|
 |
1af9a1 |
--- java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java.orig 2014-03-17 18:30:01.467636000 -0400
|
|
|
1af9a1 |
+++ java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java 2014-03-17 18:37:43.992207000 -0400
|
|
|
1af9a1 |
@@ -805,7 +805,7 @@
|
|
|
1af9a1 |
|| (!contentType.toLowerCase(Locale.ENGLISH).startsWith(MULTIPART))) {
|
|
|
1af9a1 |
throw new InvalidContentTypeException(String.format(
|
|
|
1af9a1 |
"the request doesn't contain a %s or %s stream, content type header is %s",
|
|
|
1af9a1 |
- MULTIPART_FORM_DATA, MULTIPART_FORM_DATA, contentType));
|
|
|
1af9a1 |
+ MULTIPART_FORM_DATA, MULTIPART_MIXED, contentType));
|
|
|
1af9a1 |
}
|
|
|
1af9a1 |
|
|
|
1af9a1 |
InputStream input = ctx.getInputStream();
|
|
|
1af9a1 |
@@ -816,8 +816,7 @@
|
|
|
1af9a1 |
if (requestSize != -1 && requestSize > sizeMax) {
|
|
|
1af9a1 |
throw new SizeLimitExceededException(String.format(
|
|
|
1af9a1 |
"the request was rejected because its size (%s) exceeds the configured maximum (%s)",
|
|
|
1af9a1 |
- Long.valueOf(requestSize),
|
|
|
1af9a1 |
- Long.valueOf(sizeMax)),
|
|
|
1af9a1 |
+ Long.valueOf(requestSize), Long.valueOf(sizeMax)),
|
|
|
1af9a1 |
requestSize, sizeMax);
|
|
|
1af9a1 |
}
|
|
|
1af9a1 |
input = new LimitedInputStream(input, sizeMax) {
|
|
|
1af9a1 |
@@ -844,7 +843,14 @@
|
|
|
1af9a1 |
}
|
|
|
1af9a1 |
|
|
|
1af9a1 |
notifier = new MultipartStream.ProgressNotifier(listener, requestSize);
|
|
|
1af9a1 |
- multi = new MultipartStream(input, boundary, notifier);
|
|
|
1af9a1 |
+ try {
|
|
|
1af9a1 |
+ multi = new MultipartStream(input, boundary, notifier);
|
|
|
1af9a1 |
+ } catch (IllegalArgumentException iae) {
|
|
|
1af9a1 |
+ throw new InvalidContentTypeException(String.format(
|
|
|
1af9a1 |
+ "The boundary specified in the %s header is too long",
|
|
|
1af9a1 |
+ CONTENT_TYPE), iae);
|
|
|
1af9a1 |
+ }
|
|
|
1af9a1 |
+
|
|
|
1af9a1 |
multi.setHeaderEncoding(charEncoding);
|
|
|
1af9a1 |
|
|
|
1af9a1 |
skipPreamble = true;
|
|
|
1af9a1 |
@@ -1022,7 +1028,7 @@
|
|
|
1af9a1 |
* detail message.
|
|
|
1af9a1 |
*/
|
|
|
1af9a1 |
public InvalidContentTypeException() {
|
|
|
1af9a1 |
- // Nothing to do.
|
|
|
1af9a1 |
+ super();
|
|
|
1af9a1 |
}
|
|
|
1af9a1 |
|
|
|
1af9a1 |
/**
|
|
|
1af9a1 |
@@ -1035,6 +1041,10 @@
|
|
|
1af9a1 |
super(message);
|
|
|
1af9a1 |
}
|
|
|
1af9a1 |
|
|
|
1af9a1 |
+ public InvalidContentTypeException(String msg, Throwable cause) {
|
|
|
1af9a1 |
+ super(msg, cause);
|
|
|
1af9a1 |
+ }
|
|
|
1af9a1 |
+
|
|
|
1af9a1 |
}
|
|
|
1af9a1 |
|
|
|
1af9a1 |
/**
|
|
|
1af9a1 |
--- java/org/apache/tomcat/util/http/fileupload/MultipartStream.java.orig 2014-03-17 18:30:01.512626000 -0400
|
|
|
73015d |
+++ java/org/apache/tomcat/util/http/fileupload/MultipartStream.java 2014-04-16 13:23:35.983099000 -0400
|
|
|
73015d |
@@ -278,10 +278,9 @@
|
|
|
1af9a1 |
* @param pNotifier The notifier, which is used for calling the
|
|
|
1af9a1 |
* progress listener, if any.
