7086335 Problem with utility/apache
authorPetr Sumbera <petr.sumbera@oracle.com>
Fri, 02 Sep 2011 06:01:11 -0700
changeset 509 07ee58881cb3
parent 508 0155ab6903f2
child 510 53bd319b010e
7086335 Problem with utility/apache
components/tomcat/patches/CVE-2011-3190.patch
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/tomcat/patches/CVE-2011-3190.patch	Fri Sep 02 06:01:11 2011 -0700
@@ -0,0 +1,81 @@
+--- trunk/java/org/apache/coyote/ajp/AjpAprProcessor.java	2011/08/29 19:45:13	1162958
++++ trunk/java/org/apache/coyote/ajp/AjpAprProcessor.java	2011/08/29 19:45:42	1162959
[email protected]@ -405,11 +405,13 @@
+                     }
+                     continue;
+                 } else if(type != Constants.JK_AJP13_FORWARD_REQUEST) {
+-                    // Usually the servlet didn't read the previous request body
+-                    if(log.isDebugEnabled()) {
+-                        log.debug("Unexpected message: "+type);
++                    // Unexpected packet type. Unread body packets should have
++                    // been swallowed in finish().
++                    if (log.isDebugEnabled()) {
++                        log.debug("Unexpected message: " + type);
+                     }
+-                    continue;
++                    error = true;
++                    break;
+                 }
+ 
+                 keptAlive = true;
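Review bot: The unexpected-type branch in AjpAprProcessor now sets `error = true` and breaks, but the event is still recorded only under `log.isDebugEnabled()`, so at default log levels a desynchronised or injected AJP packet closes the connection without leaving any trace for operators. Since the changelog hunk ties this change to CVE-2011-3190 (AJP message injection), consider reporting it at a level that is normally enabled, e.g. `log.warn("Unexpected AJP message type " + type + ", closing connection");`, assuming `log` exposes `warn`. The same point applies to the matching hunk in AjpProcessor.java. The enclosing loop starts and ends outside the hunk.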
[email protected]@ -1056,6 +1058,11 @@
+ 
+         finished = true;
+ 
++        // Swallow the unread body packet if present
++        if (first && request.getContentLengthLong() > 0) {
++            receive();
++        }
++        
+         // Add the end message
+         if (outputBuffer.position() + endMessageArray.length > outputBuffer.capacity()) {
+             flush();
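Review bot: The result of `receive()` in the added swallow step is discarded, so if the pending body packet cannot be read the method still goes on to emit the end message as though the stream were back in sync. If `receive()` reports failure through its return value, and `error` is the same field the first hunk sets, something like `if (first && request.getContentLengthLong() > 0 && !receive()) { error = true; }` would stop the connection from being reused in that state. The guard also covers only requests with a declared positive content length; a body sent without one appears to rely on the new `break` in the main loop, which deserves a sentence in the comment, e.g. `// Bodies without a declared length are not swallowed here; the main loop rejects the stray packet.` The same applies to the corresponding hunk in AjpProcessor.java, and the method (presumably finish(), per the comment in the first hunk) continues outside the hunk.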
+--- trunk/java/org/apache/coyote/ajp/AjpProcessor.java	2011/08/29 19:45:13	1162958
++++ trunk/java/org/apache/coyote/ajp/AjpProcessor.java	2011/08/29 19:45:42	1162959
[email protected]@ -423,11 +423,13 @@
+                     }
+                     continue;
+                 } else if(type != Constants.JK_AJP13_FORWARD_REQUEST) {
+-                    // Usually the servlet didn't read the previous request body
+-                    if(log.isDebugEnabled()) {
+-                        log.debug("Unexpected message: "+type);
++                    // Unexpected packet type. Unread body packets should have
++                    // been swallowed in finish().
++                    if (log.isDebugEnabled()) {
++                        log.debug("Unexpected message: " + type);
+                     }
+-                    continue;
++                    error = true;
++                    break;
+                 }
+ 
+                 request.setStartTime(System.currentTimeMillis());
[email protected]@ -1061,6 +1063,11 @@
+ 
+         finished = true;
+ 
++        // Swallow the unread body packet if present
++        if (first && request.getContentLengthLong() > 0) {
++            receive();
++        }
++        
+         // Add the end message
+         output.write(endMessageArray);
+ 
+--- trunk/webapps/docs/changelog.xml	2011/08/29 19:45:13	1162958
++++ trunk/webapps/docs/changelog.xml	2011/08/29 19:45:42	1162959
[email protected]@ -52,6 +52,14 @@
+       </fix>
+     </changelog>
+   </subsection>
++  <subsection name="Coyote">
++    <changelog>
++      <fix>
++        <bug>51698</bug>: Fix CVE-2011-3190. Prevent AJP message injection.
++        (markt)
++      </fix>
++    </changelog>
++  </subsection>
+ </section>
+ <section name="Tomcat 6.0.33 (jfclere)" rtext="released 2011-08-18">
+   <subsection name="Catalina">