Author: kkolinko
Date: Wed Jan 9 11:41:18 2013
New Revision: 1430799
URL: http://svn.apache.org/viewvc?rev=1430799&view=rev
Log:
Avoid ArrayIndexOutOfBoundsException in HttpParser on incorrect input.
Inspired by o.a.t.util.buf.HexUtils.getDec()
Modified:
tomcat/trunk/java/org/apache/tomcat/util/http/parser/HttpParser.java
tomcat/trunk/test/org/apache/tomcat/util/http/parser/TestAuthorizationDigest.java
Modified: tomcat/trunk/java/org/apache/tomcat/util/http/parser/HttpParser.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/http/parser/HttpParser.java?rev=1430799&r1=1430798&r2=1430799&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/http/parser/HttpParser.java
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/http/parser/HttpParser.java Wed
Jan 9 11:41:18 2013
@@ -52,6 +52,7 @@ public class HttpParser {
private static final Map<String,Integer> fieldTypes = new HashMap<>();
+ // Arrays used by isToken(), isHex()
private static final boolean isToken[] = new boolean[128];
private static final boolean isHex[] = new boolean[128];
@@ -238,6 +239,24 @@ public class HttpParser {
return result.toString();
}
+ private static boolean isToken(int c) {
+ // Fast for correct values, slower for incorrect ones
+ try {
+ return isToken[c];
+ } catch (ArrayIndexOutOfBoundsException ex) {
+ return false;
+ }
+ }
+
+ private static boolean isHex(int c) {
+ // Fast for correct values, slower for incorrect ones
+ try {
+ return isHex[c];
+ } catch (ArrayIndexOutOfBoundsException ex) {
+ return false;
+ }
+ }
+
private static SkipConstantResult skipConstant(StringReader input,
String constant) throws IOException {
int len = constant.length();
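Review bot: The new isToken(int) and isHex(int) helpers use a caught ArrayIndexOutOfBoundsException as their out-of-range path, so each character above 127 in what is presumably a client-supplied Authorization header is handled by throwing and catching rather than by a comparison. Because the client controls this input, an explicit range check keeps the malformed-input path as cheap as the valid one and also handles negative values without depending on the callers' `c != -1` test: `return c >= 0 && c < isToken.length && isToken[c];` and likewise `return c >= 0 && c < isHex.length && isHex[c];`. The helpers also share their names with the arrays they index, which compiles but is easy to misread at the call sites; a one-line Javadoc on each stating that any value outside the table yields false would make the contract explicit. The hunk ends inside skipConstant, whose body continues outside it.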
@@ -277,7 +296,7 @@ public class HttpParser {
c = input.read();
}
- while (c != -1 && isToken[c]) {
+ while (c != -1 && isToken(c)) {
result.append((char) c);
c = input.read();
}
@@ -381,7 +400,7 @@ public class HttpParser {
}
c = input.read();
- while (c != -1 && isToken[c]) {
+ while (c != -1 && isToken(c)) {
result.append((char) c);
c = input.read();
}
@@ -419,7 +438,7 @@ public class HttpParser {
c = input.read();
}
- while (c != -1 && isHex[c]) {
+ while (c != -1 && isHex(c)) {
result.append((char) c);
c = input.read();
}
Modified:
tomcat/trunk/test/org/apache/tomcat/util/http/parser/TestAuthorizationDigest.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/tomcat/util/http/parser/TestAuthorizationDigest.java?rev=1430799&r1=1430798&r2=1430799&view=diff
==============================================================================
---
tomcat/trunk/test/org/apache/tomcat/util/http/parser/TestAuthorizationDigest.java
(original)
+++
tomcat/trunk/test/org/apache/tomcat/util/http/parser/TestAuthorizationDigest.java
Wed Jan 9 11:41:18 2013
@@ -196,6 +196,16 @@ public class TestAuthorizationDigest {
}
@Test
+ public void testQuotedNonTokenQop2() throws Exception {
+ String header = "Digest qop=\"{auth\"";
+
+ StringReader input = new StringReader(header);
+
+ Map<String,String> result = HttpParser.parseAuthorizationDigest(input);
+ Assert.assertNull(result);
+ }
+
+ @Test
public void testUnclosedQuotedTokenQop() throws Exception {
String header = "Digest qop=\"auth";
@@ -204,4 +214,34 @@ public class TestAuthorizationDigest {
Map<String,String> result = HttpParser.parseAuthorizationDigest(input);
Assert.assertNull(result);
}
+
+ @Test
+ public void testWrongCharacterInToken() throws Exception {
+ String header = "Digest \u044f";
+
+ StringReader input = new StringReader(header);
+
+ Map<String,String> result = HttpParser.parseAuthorizationDigest(input);
+ Assert.assertNull(result);
+ }
+
+ @Test
+ public void testWrongCharacterInQuotedToken() throws Exception {
+ String header = "Digest qop=\"\u044f\"";
+
+ StringReader input = new StringReader(header);
+
+ Map<String,String> result = HttpParser.parseAuthorizationDigest(input);
+ Assert.assertNull(result);
+ }
+
+ @Test
+ public void testWrongCharacterInHex() throws Exception {
+ String header = "Digest nc=\u044f";
+
+ StringReader input = new StringReader(header);
+
+ Map<String,String> result = HttpParser.parseAuthorizationDigest(input);
+ Assert.assertNull(result);
+ }
}
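Review bot: The three tests added here all use U+044F, which lies far beyond the 128-entry lookup tables, so the edge of the tables is never exercised. A case with the first out-of-range value, for example `String header = "Digest nc=\u0080";` with the same `Assert.assertNull(result)` check, would pin the boundary and catch an off-by-one if the helpers are later rewritten with an explicit bounds comparison. The enclosing test class begins outside this hunk.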