Author: markt
Date: Mon Aug 29 19:45:13 2011
New Revision: 1162958

URL: http://svn.apache.org/viewvc?rev=1162958&view=rev
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=51698
Fix CVE-2011-3190
Prevent AJP request forgery via unread request body packet

Modified:
    tomcat/tc7.0.x/trunk/java/org/apache/coyote/ajp/AbstractAjpProcessor.java
    tomcat/tc7.0.x/trunk/java/org/apache/coyote/ajp/AjpAprProcessor.java
    tomcat/tc7.0.x/trunk/java/org/apache/coyote/ajp/AjpNioProcessor.java
    tomcat/tc7.0.x/trunk/java/org/apache/coyote/ajp/AjpProcessor.java
    tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml

Modified: 
tomcat/tc7.0.x/trunk/java/org/apache/coyote/ajp/AbstractAjpProcessor.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/coyote/ajp/AbstractAjpProcessor.java?rev=1162958&r1=1162957&r2=1162958&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/coyote/ajp/AbstractAjpProcessor.java 
(original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/coyote/ajp/AbstractAjpProcessor.java 
Mon Aug 29 19:45:13 2011
@@ -985,6 +985,11 @@ public abstract class AbstractAjpProcess
 
         finished = true;
 
+        // Swallow the unread body packet if present
+        if (first && request.getContentLengthLong() > 0) {
+            receive();
+        }
+
         // Add the end message
         if (error) {
             output(endAndCloseMessageArray, 0, endAndCloseMessageArray.length);
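Review bot: The new comment above `if (first && request.getContentLengthLong() > 0)` records what the block does but not why it is safety-critical, so a later cleanup could remove the read as apparently dead work. I would spell out the reason given in the commit log, e.g. `// Swallow the unread first body packet; left on a kept-alive connection it would be parsed as the next request (CVE-2011-3190)`. The guard only covers requests that declare a positive content length, so it is worth confirming that no other request shape can leave an unsolicited body packet unread; the error-and-break branch added in the processors appears to be the backstop for that case. The enclosing method starts and ends outside this hunk.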

Modified: tomcat/tc7.0.x/trunk/java/org/apache/coyote/ajp/AjpAprProcessor.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/coyote/ajp/AjpAprProcessor.java?rev=1162958&r1=1162957&r2=1162958&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/coyote/ajp/AjpAprProcessor.java 
(original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/coyote/ajp/AjpAprProcessor.java Mon 
Aug 29 19:45:13 2011
@@ -140,11 +140,13 @@ public class AjpAprProcessor extends Abs
                     }
                     continue;
                 } else if(type != Constants.JK_AJP13_FORWARD_REQUEST) {
-                    // Usually the servlet didn't read the previous request 
body
-                    if(log.isDebugEnabled()) {
-                        log.debug("Unexpected message: "+type);
+                    // Unexpected packet type. Unread body packets should have
+                    // been swallowed in finish().
+                    if (log.isDebugEnabled()) {
+                        log.debug("Unexpected message: " + type);
                     }
-                    continue;
+                    error = true;
+                    break;
                 }
 
                 keptAlive = true;
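Review bot: In the `type != Constants.JK_AJP13_FORWARD_REQUEST` branch the unexpected packet is still logged only under `log.isDebugEnabled()`, although after this change it ends the connection and may indicate a desynchronised or forged AJP stream. With debug logging off, as is usual in production, operators get no record that a connection was dropped for this reason. I would log it at a higher level, e.g. `log.warn("Unexpected message: " + type);`, in this hunk and in the matching hunks of AjpNioProcessor.java and AjpProcessor.java. The surrounding loop starts and ends outside the hunk.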

Modified: tomcat/tc7.0.x/trunk/java/org/apache/coyote/ajp/AjpNioProcessor.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/coyote/ajp/AjpNioProcessor.java?rev=1162958&r1=1162957&r2=1162958&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/coyote/ajp/AjpNioProcessor.java 
(original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/coyote/ajp/AjpNioProcessor.java Mon 
Aug 29 19:45:13 2011
@@ -126,12 +126,14 @@ public class AjpNioProcessor extends Abs
                     recycle(false);
                     continue;
                 } else if(type != Constants.JK_AJP13_FORWARD_REQUEST) {
-                    // Usually the servlet didn't read the previous request 
body
-                    if(log.isDebugEnabled()) {
-                        log.debug("Unexpected message: "+type);
+                    // Unexpected packet type. Unread body packets should have
+                    // been swallowed in finish().
+                    if (log.isDebugEnabled()) {
+                        log.debug("Unexpected message: " + type);
                     }
+                    error = true;
                     recycle(true);
-                    continue;
+                    break;
                 }
                 request.setStartTime(System.currentTimeMillis());
             } catch (IOException e) {

Modified: tomcat/tc7.0.x/trunk/java/org/apache/coyote/ajp/AjpProcessor.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/coyote/ajp/AjpProcessor.java?rev=1162958&r1=1162957&r2=1162958&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/coyote/ajp/AjpProcessor.java (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/coyote/ajp/AjpProcessor.java Mon Aug 
29 19:45:13 2011
@@ -143,13 +143,14 @@ public class AjpProcessor extends Abstra
                     }
                     continue;
                 } else if(type != Constants.JK_AJP13_FORWARD_REQUEST) {
-                    // Usually the servlet didn't read the previous request 
body
-                    if(log.isDebugEnabled()) {
-                        log.debug("Unexpected message: "+type);
+                    // Unexpected packet type. Unread body packets should have
+                    // been swallowed in finish().
+                    if (log.isDebugEnabled()) {
+                        log.debug("Unexpected message: " + type);
                     }
-                    continue;
+                    error = true;
+                    break;
                 }
-
                 request.setStartTime(System.currentTimeMillis());
             } catch (IOException e) {
                 error = true;

Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1162958&r1=1162957&r2=1162958&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Mon Aug 29 19:45:13 2011
@@ -131,6 +131,10 @@
         Detect incomplete AJP messages and reject the associated request if one
         is found. (markt) 
       </add>
+      <fix>
+        <bug>51698</bug>: Fix CVE-2011-3190. Prevent AJP message injection.
+        (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Jasper">


