svn commit: r1146703 - in /tomcat/tc6.0.x/trunk: ./ java/org/apache/catalina/connector/ java/org/apache/catalina/servlets/ java/org/apache/coyote/http11/ java/org/apache/tomcat/util/net/ webapps/docs/

Thu, 14 Jul 2011 06:39:09 -0700 

Author: markt
Date: Thu Jul 14 13:38:40 2011
New Revision: 1146703

URL: http://svn.apache.org/viewvc?rev=1146703&view=rev
Log:
Fix various sendfile issues.
This fixes CVE-2011-2526

Modified:
    tomcat/tc6.0.x/trunk/STATUS.txt
    
tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/LocalStrings.properties
    tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java
    tomcat/tc6.0.x/trunk/java/org/apache/catalina/servlets/DefaultServlet.java
    tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11AprProcessor.java
    tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/LocalStrings.properties
    tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
    tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java
    tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml

Modified: tomcat/tc6.0.x/trunk/STATUS.txt
URL: 
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=1146703&r1=1146702&r2=1146703&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/STATUS.txt (original)
+++ tomcat/tc6.0.x/trunk/STATUS.txt Thu Jul 14 13:38:40 2011
@@ -232,10 +232,3 @@ PATCHES PROPOSED TO BACKPORT:
   https://issues.apache.org/bugzilla/attachment.cgi?id=27280 (JMX)
   +1: kkolinko, markt, kfujino
   -1:
-
-* Fix various sendfile issues. CVE-2011-2526
-  This is a port of r1145380, r1145383, r1145489, r1145571, r1145694 and
-  r1146005
-  http://people.apache.org/~markt/patches/2011-07-13-cve-2011-2526-tc6.patch
-  +1: markt, jfclere, kfujino
-  -1:

Modified: 
tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/LocalStrings.properties
URL: 
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/LocalStrings.properties?rev=1146703&r1=1146702&r2=1146703&view=diff
==============================================================================
--- 
tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/LocalStrings.properties 
(original)
+++ 
tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/LocalStrings.properties 
Thu Jul 14 13:38:40 2011
@@ -62,6 +62,7 @@ coyoteRequest.parseParameters=Exception 
 coyoteRequest.postTooLarge=Parameters were not parsed because the size of the 
posted data was too big. Use the maxPostSize attribute of the connector to 
resolve this if the application should accept large POSTs.
 coyoteRequest.chunkedPostTooLarge=Parameters were not parsed because the size 
of the posted data was too big. Because this request was a chunked request, it 
could not be processed further. Use the maxPostSize attribute of the connector 
to resolve this if the application should accept large POSTs.
 coyoteRequest.sessionEndAccessFail=Exception triggered ending access to 
session while recycling request
+coyoteRequest.sendfileNotCanonical=Unable to determine canonical name of file 
[{0}] specified for use with sendfile
 
 requestFacade.nullRequest=The request object has been recycled and is no 
longer associated with this facade
 

Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java?rev=1146703&r1=1146702&r2=1146703&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java 
(original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java Thu 
Jul 14 13:38:40 2011
@@ -19,6 +19,7 @@
 package org.apache.catalina.connector;
 
 
+import java.io.File;
 import java.io.InputStream;
 import java.io.IOException;
 import java.io.BufferedReader;
@@ -1455,6 +1456,26 @@ public class Request
             return;
         }
 
+        // Do the security check before any updates are made
+        if (Globals.IS_SECURITY_ENABLED &&
+                name.equals("org.apache.tomcat.sendfile.filename")) {
+            // Use the canonical file name to avoid any possible symlink and
+            // relative path issues
+            String canonicalPath;
+            try {
+                canonicalPath = new File(value.toString()).getCanonicalPath();
+            } catch (IOException e) {
+                throw new SecurityException(sm.getString(
+                        "coyoteRequest.sendfileNotCanonical", value), e);
+            }
+            // Sendfile is performed in Tomcat's security context so need to
+            // check if the web app is permitted to access the file while still
+            // in the web app's security context
+            System.getSecurityManager().checkRead(canonicalPath);
+            // Update the value so the canonical path is used
+            value = canonicalPath;
+        }
+
         oldValue = attributes.put(name, value);
         if (oldValue != null) {
             replaced = true;

