File netty3-CVE-2024-29025.patch of Package netty3

Overview Repositories Revisions Requests Users Attributes Meta

File netty3-CVE-2024-29025.patch of Package netty3

--- a/src/main/java/org/jboss/netty/handler/codec/http/multipart/HttpPostMultipartRequestDecoder.java	2016-06-29 14:41:47.000000000 +0200
+++ b/src/main/java/org/jboss/netty/handler/codec/http/multipart/HttpPostMultipartRequestDecoder.java	2024-07-04 12:42:30.682137342 +0200
@@ -53,6 +53,16 @@
     private final HttpRequest request;
 
     /**
+     * The maximum number of fields allows by the form
+     */
+    private final int maxFields;
+
+    /**
+     * The maximum number of accumulated bytes when decoding a field
+     */
+    private final int maxBufferedBytes;
+
+    /**
      * Default charset to use
      */
     private Charset charset;
@@ -147,6 +157,23 @@
      */
     public HttpPostMultipartRequestDecoder(HttpDataFactory factory, HttpRequest request,
             Charset charset) throws ErrorDataDecoderException {
+        this(factory, request, charset, HttpPostRequestDecoder.DEFAULT_MAX_FIELDS, HttpPostRequestDecoder.DEFAULT_MAX_BUFFERED_BYTES);
+    }
+
+    /**
+     *
+     * @param factory the factory used to create InterfaceHttpData
+     * @param request the request to decode
+     * @param charset the charset to use as default
+     * @param maxFields
+     *            the maximum number of fields the form can have, {@code -1} to disable
+     * @param maxBufferedBytes
+     *            the maximum number of bytes the decoder can buffer when decoding a field, {@code -1} to disable
+     * @throws NullPointerException for request or charset or factory
+     * @throws ErrorDataDecoderException if the default charset was wrong when decoding or other errors
+     */
+    public HttpPostMultipartRequestDecoder(HttpDataFactory factory, HttpRequest request,
+        Charset charset, int maxFields, int maxBufferedBytes) throws ErrorDataDecoderException {
         if (factory == null) {
             throw new NullPointerException("factory");
         }
@@ -159,6 +186,8 @@
         this.request = request;
         this.charset = charset;
         this.factory = factory;
+        this.maxFields = maxFields;
+        this.maxBufferedBytes = maxBufferedBytes;
         // Fill default values
         setMultipart(this.request.headers().get(HttpHeaders.Names.CONTENT_TYPE));
         if (!this.request.isChunked()) {
@@ -230,6 +259,9 @@
             isLastChunk = true;
         }
         parseBody();
+        if (maxBufferedBytes > 0 && undecodedChunk != null && undecodedChunk.readableBytes() > maxBufferedBytes) {
+            throw new ErrorDataDecoderException();
+        }
     }
 
     public boolean hasNext() throws EndOfDataDecoderException {
@@ -268,10 +300,13 @@
     /**
      * Utility function to add a new decoded data
      */
-    private void addHttpData(InterfaceHttpData data) {
+    private void addHttpData(InterfaceHttpData data) throws ErrorDataDecoderException {
         if (data == null) {
             return;
         }
+        if (maxFields > 0 && bodyListHttpData.size() >= maxFields) {
+            throw new ErrorDataDecoderException();
+        }
         List<InterfaceHttpData> datas = bodyMapHttpData.get(data.getName());
         if (datas == null) {
             datas = new ArrayList<InterfaceHttpData>(1);
--- a/src/main/java/org/jboss/netty/handler/codec/http/multipart/HttpPostRequestDecoder.java	2016-06-29 14:41:47.000000000 +0200
+++ b/src/main/java/org/jboss/netty/handler/codec/http/multipart/HttpPostRequestDecoder.java	2024-07-04 12:27:23.372964684 +0200
@@ -28,6 +28,11 @@
  * This decoder will decode Body and can handle POST BODY (both multipart and standard).
  */
 public class HttpPostRequestDecoder implements InterfaceHttpPostRequestDecoder {
+ 
+    static final int DEFAULT_MAX_FIELDS = 128;
+
+    static final int DEFAULT_MAX_BUFFERED_BYTES = 1024;
+
     /**
      * Does this request is a Multipart request
      */
@@ -58,6 +63,25 @@
 
