Author: markt Date: Mon Aug 29 19:45:42 2011 New Revision: 1162959 URL: http://svn.apache.org/viewvc?rev=1162959&view=rev Log: Fix CVE-2011-3190 Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=51698 Prevent AJP request forgery via unread request body packet
Modified: tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpAprProcessor.java tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpProcessor.java tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
Modified: tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpAprProcessor.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpAprProcessor.java?rev=1162959&r1=1162958&r2=1162959&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpAprProcessor.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpAprProcessor.java Mon Aug 29 19:45:42 2011
@@ -405,11 +405,13 @@ public class AjpAprProcessor implements
 }
 continue;
 } else if(type != Constants.JK_AJP13_FORWARD_REQUEST) {
- // Usually the servlet didn't read the previous request body
- if(log.isDebugEnabled()) {
- log.debug("Unexpected message: "+type);
+ // Unexpected packet type. Unread body packets should have
+ // been swallowed in finish().
+ if (log.isDebugEnabled()) {
+ log.debug("Unexpected message: " + type);
 }
- continue;
+ error = true;
+ break;
 }

 keptAlive = true;
@@ -1056,6 +1058,11 @@ public class AjpAprProcessor implements

 finished = true;

+ // Swallow the unread body packet if present
+ if (first && request.getContentLengthLong() > 0) {
+ receive();
+ }
+
 // Add the end message
 if (outputBuffer.position() + endMessageArray.length > outputBuffer.capacity()) {
 flush();
Modified: tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpProcessor.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpProcessor.java?rev=1162959&r1=1162958&r2=1162959&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpProcessor.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpProcessor.java Mon Aug 29 19:45:42 2011
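Review bot: The unexpected-packet branch in the @@ -405 hunk still reports only at debug level (`log.debug("Unexpected message: " + type)`), although it now sets `error = true` and leaves the loop. The commit log ties this path to forged requests arriving as unread body packets, so a connection that reaches it is out of sync or hostile, and a deployment that does not enable debug logging would record nothing. Assuming `log` offers a warn level, I would report it unconditionally, e.g. `log.warn("Unexpected message: " + type);`; the same applies to the identical @@ -423 hunk in AjpProcessor.java. The enclosing method starts and ends outside the hunk, so whether the error is reported elsewhere after the `break` cannot be seen here.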
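Review bot: The swallow added to finish() in the @@ -1056 hunk calls `receive()` exactly once, ignores its outcome, and is skipped whenever `request.getContentLengthLong()` is not positive. The hunk does not show what receive() returns or how a body without a declared length is handled, so it is worth confirming that a failed or short read cannot leave a body packet queued on the connection. I would also state the assumption in the comment, e.g. `// The first body packet arrives unsolicited when Content-Length > 0; consume it so it is never parsed as the next request`. The new `error = true; break;` in the request loop is the backstop if this read misses, so the two changes should stay together. The same point holds for the @@ -1061 hunk in AjpProcessor.java; finish() begins and ends outside both hunks.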
@@ -423,11 +423,13 @@ public class AjpProcessor implements Act
 }
 continue;
 } else if(type != Constants.JK_AJP13_FORWARD_REQUEST) {
- // Usually the servlet didn't read the previous request body
- if(log.isDebugEnabled()) {
- log.debug("Unexpected message: "+type);
+ // Unexpected packet type. Unread body packets should have
+ // been swallowed in finish().
+ if (log.isDebugEnabled()) {
+ log.debug("Unexpected message: " + type);
 }
- continue;
+ error = true;
+ break;
 }

 request.setStartTime(System.currentTimeMillis());
@@ -1061,6 +1063,11 @@ public class AjpProcessor implements Act

 finished = true;

+ // Swallow the unread body packet if present
+ if (first && request.getContentLengthLong() > 0) {
+ receive();
+ }
+
 // Add the end message
 output.write(endMessageArray);

Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=1162959&r1=1162958&r2=1162959&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Mon Aug 29 19:45:42 2011
@@ -52,6 +52,14 @@
 </fix>
 </changelog>
 </subsection>
+ <subsection name="Coyote">
+ <changelog>
+ <fix>
+ <bug>51698</bug>: Fix CVE-2011-3190. Prevent AJP message injection.
+ (markt)
+ </fix>
+ </changelog>
+ </subsection>
 </section>
 <section name="Tomcat 6.0.33 (jfclere)" rtext="released 2011-08-18">
 <subsection name="Catalina">
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org