|
|
|
1af9a1 |
*
|
|
|
1af9a1 |
- * @see #MultipartStream(InputStream, byte[],
|
|
|
1af9a1 |
- * MultipartStream.ProgressNotifier)
|
|
|
1af9a1 |
+ * @throws IllegalArgumentException If the buffer size is too small
|
|
|
1af9a1 |
*/
|
|
|
73015d |
- MultipartStream(InputStream input,
|
|
|
73015d |
+ public MultipartStream(InputStream input,
|
|
|
1af9a1 |
byte[] boundary,
|
|
|
73015d |
int bufSize,
|
|
|
73015d |
ProgressNotifier pNotifier) {
|
|
|
1af9a1 |
@@ -292,8 +291,12 @@
|
|
|
1af9a1 |
|
|
|
1af9a1 |
// We prepend CR/LF to the boundary to chop trailing CR/LF from
|
|
|
1af9a1 |
// body-data tokens.
|
|
|
1af9a1 |
- this.boundary = new byte[boundary.length + BOUNDARY_PREFIX.length];
|
|
|
1af9a1 |
this.boundaryLength = boundary.length + BOUNDARY_PREFIX.length;
|
|
|
1af9a1 |
+ if (bufSize < this.boundaryLength + 1) {
|
|
|
1af9a1 |
+ throw new IllegalArgumentException(
|
|
|
1af9a1 |
+ "The buffer size specified for the MultipartStream is too small");
|
|
|
1af9a1 |
+ }
|
|
|
1af9a1 |
+ this.boundary = new byte[this.boundaryLength];
|
|
|
1af9a1 |
this.keepRegion = this.boundary.length;
|
|
|
1af9a1 |
System.arraycopy(BOUNDARY_PREFIX, 0, this.boundary, 0,
|
|
|
1af9a1 |
BOUNDARY_PREFIX.length);
|
|
|
1af9a1 |
@@ -313,8 +316,7 @@
|
|
|
1af9a1 |
* @param pNotifier An object for calling the progress listener, if any.
|
|
|
1af9a1 |
*
|
|
|
1af9a1 |
*
|
|
|
1af9a1 |
- * @see #MultipartStream(InputStream, byte[], int,
|
|
|
1af9a1 |
- * MultipartStream.ProgressNotifier)
|
|
|
1af9a1 |
+ * @see #MultipartStream(InputStream, byte[], int, ProgressNotifier)
|
|
|
1af9a1 |
*/
|
|
|
1af9a1 |
MultipartStream(InputStream input,
|
|
|
1af9a1 |
byte[] boundary,
|
|
|
1af9a1 |
--- webapps/docs/changelog.xml.orig 2014-03-17 18:30:01.569656000 -0400
|
|
|
1af9a1 |
+++ webapps/docs/changelog.xml 2014-03-17 18:44:11.967500000 -0400
|
|
|
1af9a1 |
@@ -59,6 +59,11 @@
|
|
|
1af9a1 |
<subsection name="Catalina">
|
|
|
1af9a1 |
<changelog>
|
|
|
1af9a1 |
<fix>
|
|
|
1af9a1 |
+ Fix CVE-2014-0050, a denial of service with a malicious, malformed
|
|
|
1af9a1 |
+ Content-Type header and multipart request processing. Fixed by merging
|
|
|
1af9a1 |
+ latest code (r1565163) from Commons FileUpload. (markt)
|
|
|
1af9a1 |
+ </fix>
|
|
|
1af9a1 |
+ <fix>
|
|
|
1af9a1 |
Enforce the restriction described in section 4.4 of the Servlet 3.0
|
|
|
1af9a1 |
specification that requires the new pluggability methods only to be
|
|
|
1af9a1 |
available to ServletContextListeners defined in one of the
|