Modified: 
tomcat/tc6.0.x/trunk/java/org/apache/catalina/servlets/DefaultServlet.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/servlets/DefaultServlet.java?rev=1146703&r1=1146702&r2=1146703&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/servlets/DefaultServlet.java 
(original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/servlets/DefaultServlet.java 
Thu Jul 14 13:38:40 2011
@@ -1619,7 +1619,6 @@ public class DefaultServlet
                 request.setAttribute("org.apache.tomcat.sendfile.start", new 
Long(range.start));
                 request.setAttribute("org.apache.tomcat.sendfile.end", new 
Long(range.end + 1));
             }
-            request.setAttribute("org.apache.tomcat.sendfile.token", this);
             return true;
         } else {
             return false;

Modified: 
tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11AprProcessor.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11AprProcessor.java?rev=1146703&r1=1146702&r2=1146703&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11AprProcessor.java 
(original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11AprProcessor.java 
Thu Jul 14 13:38:40 2011
@@ -923,7 +923,18 @@ public class Http11AprProcessor implemen
                 sendfileData.socket = socket;
                 sendfileData.keepAlive = keepAlive;
                 if (!endpoint.getSendfile().add(sendfileData)) {
-                    openSocket = true;
+                    if (sendfileData.socket == 0) {
+                        // Didn't send all the data but the socket is no longer
+                        // set. Something went wrong. Close the connection.
+                        // Too late to set status code.
+                        if (log.isDebugEnabled()) {
+                            log.debug(sm.getString(
+                                    "http11processor.sendfile.error"));
+                        }
+                        error = true;
+                    } else {
+                        openSocket = true;
+                    }
                     break;
                 }
             }

Modified: 
tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/LocalStrings.properties
URL: 
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/LocalStrings.properties?rev=1146703&r1=1146702&r2=1146703&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/LocalStrings.properties 
(original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/LocalStrings.properties 
Thu Jul 14 13:38:40 2011
@@ -56,6 +56,7 @@ http11processor.response.finish=Error fi
 http11processor.socket.info=Exception getting socket information
 http11processor.socket.ssl=Exception getting SSL attributes
 http11processor.socket.timeout=Error setting socket timeout
+http11processor.sendfile.error=Error sending data using sendfile. May be 
caused by invalid request attributes for start/end points
 
 #
 # InternalInputBuffer

Modified: tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?rev=1146703&r1=1146702&r2=1146703&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java 
(original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java Thu 
Jul 14 13:38:40 2011
@@ -1822,7 +1822,9 @@ public class AprEndpoint {
                                                data.pos, data.end - data.pos, 
0);
                     if (nw < 0) {
                         if (!(-nw == Status.EAGAIN)) {
-                            destroySocket(data.socket);
+                            Pool.destroy(data.fdpool);
+                            // No need to close socket, this will be done by
+                            // calling code since data.socket == 0
                             data.socket = 0;
                             return false;
                         } else {

Modified: tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java?rev=1146703&r1=1146702&r2=1146703&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java 
(original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java Thu 
Jul 14 13:38:40 2011
@@ -1734,6 +1734,13 @@ public class NioEndpoint {
                         sd.pos += written;
                         sd.length -= written;
                         attachment.access();
+                    } else {
+                        // Unusual not to be able to transfer any bytes
+                        // Check the length was set correctly
+                        if (sd.fchannel.size() <= sd.pos) {
+                            throw new IOException("Sendfile configured to " +
+                                    "send more data than was available");
+                        }
                     }
                 }
                 if ( sd.length <= 0 && sc.getOutboundRemaining()<=0) {
@@ -1758,6 +1765,7 @@ public class NioEndpoint {
                             log.debug("Send file connection is being closed");
                         }
                         cancelledKey(sk,SocketStatus.STOP,false);
+                        return false;
                     }
                 } else if ( attachment.interestOps() == 0 && reg ) {
                     if (log.isDebugEnabled()) {

Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=1146703&r1=1146702&r2=1146703&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Thu Jul 14 13:38:40 2011
@@ -170,6 +170,15 @@
         if it is configured for SSL and an invalid value is provided for
         SSLProtocol. (markt)
       </fix>
+      <fix>
+        Fix CVE 2011-2526. Protect against infinite loops (HTTP NIO) and 
crashes
+        (HTTP APR) if sendfile is configured to send more data than is 
available
+        in the file. (markt)
+      </fix>
+      <fix>
+        Prevent NPEs when a socket is closed in non-error conditions after
+        sendfile processing when using the HTTP NIO connector. (markt) 
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Jasper">



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Reply via email to