(tomcat) branch 9.0.x updated: Allow two overlapping ranges but no more.

markt Wed, 04 Dec 2024 01:38:46 -0800

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git



The following commit(s) were added to refs/heads/9.0.x by this push:
     new 7bd9464a1a Allow two overlapping ranges but no more.
7bd9464a1a is described below

commit 7bd9464a1a989ed39dc07bd1814c10edfcdb4aae
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Wed Dec 4 09:32:38 2024 +0000

    Allow two overlapping ranges but no more.
---
 .../apache/catalina/servlets/DefaultServlet.java   | 23 +++++++++++++++++-----
 .../servlets/TestDefaultServletRangeRequests.java  |  9 ++++++---
 2 files changed, 24 insertions(+), 8 deletions(-)

diff --git a/java/org/apache/catalina/servlets/DefaultServlet.java 
b/java/org/apache/catalina/servlets/DefaultServlet.java
index 7c4de528e2..d7363491f6 100644
--- a/java/org/apache/catalina/servlets/DefaultServlet.java
+++ b/java/org/apache/catalina/servlets/DefaultServlet.java
@@ -1485,6 +1485,7 @@ public class DefaultServlet extends HttpServlet {
         ArrayList<Range> result = new ArrayList<>();
 
         List<long[]> rangeContext = new ArrayList<>();
+        int overlapCount = 0;
         for (Ranges.Entry entry : ranges.getEntries()) {
             Range currentRange = new Range();
             if (entry.getStart() == -1) {
@@ -1509,7 +1510,16 @@ public class DefaultServlet extends HttpServlet {
             }
 
             // See https://www.rfc-editor.org/rfc/rfc9110.html#status.416
-            // No good reason for ranges to overlap so always reject
+            /*
+             * See https://www.rfc-editor.org/rfc/rfc9110.html#name-range and
+             * https://www.rfc-editor.org/rfc/rfc9110.html#status.416
+             *
+             * The server MAY ignore or reject Range headers with:
+             *
+             * - "Many" (undefined) small ranges not in ascending order - not 
currently enforced.
+             *
+             * - More than two overlapping ranges (enforced)
+             */
             for (long[] r : rangeContext) {
                 long s2 = r[0];
                 long e2 = r[1];
@@ -1519,10 +1529,13 @@ public class DefaultServlet extends HttpServlet {
                 // If not { s1>e2 || s2>e1 } then overlap
                 // De Morgan's law
                 if (currentRange.start <= e2 && s2 <= currentRange.end) {
-                    // isOverlap
-                    response.addHeader("Content-Range", "bytes */" + 
fileLength);
-                    
response.sendError(HttpServletResponse.SC_REQUESTED_RANGE_NOT_SATISFIABLE);
-                    return null;
+                    overlapCount++;
+                    // Off by one is deliberate. There is 1 more overlapping 
range than there are overlaps.
+                    if (overlapCount > 1) {
+                        response.addHeader("Content-Range", "bytes */" + 
fileLength);
+                        
response.sendError(HttpServletResponse.SC_REQUESTED_RANGE_NOT_SATISFIABLE);
+                        return null;
+                    }
                 }
             }
             rangeContext.add(new long[] { currentRange.start, currentRange.end 
});
diff --git 
a/test/org/apache/catalina/servlets/TestDefaultServletRangeRequests.java 
b/test/org/apache/catalina/servlets/TestDefaultServletRangeRequests.java
index ccd41fbc26..170787c06c 100644
--- a/test/org/apache/catalina/servlets/TestDefaultServletRangeRequests.java
+++ b/test/org/apache/catalina/servlets/TestDefaultServletRangeRequests.java
@@ -63,9 +63,12 @@ public class TestDefaultServletRangeRequests extends 
TomcatBaseTest {
         parameterSets.add(new Object[] { "bytes=b-10", null, 
Integer.valueOf(416), "", "*/" + len });
         // Invalid ranges (out of range)
         parameterSets.add(new Object[] { "bytes=1000-2000", null, 
Integer.valueOf(416), "", "*/" + len });
-        // Invalid overlapping ranges
-        parameterSets.add(new Object[] { "bytes=1-100, 30-50", null, 
Integer.valueOf(416), "", "*/" + len });
-        parameterSets.add(new Object[] { "bytes=1-100, 90-150", null, 
Integer.valueOf(416), "", "*/" + len });
+        // Valid overlapping ranges (up to 2)
+        parameterSets.add(new Object[] { "bytes=1-100, 30-50", null, 
Integer.valueOf(206), "", "30-50/" + len });
+        parameterSets.add(new Object[] { "bytes=1-100, 90-150", null, 
Integer.valueOf(206), "", "1-100/" + len });
+        // Invalid overlapping ranges (3 or more)
+        parameterSets.add(new Object[] { "bytes=1-100, 30-50, 10-20", null, 
Integer.valueOf(416), "", "*/" + len });
+        parameterSets.add(new Object[] { "bytes=1-100, 90-150, 10-20", null, 
Integer.valueOf(416), "", "*/" + len });
         // Invalid no equals
         parameterSets.add(new Object[] { "bytes 1-10", null, 
Integer.valueOf(416), "", "*/" + len });
         parameterSets.add(new Object[] { "bytes1-10", null, 
Integer.valueOf(416), "", "*/" + len });


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

(tomcat) branch 9.0.x updated: Allow two overlapping ranges but no more.

Reply via email to