Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP1:Update
tomcat.32131
tomcat-9.0.36-CVE-2023-45648.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File tomcat-9.0.36-CVE-2023-45648.patch of Package tomcat.32131
From 59583245639d8c42ae0009f4a4a70464d3ea70a0 Mon Sep 17 00:00:00 2001 From: Mark Thomas <markt@apache.org> Date: Thu, 5 Oct 2023 20:51:48 +0100 Subject: [PATCH] Align processing of trailer headers with standard processing --- .../apache/coyote/http11/Http11InputBuffer.java | 8 +++++++- .../coyote/http11/filters/ChunkedInputFilter.java | 15 ++++++++++++++- .../coyote/http11/filters/LocalStrings.properties | 2 ++ webapps/docs/changelog.xml | 3 +++ 4 files changed, 26 insertions(+), 2 deletions(-) Index: apache-tomcat-9.0.36-src/java/org/apache/coyote/http11/Http11InputBuffer.java =================================================================== --- apache-tomcat-9.0.36-src.orig/java/org/apache/coyote/http11/Http11InputBuffer.java +++ apache-tomcat-9.0.36-src/java/org/apache/coyote/http11/Http11InputBuffer.java @@ -802,6 +802,12 @@ public class Http11InputBuffer implement */ private HeaderParseStatus parseHeader() throws IOException { + /* + * Implementation note: Any changes to this method probably need to be echoed in + * ChunkedInputFilter.parseHeader(). Why not use a common implementation? In short, this code uses non-blocking + * reads whereas ChunkedInputFilter using blocking reads. The code is just different enough that a common + * implementation wasn't viewed as practical. + */ while (headerParsePos == HeaderParsePosition.HEADER_START) { // Read new bytes if needed @@ -934,7 +940,7 @@ public class Http11InputBuffer implement } else if (prevChr == Constants.CR) { // Invalid value - also need to delete header return skipLine(true); - } else if (chr != Constants.HT && HttpParser.isControl(chr)) { + } else if (HttpParser.isControl(chr) && chr != Constants.HT) { // Invalid value - also need to delete header return skipLine(true); } else if (chr == Constants.SP || chr == Constants.HT) { Index: apache-tomcat-9.0.36-src/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java =================================================================== --- apache-tomcat-9.0.36-src.orig/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java +++ apache-tomcat-9.0.36-src/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java @@ -31,6 +31,7 @@ import org.apache.coyote.http11.Constant import org.apache.coyote.http11.InputFilter; import org.apache.tomcat.util.buf.ByteChunk; import org.apache.tomcat.util.buf.HexUtils; +import org.apache.tomcat.util.http.parser.HttpParser; import org.apache.tomcat.util.net.ApplicationBufferHandler; import org.apache.tomcat.util.res.StringManager; @@ -435,6 +436,13 @@ public class ChunkedInputFilter implemen private boolean parseHeader() throws IOException { + /* + * Implementation note: Any changes to this method probably need to be echoed in + * Http11InputBuffer.parseHeader(). Why not use a common implementation? In short, this code uses blocking + * reads whereas Http11InputBuffer using non-blocking reads. The code is just different enough that a common + * implementation wasn't viewed as practical. + */ + Map<String,String> headers = request.getTrailerFields(); byte chr = 0; @@ -481,6 +489,9 @@ public class ChunkedInputFilter implemen if (chr == Constants.COLON) { colon = true; + } else if (!HttpParser.isToken(chr)) { + // Non-token characters are illegal in header names + throw new IOException(sm.getString("chunkedInputFilter.invalidTrailerHeaderName")); } else { trailingHeaders.append(chr); } @@ -542,7 +553,9 @@ public class ChunkedInputFilter implemen if (chr == Constants.CR || chr == Constants.LF) { parseCRLF(true); eol = true; - } else if (chr == Constants.SP) { + } else if (HttpParser.isControl(chr) && chr != Constants.HT) { + throw new IOException(sm.getString("chunkedInputFilter.invalidTrailerHeaderValue")); + } else if (chr == Constants.SP || chr == Constants.HT) { trailingHeaders.append(chr); } else { trailingHeaders.append(chr); Index: apache-tomcat-9.0.36-src/java/org/apache/coyote/http11/filters/LocalStrings.properties =================================================================== --- apache-tomcat-9.0.36-src.orig/java/org/apache/coyote/http11/filters/LocalStrings.properties +++ apache-tomcat-9.0.36-src/java/org/apache/coyote/http11/filters/LocalStrings.properties @@ -21,6 +21,8 @@ chunkedInputFilter.invalidCrlfCRCR=Inval chunkedInputFilter.invalidCrlfNoCR=Invalid end of line sequence (No CR before LF) chunkedInputFilter.invalidCrlfNoData=Invalid end of line sequence (no data available to read) chunkedInputFilter.invalidHeader=Invalid chunk header +chunkedInputFilter.invalidTrailerHeaderName=Invalid trailer header name (non-token character in name) +chunkedInputFilter.invalidTrailerHeaderValue=Invalid trailer header value (control character in value) chunkedInputFilter.maxExtension=maxExtensionSize exceeded chunkedInputFilter.maxTrailer=maxTrailerSize exceeded Index: apache-tomcat-9.0.36-src/webapps/docs/changelog.xml =================================================================== --- apache-tomcat-9.0.36-src.orig/webapps/docs/changelog.xml +++ apache-tomcat-9.0.36-src/webapps/docs/changelog.xml @@ -147,6 +147,9 @@ malformed <code>content-length</code> header should always be rejected with a 400 response. (markt) </fix> + <fix> + Align validation of HTTP trailer fields with standard fields. (markt) + </fix> </changelog> </subsection> <subsection name="Jasper">
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor