components/tomcat/patches/CVE-2011-3190.patch
branchs11-sru
changeset 2242 b4a4c4d7fb32
parent 2241 c52ed55c4e7d
child 2243 4307245757f6
2241:c52ed55c4e7d 2242:b4a4c4d7fb32
     1 --- trunk/java/org/apache/coyote/ajp/AjpAprProcessor.java	2011/08/29 19:45:13	1162958
       
     2 +++ trunk/java/org/apache/coyote/ajp/AjpAprProcessor.java	2011/08/29 19:45:42	1162959
       
     3 @@ -405,11 +405,13 @@
       
     4                      }
       
     5                      continue;
       
     6                  } else if(type != Constants.JK_AJP13_FORWARD_REQUEST) {
       
     7 -                    // Usually the servlet didn't read the previous request body
       
     8 -                    if(log.isDebugEnabled()) {
       
     9 -                        log.debug("Unexpected message: "+type);
       
    10 +                    // Unexpected packet type. Unread body packets should have
       
    11 +                    // been swallowed in finish().
       
    12 +                    if (log.isDebugEnabled()) {
       
    13 +                        log.debug("Unexpected message: " + type);
       
    14                      }
       
    15 -                    continue;
       
    16 +                    error = true;
       
    17 +                    break;
       
    18                  }
       
    19  
       
    20                  keptAlive = true;
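Review bot: The new `error = true; break;` branch rejects an unexpected AJP packet type, but it still reports the event only under `log.isDebugEnabled()`, so with default logging an out-of-sequence packet leaves no trace. Since this branch is now where a desynchronised or injected message gets dropped, it should log at a level operators actually collect, for example `log.warn("Unexpected message: " + type);`. Check whether anything outside the hunk limits how often that line can fire, because a peer on the AJP port could otherwise fill the log. The identical hunk in AjpProcessor.java (at -423) has the same gap. The enclosing loop starts and ends outside the hunk, so what happens to `error` after the `break` cannot be confirmed from here.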
       
    21 @@ -1056,6 +1058,11 @@
       
    22  
       
    23          finished = true;
       
    24  
       
    25 +        // Swallow the unread body packet if present
       
    26 +        if (first && request.getContentLengthLong() > 0) {
       
    27 +            receive();
       
    28 +        }
       
    29 +        
       
    30          // Add the end message
       
    31          if (outputBuffer.position() + endMessageArray.length > outputBuffer.capacity()) {
       
    32              flush();
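Review bot: The comment on the added block in finish() states what is done but not why, and the reason is the security-relevant part. As far as the AJP protocol goes, a request with a positive Content-Length is followed by a first body packet that the container did not ask for, and if the servlet never reads it, that packet is the next thing parsed on the kept-alive connection. I would spell that out, e.g. `// Consume the unsolicited first body packet so it cannot be parsed as the next request on this connection (CVE-2011-3190)`. The result of `receive()` is also discarded here; whether a failed or truncated read is handled elsewhere is not visible, since finish() starts and ends outside the hunk. The matching hunk in AjpProcessor.java (at -1061) needs the same comment.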
       
    33 --- trunk/java/org/apache/coyote/ajp/AjpProcessor.java	2011/08/29 19:45:13	1162958
       
    34 +++ trunk/java/org/apache/coyote/ajp/AjpProcessor.java	2011/08/29 19:45:42	1162959
       
    35 @@ -423,11 +423,13 @@
       
    36                      }
       
    37                      continue;
       
    38                  } else if(type != Constants.JK_AJP13_FORWARD_REQUEST) {
       
    39 -                    // Usually the servlet didn't read the previous request body
       
    40 -                    if(log.isDebugEnabled()) {
       
    41 -                        log.debug("Unexpected message: "+type);
       
    42 +                    // Unexpected packet type. Unread body packets should have
       
    43 +                    // been swallowed in finish().
       
    44 +                    if (log.isDebugEnabled()) {
       
    45 +                        log.debug("Unexpected message: " + type);
       
    46                      }
       
    47 -                    continue;
       
    48 +                    error = true;
       
    49 +                    break;
       
    50                  }
       
    51  
       
    52                  request.setStartTime(System.currentTimeMillis());
       
    53 @@ -1061,6 +1063,11 @@
       
    54  
       
    55          finished = true;
       
    56  
       
    57 +        // Swallow the unread body packet if present
       
    58 +        if (first && request.getContentLengthLong() > 0) {
       
    59 +            receive();
       
    60 +        }
       
    61 +        
       
    62          // Add the end message
       
    63          output.write(endMessageArray);
       
    64  
       
    65 --- trunk/webapps/docs/changelog.xml	2011/08/29 19:45:13	1162958
       
    66 +++ trunk/webapps/docs/changelog.xml	2011/08/29 19:45:42	1162959
       
    67 @@ -52,6 +52,14 @@
       
    68        </fix>
       
    69      </changelog>
       
    70    </subsection>
       
    71 +  <subsection name="Coyote">
       
    72 +    <changelog>
       
    73 +      <fix>
       
    74 +        <bug>51698</bug>: Fix CVE-2011-3190. Prevent AJP message injection.
       
    75 +        (markt)
       
    76 +      </fix>
       
    77 +    </changelog>
       
    78 +  </subsection>
       
    79  </section>
       
    80  <section name="Tomcat 6.0.33 (jfclere)" rtext="released 2011-08-18">
       
    81    <subsection name="Catalina">