Author: markt Date: Thu Feb 6 11:08:00 2014 New Revision: 1565163 URL: http://svn.apache.org/r1565163 Log: Fix CVE-2014-0050 DoS with malformed Content-Type header and multipart request processing. Update to latest code (r1565159) from Commons FileUpload
Modified: tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/ (props changed) tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java tomcat/trunk/webapps/docs/changelog.xml Propchange: tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/ ------------------------------------------------------------------------------ Merged /commons/proper/fileupload/trunk/src/main/java/org/apache/commons/fileupload:r1513135-1565159 Modified: tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java?rev=1565163&r1=1565162&r2=1565163&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java (original) +++ tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java Thu Feb 6 11:08:00 2014 @@ -799,7 +799,7 @@ public abstract class FileUploadBase { || (!contentType.toLowerCase(Locale.ENGLISH).startsWith(MULTIPART))) { throw new InvalidContentTypeException(String.format( "the request doesn't contain a %s or %s stream, content type header is %s", - MULTIPART_FORM_DATA, MULTIPART_FORM_DATA, contentType)); + MULTIPART_FORM_DATA, MULTIPART_MIXED, contentType)); } InputStream input = ctx.getInputStream(); @@ -810,8 +810,7 @@ public abstract class FileUploadBase { if (requestSize != -1 && requestSize > sizeMax) { throw new SizeLimitExceededException(String.format( "the request was rejected because its size (%s) exceeds the configured maximum (%s)", - Long.valueOf(requestSize), - Long.valueOf(sizeMax)), + Long.valueOf(requestSize), Long.valueOf(sizeMax)), requestSize, sizeMax); } input = new LimitedInputStream(input, sizeMax) { 
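Review bot: In the first FileUploadBase hunk, the corrected `String.format` call still places the raw `contentType` value in the InvalidContentTypeException message. That value is the request's Content-Type header, so the client chooses its length and content, including any control characters. Where the message is consumed is outside the hunk, so whether it is logged or rendered is an open question. I would add `// contentType is client-supplied; encode and length-limit it before logging or rendering this message` above the throw, or cap the value before formatting it.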
@@ -838,7 +837,13 @@ public abstract class FileUploadBase { } notifier = new MultipartStream.ProgressNotifier(listener, requestSize); - multi = new MultipartStream(input, boundary, notifier); + try { + multi = new MultipartStream(input, boundary, notifier); + } catch (IllegalArgumentException iae) { + throw new InvalidContentTypeException(String.format( + "The boundary specified in the %s header is too long", + CONTENT_TYPE), iae); + } multi.setHeaderEncoding(charEncoding); skipPreamble = true; @@ -1016,7 +1021,7 @@ public abstract class FileUploadBase { * detail message. */ public InvalidContentTypeException() { - // Nothing to do. + super(); } /** @@ -1029,6 +1034,9 @@ public abstract class FileUploadBase { super(message); } + public InvalidContentTypeException(String msg, Throwable cause) { + super(msg, cause); + } } /** Modified: tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java?rev=1565163&r1=1565162&r2=1565163&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java (original) +++ tomcat/trunk/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java Thu Feb 6 11:08:00 2014 @@ -276,8 +276,7 @@ public class MultipartStream { * @param pNotifier The notifier, which is used for calling the * progress listener, if any. * - * @see #MultipartStream(InputStream, byte[], - * MultipartStream.ProgressNotifier) + * @throws IllegalArgumentException If the buffer size is too small */ public MultipartStream(InputStream input, byte[] boundary, 
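Review bot: The new catch around `new MultipartStream(input, boundary, notifier)` reports every IllegalArgumentException as an over-long boundary. The constructor changed in this commit words the same condition as "The buffer size specified for the MultipartStream is too small", so the translation is only right while that is the sole IllegalArgumentException the constructor can raise. Including the received length would make a rejected request easier to triage, for example `"The boundary specified in the %s header is too long (%s bytes)", CONTENT_TYPE, Integer.valueOf(boundary.length)`. No test is part of this revision; one that submits a boundary longer than the stream buffer and expects InvalidContentTypeException would pin the CVE-2014-0050 fix. The enclosing method begins and ends outside the hunk.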
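Review bot: The added `InvalidContentTypeException(String msg, Throwable cause)` constructor has no Javadoc, while the constructors around it in this hunk's context are documented. I would add a short comment stating that it builds the exception with a detail message and a cause, with `@param msg The detail message.` and `@param cause The exception that triggered this one.` The sibling constructor calls `super(message)`, so naming the parameter `message` here would keep the class consistent.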
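Review bot: The new `@throws IllegalArgumentException If the buffer size is too small` line in the MultipartStream Javadoc does not say what the minimum is. The check added in the next hunk is `bufSize < this.boundaryLength + 1`, so the tag can state it directly: `@throws IllegalArgumentException If bufSize is less than boundary.length + BOUNDARY_PREFIX.length + 1`. Callers that choose their own buffer size then know the constraint without reading the constructor body.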
@@ -290,9 +289,14 @@ public class MultipartStream { // We prepend CR/LF to the boundary to chop trailing CR/LF from // body-data tokens. - this.boundary = new byte[boundary.length + BOUNDARY_PREFIX.length]; this.boundaryLength = boundary.length + BOUNDARY_PREFIX.length; + if (bufSize < this.boundaryLength + 1) { + throw new IllegalArgumentException( + "The buffer size specified for the MultipartStream is too small"); + } + this.boundary = new byte[this.boundaryLength]; this.keepRegion = this.boundary.length; + System.arraycopy(BOUNDARY_PREFIX, 0, this.boundary, 0, BOUNDARY_PREFIX.length); System.arraycopy(boundary, 0, this.boundary, BOUNDARY_PREFIX.length, @@ -311,8 +315,7 @@ public class MultipartStream { * @param pNotifier An object for calling the progress listener, if any. * * - * @see #MultipartStream(InputStream, byte[], int, - * MultipartStream.ProgressNotifier) + * @see #MultipartStream(InputStream, byte[], int, ProgressNotifier) */ MultipartStream(InputStream input, byte[] boundary, Modified: tomcat/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1565163&r1=1565162&r2=1565163&view=diff ============================================================================== --- tomcat/trunk/webapps/docs/changelog.xml (original) +++ tomcat/trunk/webapps/docs/changelog.xml Thu Feb 6 11:08:00 2014 @@ -106,6 +106,11 @@ <update> Update Commons DBCP 2 to snapshot 164 dated 04 Feb 2014. (markt) </update> + <fix> + Fix CVE-2014-0050, a denial of service with a malicious, malformed + Content-Type header and multipart request processing. Fixed by merging + latest code (r1565159) from Commons FileUpload. (markt) + </fix> </changelog> </subsection> </section> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
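Review bot: The new guard in the MultipartStream constructor throws with a fixed message that gives neither `bufSize` nor the required minimum, so the FileUploadBase caller can only guess which input was wrong. I would format both values into it, for example `String.format("The buffer size (%s) is smaller than the boundary length plus one (%s)", Integer.valueOf(bufSize), Integer.valueOf(this.boundaryLength + 1))`. `boundary.length` is also dereferenced before any visible null check, so a null boundary would surface as a NullPointerException that the new catch in FileUploadBase does not translate. The constructor begins outside the hunk and may already check this; if it does not, a leading `if (boundary == null) { throw new IllegalArgumentException("boundary may not be null"); }` keeps the failure on the same path.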