From dc0bbbb8a93ecf1614d3a86b42914d41b7d58d06 Mon Sep 17 00:00:00 2001
From: markt
Date: Mon, 29 Aug 2011 19:44:53 +0000
Subject: [PATCH] Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=51698 Fix CVE-2011-3190 Prevent AJP request forgery via unread request body packet
git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@1162957 13f79535-47bb-0310-9956-ffa450edef68
---
 java/org/apache/coyote/ajp/AbstractAjpProcessor.java | 5 +++++
 java/org/apache/coyote/ajp/AjpAprProcessor.java | 10 ++++++----
 java/org/apache/coyote/ajp/AjpNioProcessor.java | 10 ++++++----
 java/org/apache/coyote/ajp/AjpProcessor.java | 11 ++++++-----
 4 files changed, 23 insertions(+), 13 deletions(-)
diff --git a/java/org/apache/coyote/ajp/AbstractAjpProcessor.java b/java/org/apache/coyote/ajp/AbstractAjpProcessor.java
index 39fb0b628..fceefdddf 100644
--- a/java/org/apache/coyote/ajp/AbstractAjpProcessor.java
+++ b/java/org/apache/coyote/ajp/AbstractAjpProcessor.java
@@ -985,6 +985,11 @@ public abstract class AbstractAjpProcessor extends AbstractProcessor {
 finished = true;
+ // Swallow the unread body packet if present
+ if (first && request.getContentLengthLong() > 0) {
+ receive();
+ }
+
 // Add the end message
 if (error) {
 output(endAndCloseMessageArray, 0, endAndCloseMessageArray.length);
diff --git a/java/org/apache/coyote/ajp/AjpAprProcessor.java b/java/org/apache/coyote/ajp/AjpAprProcessor.java
index 078f2b6ab..d6b0b566e 100644
--- a/java/org/apache/coyote/ajp/AjpAprProcessor.java
+++ b/java/org/apache/coyote/ajp/AjpAprProcessor.java
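Review bot: The comment on the new swallow block in AbstractAjpProcessor (`if (first && request.getContentLengthLong() > 0) { receive(); }`) does not say why the packet has to be consumed or what `first` stands for, and that reasoning is the security-relevant part of the fix. I would expand it along the lines of `// If the application never read the request body, consume the pending body packet here so it cannot be parsed as the next message on a kept-alive connection (CVE-2011-3190)`. The condition covers only a declared positive content length; whether a body packet can arrive without one is not visible in this hunk, and the `error = true; break;` branch added in the three processors appears to be the fallback for that case, which is worth stating in the same comment. The enclosing method (presumably finish(), going by the comments in the other hunks) starts and ends outside the hunk.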
@@ -140,11 +140,13 @@ public class AjpAprProcessor extends AbstractAjpProcessor {
 }
 continue;
 } else if(type != Constants.JK_AJP13_FORWARD_REQUEST) {
- // Usually the servlet didn't read the previous request body
- if(log.isDebugEnabled()) {
- log.debug("Unexpected message: "+type);
+ // Unexpected packet type. Unread body packets should have
+ // been swallowed in finish().
+ if (log.isDebugEnabled()) {
+ log.debug("Unexpected message: " + type);
 }
- continue;
+ error = true;
+ break;
 }
 keptAlive = true;
diff --git a/java/org/apache/coyote/ajp/AjpNioProcessor.java b/java/org/apache/coyote/ajp/AjpNioProcessor.java
index f1669dd96..bd53f13d6 100644
--- a/java/org/apache/coyote/ajp/AjpNioProcessor.java
+++ b/java/org/apache/coyote/ajp/AjpNioProcessor.java
@@ -126,12 +126,14 @@ public class AjpNioProcessor extends AbstractAjpProcessor {
 recycle(false);
 continue;
 } else if(type != Constants.JK_AJP13_FORWARD_REQUEST) {
- // Usually the servlet didn't read the previous request body
- if(log.isDebugEnabled()) {
- log.debug("Unexpected message: "+type);
+ // Unexpected packet type. Unread body packets should have
+ // been swallowed in finish().
+ if (log.isDebugEnabled()) {
+ log.debug("Unexpected message: " + type);
 }
+ error = true;
 recycle(true);
- continue;
+ break;
 }
 request.setStartTime(System.currentTimeMillis());
 } catch (IOException e) {
diff --git a/java/org/apache/coyote/ajp/AjpProcessor.java b/java/org/apache/coyote/ajp/AjpProcessor.java
index 376327c5f..cdebea69c 100644
--- a/java/org/apache/coyote/ajp/AjpProcessor.java
+++ b/java/org/apache/coyote/ajp/AjpProcessor.java
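Review bot: The unexpected-packet branch now terminates the connection (`error = true; break;`) but still reports the event only under `log.isDebugEnabled()`, so with default logging a desynchronised or forged AJP stream is dropped without leaving any trace; the same applies to the AjpNioProcessor and AjpProcessor hunks. Since the new comment says this branch should not be reached once finish() swallows unread body packets, I would log it at a level that is on by default, e.g. `log.warn("Unexpected message: " + type);`, so operators can see and alert on it. The three processors now carry the same handling apart from the pre-existing `recycle(true)` in AjpNioProcessor, so moving it into AbstractAjpProcessor would keep later fixes in one place. The enclosing loop starts and ends outside each of these hunks.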
@@ -143,13 +143,14 @@ public class AjpProcessor extends AbstractAjpProcessor {
 }
 continue;
 } else if(type != Constants.JK_AJP13_FORWARD_REQUEST) {
- // Usually the servlet didn't read the previous request body
- if(log.isDebugEnabled()) {
- log.debug("Unexpected message: "+type);
+ // Unexpected packet type. Unread body packets should have
+ // been swallowed in finish().
+ if (log.isDebugEnabled()) {
+ log.debug("Unexpected message: " + type);
 }
- continue;
+ error = true;
+ break;
 }
-
 request.setStartTime(System.currentTimeMillis());
 } catch (IOException e) {
 error = true;
-- 
2.11.0