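--- a/trunk/java/org/apache/coyote/ajp/AjpAprProcessor.java 2011/08/29 19:45:13 1162958
+++ b/trunk/java/org/apache/coyote/ajp/AjpAprProcessor.java 2011/08/29 19:45:42 1162959
@@ -405,11 +405,13 @@
 }
 continue;
 } else if(type != Constants.JK_AJP13_FORWARD_REQUEST) {
- // Usually the servlet didn't read the previous request body
- if(log.isDebugEnabled()) {
- log.debug("Unexpected message: "+type);
+ // Unexpected packet type. Unread body packets should have
+ // been swallowed in finish().
+ if (log.isDebugEnabled()) {
+ log.debug("Unexpected message: " + type);
 }
- continue;
+ error = true;
+ break;
 }
 
 keptAlive = true;
@@ -1056,6 +1058,11 @@
 
 finished = true;
 
+ // Swallow the unread body packet if present
+ if (first && request.getContentLengthLong() > 0) {
+ receive();
+ }
+
 // Add the end message
 if (outputBuffer.position() + endMessageArray.length > outputBuffer.capacity()) {
 flush();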
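Review bot: The result of `receive()` in the swallow block added at -1056 (apparently inside finish(), whose start and end are outside the hunk) is discarded, so a failed read of the pending body packet goes unnoticed and the end message is still written on a connection whose next bytes may be leftover body data. receive() is defined outside this hunk; if it returns a success flag, consider `if (first && request.getContentLengthLong() > 0 && !receive()) { error = true; }` so the connection is not reused. The guard also covers only requests with a positive Content-Length, so it is worth confirming whether a body of unknown length can leave an unread first packet behind. The comment could state why the read is needed: `// The first body packet arrives unsolicited after the headers; consume it so it is not parsed as the next message.` The same applies to the matching hunk in AjpProcessor.java.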
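--- a/trunk/java/org/apache/coyote/ajp/AjpProcessor.java 2011/08/29 19:45:13 1162958
+++ b/trunk/java/org/apache/coyote/ajp/AjpProcessor.java 2011/08/29 19:45:42 1162959
@@ -423,11 +423,13 @@
 }
 continue;
 } else if(type != Constants.JK_AJP13_FORWARD_REQUEST) {
- // Usually the servlet didn't read the previous request body
- if(log.isDebugEnabled()) {
- log.debug("Unexpected message: "+type);
+ // Unexpected packet type. Unread body packets should have
+ // been swallowed in finish().
+ if (log.isDebugEnabled()) {
+ log.debug("Unexpected message: " + type);
 }
- continue;
+ error = true;
+ break;
 }
 
 request.setStartTime(System.currentTimeMillis());
@@ -1061,6 +1063,11 @@
 
 finished = true;
 
+ // Swallow the unread body packet if present
+ if (first && request.getContentLengthLong() > 0) {
+ receive();
+ }
+
 // Add the end message
 output.write(endMessageArray);
 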
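Review bot: The unexpected-type branch at -423 now sets `error = true` and breaks out, but the only record is a debug-level message, so at default log levels a desynchronised or injected AJP stream is closed with no trace for operators. Consider logging this branch at a level that is on by default, e.g. `log.warn("Unexpected AJP message type " + type + ", closing connection");`, with the caveat that a misbehaving peer can then generate log volume. The enclosing loop starts and ends outside the hunk, so whether `error` is reported elsewhere is not visible here. The same applies to the identical hunk in AjpAprProcessor.java.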
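--- a/trunk/webapps/docs/changelog.xml 2011/08/29 19:45:13 1162958
+++ b/trunk/webapps/docs/changelog.xml 2011/08/29 19:45:42 1162959
@@ -52,6 +52,14 @@
 </fix>
 </changelog>
 </subsection>
+ <subsection name="Coyote">
+ <changelog>
+ <fix>
+ <bug>51698</bug>: Fix CVE-2011-3190. Prevent AJP message injection.
+ (markt)
+ </fix>
+ </changelog>
+ </subsection>
 </section>
 <section name="Tomcat 6.0.33 (jfclere)" rtext="released 2011-08-18">
 <subsection name="Catalina">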