Author: kkolinko
Date: Wed Jan 9 12:08:01 2013
New Revision: 1430812
URL: http://svn.apache.org/viewvc?rev=1430812&view=rev
Log:
Merged revisions r1430799 r1430809 from tomcat/trunk:
Avoid ArrayIndexOutOfBoundsException in HttpParser on incorrect input.
Inspired by o.a.t.util.buf.HexUtils.getDec()
Also moved changelog entry for BZ 54390 into a different section.
Modified:
tomcat/tc7.0.x/trunk/ (props changed)
tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/http/parser/HttpParser.java
tomcat/tc7.0.x/trunk/test/org/apache/tomcat/util/http/parser/TestAuthorizationDigest.java
tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
Propchange: tomcat/tc7.0.x/trunk/
------------------------------------------------------------------------------
Merged /tomcat/trunk:r1430799,1430809
Modified:
tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/http/parser/HttpParser.java
URL:
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/http/parser/HttpParser.java?rev=1430812&r1=1430811&r2=1430812&view=diff
==============================================================================
---
tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/http/parser/HttpParser.java
(original)
+++
tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/http/parser/HttpParser.java
Wed Jan 9 12:08:01 2013
@@ -53,6 +53,7 @@ public class HttpParser {
private static final Map<String,Integer> fieldTypes =
new HashMap<String,Integer>();
+ // Arrays used by isToken(), isHex()
private static final boolean isToken[] = new boolean[128];
private static final boolean isHex[] = new boolean[128];
@@ -240,6 +241,24 @@ public class HttpParser {
return result.toString();
}
+ private static boolean isToken(int c) {
+ // Fast for correct values, slower for incorrect ones
+ try {
+ return isToken[c];
+ } catch (ArrayIndexOutOfBoundsException ex) {
+ return false;
+ }
+ }
+
+ private static boolean isHex(int c) {
+ // Fast for correct values, slower for incorrect ones
+ try {
+ return isHex[c];
+ } catch (ArrayIndexOutOfBoundsException ex) {
+ return false;
+ }
+ }
+
private static SkipConstantResult skipConstant(StringReader input,
String constant) throws IOException {
int len = constant.length();
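Review bot: isToken(int) and isHex(int) use ArrayIndexOutOfBoundsException as their bounds check, which turns every out-of-range character in a malformed header into an exception construction plus stack-trace capture before the parse is rejected, and the "slower for incorrect ones" comment documents that cost rather than avoiding it. An explicit range test is equally fast for valid input and constant cost for invalid input: `return c >= 0 && c < isToken.length && isToken[c];` in isToken and `return c >= 0 && c < isHex.length && isHex[c];` in isHex. The visible callers only reach these after a `c != -1` check, so the `c >= 0` part is a cheap safeguard rather than a required guard; if the try/catch form is kept instead, the unused exception variable should be named `ignored` with a comment stating that out-of-range characters are deliberately mapped to false.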
@@ -279,7 +298,7 @@ public class HttpParser {
c = input.read();
}
- while (c != -1 && isToken[c]) {
+ while (c != -1 && isToken(c)) {
result.append((char) c);
c = input.read();
}
@@ -383,7 +402,7 @@ public class HttpParser {
}
c = input.read();
- while (c != -1 && isToken[c]) {
+ while (c != -1 && isToken(c)) {
result.append((char) c);
c = input.read();
}
@@ -421,7 +440,7 @@ public class HttpParser {
c = input.read();
}
- while (c != -1 && isHex[c]) {
+ while (c != -1 && isHex(c)) {
result.append((char) c);
c = input.read();
}
Modified:
tomcat/tc7.0.x/trunk/test/org/apache/tomcat/util/http/parser/TestAuthorizationDigest.java
URL:
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/test/org/apache/tomcat/util/http/parser/TestAuthorizationDigest.java?rev=1430812&r1=1430811&r2=1430812&view=diff
==============================================================================
---
tomcat/tc7.0.x/trunk/test/org/apache/tomcat/util/http/parser/TestAuthorizationDigest.java
(original)
+++
tomcat/tc7.0.x/trunk/test/org/apache/tomcat/util/http/parser/TestAuthorizationDigest.java
Wed Jan 9 12:08:01 2013
@@ -196,6 +196,16 @@ public class TestAuthorizationDigest {
}
@Test
+ public void testQuotedNonTokenQop2() throws Exception {
+ String header = "Digest qop=\"{auth\"";
+
+ StringReader input = new StringReader(header);
+
+ Map<String,String> result = HttpParser.parseAuthorizationDigest(input);
+ Assert.assertNull(result);
+ }
+
+ @Test
public void testUnclosedQuotedTokenQop() throws Exception {
String header = "Digest qop=\"auth";
@@ -204,4 +214,34 @@ public class TestAuthorizationDigest {
Map<String,String> result = HttpParser.parseAuthorizationDigest(input);
Assert.assertNull(result);
}
+
+ @Test
+ public void testWrongCharacterInToken() throws Exception {
+ String header = "Digest \u044f";
+
+ StringReader input = new StringReader(header);
+
+ Map<String,String> result = HttpParser.parseAuthorizationDigest(input);
+ Assert.assertNull(result);
+ }
+
+ @Test
+ public void testWrongCharacterInQuotedToken() throws Exception {
+ String header = "Digest qop=\"\u044f\"";
+
+ StringReader input = new StringReader(header);
+
+ Map<String,String> result = HttpParser.parseAuthorizationDigest(input);
+ Assert.assertNull(result);
+ }
+
+ @Test
+ public void testWrongCharacterInHex() throws Exception {
+ String header = "Digest nc=\u044f";
+
+ StringReader input = new StringReader(header);
+
+ Map<String,String> result = HttpParser.parseAuthorizationDigest(input);
+ Assert.assertNull(result);
+ }
}
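Review bot: The three new tests (testWrongCharacterInToken, testWrongCharacterInQuotedToken, testWrongCharacterInHex) all use \u044f, which is far above the 128-entry lookup tables, so none of them pins the boundary at which isToken()/isHex() start returning false. A copy of testWrongCharacterInToken with `String header = "Digest \u0080";` (the first code point outside the table) would catch an off-by-one if that range check is later rewritten as an explicit comparison. The test class ends at the hunk's final line.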
Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1430812&r1=1430811&r2=1430812&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Wed Jan 9 12:08:01 2013
@@ -130,8 +130,8 @@
SSI directive is present. (markt)
</fix>
<fix>
- <bug>54390</bug> Use 'java_home' on Mac OS X to auto-detect JAVA_HOME.
- (schultz)
+ Fix <code>ArrayIndexOutOfBoundsException</code> in
+ <code>HttpParser</code> when parsing incorrect HTTP headers. (kkolinko)
</fix>
<fix>
<bug>54391</bug>: Provide a value for the
@@ -179,6 +179,14 @@
</fix>
</changelog>
</subsection>
+ <subsection name="Other">
+ <changelog>
+ <fix>
+ <bug>54390</bug>: Use 'java_home' on Mac OS X to auto-detect JAVA_HOME.
+ (schultz)
+ </fix>
+ </changelog>
+ </subsection>
</section>
<section name="Tomcat 7.0.34 (markt)" rtext="2012-12-12">
<subsection name="Catalina">