Login
[x]
Log in using an account from:
Fedora Account System
Red Hat Associate
Red Hat Customer
Or login using a Red Hat Bugzilla account
Forgot Password
Login:
Hide Forgot
Create an Account
Red Hat Bugzilla – Attachment 152992 Details for
Bug 237079
CVE-2005-2090 tomcat multiple content-length header poisioning
[?]
New
Simple Search
Advanced Search
My Links
Browse
Requests
Reports
Current State
Search
Tabular reports
Graphical reports
Duplicates
Other Reports
User Changes
Plotly Reports
Bug Status
Bug Severity
Non-Defaults
|
Product Dashboard
Help
Page Help!
Bug Writing Guidelines
What's new
Browser Support Policy
5.0.4.rh83 Release notes
FAQ
Guides index
User guide
Web Services
Contact
Legal
This site requires JavaScript to be enabled to function correctly, please enable it.
[patch]
the proposed patch
cve-2005-2090.patch (text/plain), 3.71 KB, created by
Mark J. Cox
on 2007-04-19 11:53:21 UTC
(
hide
)
Description:
the proposed patch
Filename:
MIME Type:
Creator:
Mark J. Cox
Created:
2007-04-19 11:53:21 UTC
Size:
3.71 KB
patch
obsolete
>Index: src/java/org/apache/coyote/http11/Constants.java >=================================================================== >--- src/java/org/apache/coyote/http11/Constants.java (revision 511333) >+++ src/java/org/apache/coyote/http11/Constants.java (working copy) >@@ -129,6 +129,10 @@ > public static final String CLOSE = "close"; > public static final byte[] CLOSE_BYTES = > ByteChunk.convertToBytes(CLOSE); >+ public static final String CONTENTLENGTH = "content-length"; >+ public static final byte[] CONTENTLENGTH_BYTES = >+ ByteChunk.convertToBytes(CONTENTLENGTH); >+ public static final int CONTENTLENGTH_SIZE = >CONTENTLENGTH_BYTES.length; > public static final String KEEPALIVE = "keep-alive"; > public static final byte[] KEEPALIVE_BYTES = > ByteChunk.convertToBytes(KEEPALIVE); >Index: src/java/org/apache/coyote/http11/InternalInputBuffer.java >=================================================================== >--- src/java/org/apache/coyote/http11/InternalInputBuffer.java >(revision 511333) >+++ src/java/org/apache/coyote/http11/InternalInputBuffer.java >(working copy) >@@ -77,6 +77,8 @@ > > parsingHeader = true; > swallowInput = true; >+ >+ contentLengthHeaderPresent = false; > > } > >@@ -107,6 +109,11 @@ > > > /** >+ * Has a content length header been set? >+ */ >+ protected boolean contentLengthHeaderPresent; >+ >+ /** > * State. > */ > protected boolean parsingHeader; >@@ -312,6 +319,7 @@ > lastActiveFilter = -1; > parsingHeader = true; > swallowInput = true; >+ contentLengthHeaderPresent = false; > > } > >@@ -353,6 +361,7 @@ > lastActiveFilter = -1; > parsingHeader = true; > swallowInput = true; >+ contentLengthHeaderPresent = false; > > } > >@@ -595,6 +604,14 @@ > if (buf[pos] == Constants.COLON) { > colon = true; > headerValue = headers.addValue(ascbuf, start, pos - >start); >+ if (isContentLengthHeader(ascbuf, start, pos - start)) { >+ if (contentLengthHeaderPresent) { >+ throw new IllegalArgumentException( >+ >sm.getString("iib.multipleContentLength")); >+ } else { >+ contentLengthHeaderPresent = true; >+ } >+ } > } > chr = buf[pos]; > if ((chr >= Constants.A) && (chr <= Constants.Z)) { >@@ -698,6 +715,24 @@ > } > > >+ protected boolean isContentLengthHeader(char[] buf, int start, >int len) { >+ // Do a quick length check first >+ if (len != Constants.CONTENTLENGTH_SIZE) { >+ return false; >+ } >+ >+ // It's the right length, do a charater by character test >+ // header names are stored in lower case >+ int pos = 0; >+ while (pos < Constants.CONTENTLENGTH_SIZE) { >+ if (buf[start + pos] != Constants.CONTENTLENGTH_BYTES[pos]) { >+ return false; >+ } >+ pos ++; >+ } >+ return true; >+ } >+ > // ---------------------------------------------------- >InputBuffer Methods > > >Index: src/java/org/apache/coyote/http11/LocalStrings.properties >=================================================================== >--- src/java/org/apache/coyote/http11/LocalStrings.properties >(revision 511333) >+++ src/java/org/apache/coyote/http11/LocalStrings.properties (working >copy) >@@ -48,5 +48,5 @@ > > iib.eof.error=Unexpected EOF read on the socket > iib.failedread=Exception filling buffer with data from underlying >input stream: not an EAGAIN status, so perhaps disconnected client? >+iib.multipleContentLength=Multiple content length headers were >detected in the request > iib.requestheadertoolarge.error=Request header is too large >- > > >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=152992">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 237079
: 152992