
     private static boolean validate(Ranges ranges, long length) {
-        long prevEnd = -1;
+        List<long[]> rangeContext = new ArrayList<>();
         for (Ranges.Entry range : ranges.getEntries()) {
             long start = getStart(range, length);
             long end = getEnd(range, length);
@@ -1259,13 +1259,21 @@ public class DefaultServlet extends HttpServlet {
                 return false;
             }
             // See https://www.rfc-editor.org/rfc/rfc9110.html#status.416
-            // No good reason for ranges to overlap or not listed in ascending 
order, so always reject
-            if (prevEnd < 0 || prevEnd < start) {
-                // first range entry or strictly greater than previous range 
entry.
-                prevEnd = end;
-            } else {
-                return false;
+            // No good reason for ranges to overlap so always reject
+            for (long[] r : rangeContext) {
+                long s2 = r[0];
+                long e2 = r[1];
+                // Given valid [s1,e1] and [s2,e2]
+                // If { s1>e2 || s2>e1 } then no overlap
+                // equivalent to
+                // If not { s1>e2 || s2>e1 } then overlap
+                // De Morgan's law
+                if (start <= e2 && s2 <= end) {
+                    // isOverlap
+                    return false;
+                }
             }
+            rangeContext.add(new long[] { start, end });
         }
         return true;
     }
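Review bot: The inner `for (long[] r : rangeContext)` loop compares each range with every earlier one, so validation cost grows quadratically with the number of ranges in the header, and with the ascending-order rule gone nothing in this hunk limits how many small, scattered ranges a single request may carry. The entry count is presumably bounded only by the connector's header size limit, which is not visible here. Consider an explicit cap before the loop, for example `if (ranges.getEntries().size() > maxRanges) { return false; }` (`maxRanges` is a placeholder for a new limit, not an existing setting), or sort a copy of the start/end pairs and compare neighbours only. The test change in this commit only deletes the two out-of-order 416 cases, so no test visible here pins that non-overlapping, out-of-order ranges are now accepted. validate() begins in the previous hunk.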
diff --git 
a/test/org/apache/catalina/servlets/TestDefaultServletRangeRequests.java 
b/test/org/apache/catalina/servlets/TestDefaultServletRangeRequests.java
index 7a13839c97..ccd41fbc26 100644
--- a/test/org/apache/catalina/servlets/TestDefaultServletRangeRequests.java
+++ b/test/org/apache/catalina/servlets/TestDefaultServletRangeRequests.java
@@ -66,9 +66,6 @@ public class TestDefaultServletRangeRequests extends 
TomcatBaseTest {
         // Invalid overlapping ranges
         parameterSets.add(new Object[] { "bytes=1-100, 30-50", null, 
Integer.valueOf(416), "", "*/" + len });
         parameterSets.add(new Object[] { "bytes=1-100, 90-150", null, 
Integer.valueOf(416), "", "*/" + len });
-        // Invalid ranges that not in ascending order
-        parameterSets.add(new Object[] { "bytes=0-5, 6-10, 80-90, 60-70", 
null, Integer.valueOf(416), "", "*/" + len });
-        parameterSets.add(new Object[] { "bytes=0-5, -10, 60-70", null, 
Integer.valueOf(416), "", "*/" + len });
         // Invalid no equals
         parameterSets.add(new Object[] { "bytes 1-10", null, 
Integer.valueOf(416), "", "*/" + len });
         parameterSets.add(new Object[] { "bytes1-10", null, 
Integer.valueOf(416), "", "*/" + len });
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 18f9d7ac27..53f0f97853 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -198,9 +198,9 @@
         provided by Thomas Krisch. (markt)
       </add>
       <fix>
-        The default servlet now rejects HTTP range requests when requested
-        ranges overlap or are not in ascending order. Based on pull requests
-        <pr>782</pr> and <pr>791</pr> provided by Chenjp. (markt)
+        The default servlet now rejects HTTP range requests when two or more of
+        the requested ranges overlap. Based on pull request <pr>782</pr>
+        provided by Chenjp. (markt)
       </fix>
       <fix>
         Enhance Content-Range verification for partial PUT requests handled by

