components/tomcat/patches/CVE-2011-3190.patch
author Petr Sumbera <petr.sumbera@oracle.com>
Fri, 02 Sep 2011 06:01:11 -0700
changeset 509 07ee58881cb3
permissions -rw-r--r--
7086335 Problem with utility/apache

--- trunk/java/org/apache/coyote/ajp/AjpAprProcessor.java	2011/08/29 19:45:13	1162958
+++ trunk/java/org/apache/coyote/ajp/AjpAprProcessor.java	2011/08/29 19:45:42	1162959
@@ -405,11 +405,13 @@
                     }
                     continue;
                 } else if(type != Constants.JK_AJP13_FORWARD_REQUEST) {
-                    // Usually the servlet didn't read the previous request body
-                    if(log.isDebugEnabled()) {
-                        log.debug("Unexpected message: "+type);
+                    // Unexpected packet type. Unread body packets should have
+                    // been swallowed in finish().
+                    if (log.isDebugEnabled()) {
+                        log.debug("Unexpected message: " + type);
                     }
-                    continue;
+                    error = true;
+                    break;
                 }
 
                 keptAlive = true;
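Review bot: The unexpected-packet branch now sets `error = true` and breaks, but its only trace is `log.debug("Unexpected message: " + type)` behind `isDebugEnabled()`, so at default log levels a protocol violation that stops request processing is invisible to operators. Because the changelog entry in this patch ties the change to CVE-2011-3190 (AJP message injection), I would log it at warn level, e.g. `log.warn("Unexpected AJP message type: " + type);`. I would also extend the comment to say why the loop stops rather than continues: `// Protocol is out of sync; stop rather than parse the next packet as a request.` The same applies to the identical hunk in AjpProcessor.java (@@ -423). The enclosing loop starts and ends outside the hunk, so what happens to the connection after the `break` is not visible here.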
@@ -1056,6 +1058,11 @@
 
         finished = true;
 
+        // Swallow the unread body packet if present
+        if (first && request.getContentLengthLong() > 0) {
+            receive();
+        }
+        
         // Add the end message
         if (outputBuffer.position() + endMessageArray.length > outputBuffer.capacity()) {
             flush();
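Review bot: The added swallow in finish() calls `receive()` once and discards whatever it reports, and the comment does not say why one packet is enough or what the guard `first && request.getContentLengthLong() > 0` stands for. Presumably `first` means no body packet has been read yet, and the front-end sends the first body packet unsolicited when a content length is present. If so, the comment should say it: `// The first body packet is sent unsolicited when Content-Length > 0; if the servlet never read it, consume it here so it is not parsed as the next request.` If `receive()` signals a short or failed read through its return value (its declaration is outside the hunk), that result should set `error = true` rather than be dropped. The same applies to the matching hunk in AjpProcessor.java (@@ -1061); in both, the added blank line carries trailing whitespace, and finish() begins outside the hunk.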
--- trunk/java/org/apache/coyote/ajp/AjpProcessor.java	2011/08/29 19:45:13	1162958
+++ trunk/java/org/apache/coyote/ajp/AjpProcessor.java	2011/08/29 19:45:42	1162959
@@ -423,11 +423,13 @@
                     }
                     continue;
                 } else if(type != Constants.JK_AJP13_FORWARD_REQUEST) {
-                    // Usually the servlet didn't read the previous request body
-                    if(log.isDebugEnabled()) {
-                        log.debug("Unexpected message: "+type);
+                    // Unexpected packet type. Unread body packets should have
+                    // been swallowed in finish().
+                    if (log.isDebugEnabled()) {
+                        log.debug("Unexpected message: " + type);
                     }
-                    continue;
+                    error = true;
+                    break;
                 }
 
                 request.setStartTime(System.currentTimeMillis());
@@ -1061,6 +1063,11 @@
 
         finished = true;
 
+        // Swallow the unread body packet if present
+        if (first && request.getContentLengthLong() > 0) {
+            receive();
+        }
+        
         // Add the end message
         output.write(endMessageArray);
 
--- trunk/webapps/docs/changelog.xml	2011/08/29 19:45:13	1162958
+++ trunk/webapps/docs/changelog.xml	2011/08/29 19:45:42	1162959
@@ -52,6 +52,14 @@
       </fix>
     </changelog>
   </subsection>
+  <subsection name="Coyote">
+    <changelog>
+      <fix>
+        <bug>51698</bug>: Fix CVE-2011-3190. Prevent AJP message injection.
+        (markt)
+      </fix>
+    </changelog>
+  </subsection>
 </section>
 <section name="Tomcat 6.0.33 (jfclere)" rtext="released 2011-08-18">
   <subsection name="Catalina">