     /**
      *
+     * @param request
+     *            the request to decode
+     * @param maxFields
+     *            the maximum number of fields the form can have, {@code -1} to disable
+     * @param maxBufferedBytes
+     *            the maximum number of bytes the decoder can buffer when decoding a field, {@code -1} to disable
+     * @throws NullPointerException
+     *             for request
+     * @throws ErrorDataDecoderException
+     *             if the default charset was wrong when decoding or other
+     *             errors
+     */
+    public HttpPostRequestDecoder(HttpRequest request, int maxFields, int maxBufferedBytes) throws ErrorDataDecoderException {
+        this(new DefaultHttpDataFactory(DefaultHttpDataFactory.MINSIZE), request, HttpConstants.DEFAULT_CHARSET,
+             maxFields, maxBufferedBytes);
+    }
+
+    /**
+     *
      * @param factory the factory used to create InterfaceHttpData
      * @param request the request to decode
      * @param charset the charset to use as default
@@ -66,6 +90,23 @@
      */
     public HttpPostRequestDecoder(HttpDataFactory factory, HttpRequest request,
             Charset charset) throws ErrorDataDecoderException {
+        this(factory, request, charset, HttpPostRequestDecoder.DEFAULT_MAX_FIELDS,
+            HttpPostRequestDecoder.DEFAULT_MAX_BUFFERED_BYTES);
+    }
+
+    /**
+     *
+     * @param factory the factory used to create InterfaceHttpData
+     * @param request the request to decode
+     * @param charset the charset to use as default
+     * @param maxFields the maximum number of fields the form can have, {@code -1} to disable
+     * @param maxBufferedBytes
+     *            the maximum number of bytes the decoder can buffer when decoding a field, {@code -1} to disable
+     * @throws NullPointerException for request or charset or factory
+     * @throws ErrorDataDecoderException if the default charset was wrong when decoding or other errors
+     */
+    public HttpPostRequestDecoder(HttpDataFactory factory, HttpRequest request, Charset charset,
+            int maxFields, int maxBufferedBytes) throws ErrorDataDecoderException {
         if (factory == null) {
             throw new NullPointerException("factory");
         }
@@ -77,9 +118,9 @@
         }
         // Fill default values
         if (isMultipart(request)) {
-            decoder = new HttpPostMultipartRequestDecoder(factory, request, charset);
+            decoder = new HttpPostMultipartRequestDecoder(factory, request, charset, maxFields, maxBufferedBytes);
         } else {
-            decoder = new HttpPostStandardRequestDecoder(factory, request, charset);
+            decoder = new HttpPostStandardRequestDecoder(factory, request, charset, maxFields, maxBufferedBytes);
         }
     }
 
--- a/src/main/java/org/jboss/netty/handler/codec/http/multipart/HttpPostStandardRequestDecoder.java	2016-06-29 14:41:47.000000000 +0200
+++ b/src/main/java/org/jboss/netty/handler/codec/http/multipart/HttpPostStandardRequestDecoder.java	2024-07-04 12:39:27.134939191 +0200
@@ -57,6 +57,16 @@
     private final Charset charset;
 
     /**
+     * The maximum number of fields allows by the form
+     */
+    private final int maxFields;
+
+    /**
+     * The maximum number of accumulated bytes when decoding a field
+     */
+    private final int maxBufferedBytes;
+
+    /**
      * Does the last chunk already received
      */
     private boolean isLastChunk;
@@ -125,6 +135,21 @@
      */
     public HttpPostStandardRequestDecoder(HttpDataFactory factory, HttpRequest request,
             Charset charset) throws ErrorDataDecoderException {
+        this(factory, request, charset, HttpPostRequestDecoder.DEFAULT_MAX_FIELDS, HttpPostRequestDecoder.DEFAULT_MAX_BUFFERED_BYTES);
+    }
+
+    /**
+     *
+     * @param factory the factory used to create InterfaceHttpData
+     * @param request the request to decode
+     * @param charset the charset to use as default
+     * @param maxFields the maximum number of fields the form can have, {@code -1} to disable
+     * @param maxBufferedBytes the maximum number of bytes the decoder can buffer when decoding a field, {@code -1} to disable
+     * @throws NullPointerException for request or charset or factory
+     * @throws ErrorDataDecoderException if the default charset was wrong when decoding or other errors
+     */
+    public HttpPostStandardRequestDecoder(HttpDataFactory factory, HttpRequest request,
+            Charset charset, int maxFields, int maxBufferedBytes) throws ErrorDataDecoderException {
         if (factory == null) {
             throw new NullPointerException("factory");
         }
@@ -137,6 +162,8 @@
         this.request = request;
         this.charset = charset;
         this.factory = factory;
+        this.maxFields = maxFields;
+        this.maxBufferedBytes = maxBufferedBytes;
         if (!this.request.isChunked()) {
             undecodedChunk = this.request.getContent();
             isLastChunk = true;
@@ -190,6 +217,9 @@
             isLastChunk = true;
         }
         parseBody();
+        if (maxBufferedBytes > 0 && undecodedChunk != null && undecodedChunk.readableBytes() > maxBufferedBytes) {
+            throw new ErrorDataDecoderException();
+        }
     }
 
     public boolean hasNext() throws EndOfDataDecoderException {
@@ -228,10 +258,13 @@
     /**
      * Utility function to add a new decoded data
      */
-    private void addHttpData(InterfaceHttpData data) {
+    private void addHttpData(InterfaceHttpData data) throws ErrorDataDecoderException {
         if (data == null) {
             return;
         }
+        if (maxFields > 0 && bodyListHttpData.size() >= maxFields) {
+            throw new ErrorDataDecoderException();
+        }
         List<InterfaceHttpData> datas = bodyMapHttpData.get(data.getName());
         if (datas == null) {
             datas = new ArrayList<InterfaceHttpData>(1);

Places

File netty3-CVE-2024-29025.patch of Package netty3

Places