Author: markt
Date: Mon Aug 29 19:45:52 2011
New Revision: 1162960
URL: http://svn.apache.org/viewvc?rev=1162960&view=rev
Log:
Fix CVE-2011-3190
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=51698
Prevent AJP request forgery via unread request body packet
Modified:
tomcat/tc5.5.x/trunk/connectors/jk/java/org/apache/coyote/ajp/AjpAprProcessor.java
tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml
Modified:
tomcat/tc5.5.x/trunk/connectors/jk/java/org/apache/coyote/ajp/AjpAprProcessor.java
URL:
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/connectors/jk/java/org/apache/coyote/ajp/AjpAprProcessor.java?rev=1162960&r1=1162959&r2=1162960&view=diff
==============================================================================
---
tomcat/tc5.5.x/trunk/connectors/jk/java/org/apache/coyote/ajp/AjpAprProcessor.java
(original)
+++
tomcat/tc5.5.x/trunk/connectors/jk/java/org/apache/coyote/ajp/AjpAprProcessor.java
Mon Aug 29 19:45:52 2011
@@ -404,11 +404,13 @@ public class AjpAprProcessor implements
}
continue;
} else if(type != Constants.JK_AJP13_FORWARD_REQUEST) {
- // Usually the servlet didn't read the previous request
body
- if(log.isDebugEnabled()) {
- log.debug("Unexpected message: "+type);
+ // Unexpected packet type. Unread body packets should have
+ // been swallowed in finish().
+ if (log.isDebugEnabled()) {
+ log.debug("Unexpected message: " + type);
}
- continue;
+ error = true;
+ break;
}
keptAlive = true;
@@ -1033,6 +1035,11 @@ public class AjpAprProcessor implements
finished = true;
+ // Swallow the unread body packet if present
+ if (first && request.getContentLengthLong() > 0) {
+ receive();
+ }
+
// Add the end message
if (outputBuffer.position() + endMessageArray.length >
outputBuffer.capacity()) {
flush();
Modified: tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml?rev=1162960&r1=1162959&r2=1162960&view=diff
==============================================================================
--- tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml (original)
+++ tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml Mon Aug 29
19:45:52 2011
@@ -125,6 +125,10 @@
if it is configured for SSL and an invalid value is provided for
SSLProtocol. (markt)
</fix>
+ <fix>
+ <bug>51698</bug>: Fix CVE-2011-3190. Prevent AJP message injection.
+ (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Jasper">
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
