File jetty-hashDOS.patch of Package jetty5
Index: jetty-5.1.14/src/org/mortbay/http/HttpRequest.java
===================================================================
--- jetty-5.1.14.orig/src/org/mortbay/http/HttpRequest.java 2006-11-23 09:56:52.000000000 +0100
+++ jetty-5.1.14/src/org/mortbay/http/HttpRequest.java 2012-02-10 14:07:03.942175496 +0100
@@ -80,6 +80,14 @@
 /* ------------------------------------------------------------ */
 /**
+ * Maximum number of form Keys to protect against DOS attack from crafted hash keys.
+ * Set via the org.eclipse.jetty.server.Request.maxFormKeys
+ */
+ private static int __maxFormKeys = Integer.getInteger(
+ "org.eclipse.jetty.server.Request.maxFormKeys",1000).intValue();
+
+ /* ------------------------------------------------------------ */
+ /**
 * Maximum header line length.
 */
 public static int __maxLineLength = 4096;
@@ -891,7 +899,7 @@
 throw new IllegalStateException("Form too large");
 // Add form params to query params
- UrlEncoded.decodeTo(bout.getBuf(), 0, bout.getCount(), _parameters,encoding);
+ UrlEncoded.decodeTo(bout.getBuf(), 0, bout.getCount(), _parameters, encoding, __maxFormKeys);
 }
 catch (EOFException e)
 {
Index: jetty-5.1.14/src/org/mortbay/util/UrlEncoded.java
===================================================================
--- jetty-5.1.14.orig/src/org/mortbay/util/UrlEncoded.java 2005-12-22 00:14:38.000000000 +0100
+++ jetty-5.1.14/src/org/mortbay/util/UrlEncoded.java 2012-02-10 14:09:59.119192395 +0100
@@ -71,13 +71,13 @@
 /* ----------------------------------------------------------------- */
 public void decode(String query)
 {
- decodeTo(query,this,StringUtil.__ISO_8859_1);
+ decodeTo(query,this,StringUtil.__ISO_8859_1,-1);
 }
 /* ----------------------------------------------------------------- */
 public void decode(String query,String charset)
 {
- decodeTo(query,this,charset);
+ decodeTo(query,this,charset,-1);
 }
 /* -------------------------------------------------------------- */
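Review bot: The Javadoc on `__maxFormKeys` does not say that a value of zero or below switches the limit off, which follows from the `maxKeys>0` guard added in `UrlEncoded.decodeTo`; an operator who sets the property to 0 or a negative number gets no protection at all. I would finish the sentence and state this, for example `Set via the org.eclipse.jetty.server.Request.maxFormKeys system property (default 1000); a value <= 0 disables the limit.` The field is assigned once in its initializer and not reassigned in the visible lines, so it can be declared `private static final int`.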
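Review bot: `decode(String)` and `decode(String,String)` now pass `-1`, which the `maxKeys>0` guard treats as unlimited, so only the form-body call in `HttpRequest` is actually bounded. The two `decodeTo(String, ...)` wrappers in the hunks at -162 and -173 do the same. Callers of these entry points are not visible in this patch; if request-derived input such as a query string reaches them, it can still populate the map without a key limit. Either pass the configured limit from those callers or add a comment such as `// no key limit here: input length is already bounded by the caller` where that is really the case.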
@@ -162,10 +162,8 @@
 */
 public static void decodeTo(String content,MultiMap map)
 {
- decodeTo(content,map,StringUtil.__ISO_8859_1);
+ decodeTo(content,map,StringUtil.__ISO_8859_1,-1);
 }
-
-
 /* -------------------------------------------------------------- */
 /** Decoded parameters to Map.
@@ -173,6 +171,15 @@
 */
 public static void decodeTo(String content, MultiMap map, String charset)
 {
+ decodeTo(content,map,charset, -1);
+ }
+
+ /* -------------------------------------------------------------- */
+ /** Decoded parameters to Map.
+ * @param content the string containing the encoded parameters
+ */
+ public static void decodeTo(String content, MultiMap map, String charset, int maxKeys)
+ {
 if (charset==null)
 charset=StringUtil.__ISO_8859_1;
@@ -199,6 +206,11 @@
 map.add(key,value);
 key = null;
 }
+ if (maxKeys>0 && map.size()>maxKeys)
+ {
+ log.warn("maxFormKeys limit exceeded keys>" + Integer.valueOf(maxKeys));
+ return;
+ }
 break;
 case '=':
 if (key!=null)
@@ -239,7 +251,7 @@
 /** Decoded parameters to Map.
 * @param data the byte[] containing the encoded parameters
 */
- public static void decodeTo(byte[] data, int offset, int length, MultiMap map, String charset)
+ public static void decodeTo(byte[] data, int offset, int length, MultiMap map, String charset, int maxKeys)
 {
 if (data == null || length == 0)
 return;
@@ -269,6 +281,11 @@
 key = null;
 }
 ox = offset;
+ if (maxKeys>0 && map.size()>maxKeys)
+ {
+ log.warn("maxFormKeys limit exceeded keys>" + Integer.valueOf(maxKeys));
+ return;
+ }
 break;
 case '=':
 if (key!=null)
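Review bot: The Javadoc of the new four-argument `decodeTo` (hunk at -173) is a copy of the old one and says nothing about `maxKeys`. Add `@param maxKeys maximum number of keys to decode; a value <= 0 means no limit` and one sentence stating that decoding stops with a warning once the limit is passed, leaving `map` partially filled. The method body continues outside the hunk.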
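Review bot: When the limit is passed (hunk at -199) the method only logs and returns, so the caller gets a partially filled `map` and goes on handling the request as if the form had been parsed completely; any parameter after the cut-off is silently missing. Rejecting the request instead, the way the `Form too large` path in `HttpRequest` does with `throw new IllegalStateException(...)`, would make the failure explicit to the application. The check sits only in the `'&'` branch and runs after `map.add`, so the map already holds more than `maxKeys` keys when decoding stops. The byte[] variant in the hunk at -269 carries the same code. `Integer.valueOf(maxKeys)` in the message is redundant, since `"... keys>" + maxKeys` produces the same text.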
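Review bot: The public static `decodeTo(byte[], int, int, MultiMap, String)` signature (hunk at -239) is replaced rather than overloaded, so any code compiled against the five-argument form no longer links, whereas the String variant keeps its old overload and delegates with `-1`. Keeping a five-argument wrapper whose body is `decodeTo(data, offset, length, map, charset, -1);` would preserve source and binary compatibility. Callers other than `HttpRequest` are not visible in this patch, so the impact is inferred. The Javadoc above the signature also lacks an `@param maxKeys` line.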