Fix CVE-2014-0050. Specially crafted input can trigger a DoS if the buffer used by the <code>MultipartStream</code> is not big enough. When constructing <code>MultipartStream</code> enforce the requirements for buffer size by throwing an <code>IllegalArgumentException</code> if the requested buffer size is too small. This prevents the DoS.
git-svn-id: https://svn.apache.org/repos/asf/commons/proper/fileupload/trunk@1565143 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/src/changes/changes.xml b/src/changes/changes.xml
index c780800..58e7d4a 100644
--- a/src/changes/changes.xml
+++ b/src/changes/changes.xml
@@ -51,6 +51,13 @@
<action dev="markt" type="fix">
Correct example in usage documentation so it compiles.
</action>
+ <action dev="markt" type="fix">
+ Fix CVE-2014-0050. Specially crafted input can trigger a DoS if the
+ buffer used by the <code>MultipartStream</code> is not big enough. When
+ constructing <code>MultipartStream</code> enforce the requirements for
+ buffer size by throwing an <code>IllegalArgumentException</code> if the
+ requested buffer size is too small. This prevents the DoS.
+ </action>
</release>
<release version="1.3" description="maintenance release, JDK1.5 update" date="2013-03-27">
diff --git a/src/main/java/org/apache/commons/fileupload/FileUploadBase.java b/src/main/java/org/apache/commons/fileupload/FileUploadBase.java
index 0e4c441..f8efb25 100644
--- a/src/main/java/org/apache/commons/fileupload/FileUploadBase.java
+++ b/src/main/java/org/apache/commons/fileupload/FileUploadBase.java
@@ -991,7 +991,12 @@
}
notifier = new MultipartStream.ProgressNotifier(listener, requestSize);
- multi = new MultipartStream(input, boundary, notifier);
+ try {
+ multi = new MultipartStream(input, boundary, notifier);
+ } catch (IllegalArgumentException iae) {
+ throw new InvalidContentTypeException(
+ format("The boundary specified in the %s header is too long", CONTENT_TYPE), iae);
+ }
multi.setHeaderEncoding(charEncoding);
skipPreamble = true;
@@ -1183,7 +1188,7 @@
* detail message.
*/
public InvalidContentTypeException() {
- // Nothing to do.
+ super();
}
/**
@@ -1196,6 +1201,9 @@
super(message);
}
+ public InvalidContentTypeException(String msg, Throwable cause) {
+ super(msg, cause);
+ }
}
/**
diff --git a/src/main/java/org/apache/commons/fileupload/MultipartStream.java b/src/main/java/org/apache/commons/fileupload/MultipartStream.java
index c2b9e90..9e0cbcd 100644
--- a/src/main/java/org/apache/commons/fileupload/MultipartStream.java
+++ b/src/main/java/org/apache/commons/fileupload/MultipartStream.java
@@ -268,10 +268,8 @@
/**
* Creates a new instance.
*
- * @deprecated 1.2.1 Use {@link #MultipartStream(InputStream, byte[],
- * org.apache.commons.fileupload.MultipartStream.ProgressNotifier)},
- * or {@link #MultipartStream(InputStream, byte[], int,
- * org.apache.commons.fileupload.MultipartStream.ProgressNotifier)}
+ * @deprecated 1.2.1 Use {@link #MultipartStream(InputStream, byte[], int,
+ * ProgressNotifier)}
*/
@Deprecated
public MultipartStream() {
@@ -292,10 +290,8 @@
* <code>encapsulations</code>.
* @param bufSize The size of the buffer to be used, in bytes.
*
- * @see #MultipartStream(InputStream, byte[],
- * MultipartStream.ProgressNotifier)
* @deprecated 1.2.1 Use {@link #MultipartStream(InputStream, byte[], int,
- * org.apache.commons.fileupload.MultipartStream.ProgressNotifier)}.
+ * ProgressNotifier)}.
*/
@Deprecated
public MultipartStream(InputStream input, byte[] boundary, int bufSize) {
@@ -317,8 +313,7 @@
* @param pNotifier The notifier, which is used for calling the
* progress listener, if any.
*
- * @see #MultipartStream(InputStream, byte[],
- * MultipartStream.ProgressNotifier)
+ * @throws IllegalArgumentException If the buffer size is too small
*/
public MultipartStream(InputStream input,
byte[] boundary,
@@ -331,9 +326,14 @@
// We prepend CR/LF to the boundary to chop trailing CR/LF from
// body-data tokens.
- this.boundary = new byte[boundary.length + BOUNDARY_PREFIX.length];
this.boundaryLength = boundary.length + BOUNDARY_PREFIX.length;
+ if (bufSize < this.boundaryLength + 1) {
+ throw new IllegalArgumentException(
+ "The buffer size specified for the MultipartStream is too small");
+ }
+ this.boundary = new byte[this.boundaryLength];
this.keepRegion = this.boundary.length;
+
System.arraycopy(BOUNDARY_PREFIX, 0, this.boundary, 0,
BOUNDARY_PREFIX.length);
System.arraycopy(boundary, 0, this.boundary, BOUNDARY_PREFIX.length,
@@ -352,8 +352,7 @@
* @param pNotifier An object for calling the progress listener, if any.
*
*
- * @see #MultipartStream(InputStream, byte[], int,
- * MultipartStream.ProgressNotifier)
+ * @see #MultipartStream(InputStream, byte[], int, ProgressNotifier)
*/
MultipartStream(InputStream input,
byte[] boundary,
@@ -368,10 +367,8 @@
* @param boundary The token used for dividing the stream into
* <code>encapsulations</code>.
*
- * @deprecated 1.2.1 Use {@link #MultipartStream(InputStream, byte[],
- * MultipartStream.ProgressNotifier)}.
- * @see #MultipartStream(InputStream, byte[], int,
- * MultipartStream.ProgressNotifier)
+ * @deprecated 1.2.1 Use {@link #MultipartStream(InputStream, byte[], int,
+ * ProgressNotifier)}.
*/
@Deprecated
public MultipartStream(InputStream input,
diff --git a/src/test/java/org/apache/commons/fileupload/MultipartStreamTest.java b/src/test/java/org/apache/commons/fileupload/MultipartStreamTest.java
index d0ebdc6..195a52a 100644
--- a/src/test/java/org/apache/commons/fileupload/MultipartStreamTest.java
+++ b/src/test/java/org/apache/commons/fileupload/MultipartStreamTest.java
@@ -38,7 +38,8 @@
final byte[] contents = strData.getBytes();
InputStream input = new ByteArrayInputStream(contents);
byte[] boundary = BOUNDARY_TEXT.getBytes();
- int iBufSize = boundary.length;
+ int iBufSize =
+ boundary.length + MultipartStream.BOUNDARY_PREFIX.length + 1;
MultipartStream ms = new MultipartStream(
input,
boundary,
@@ -47,6 +48,21 @@
assertNotNull(ms);
}
+ @Test(expected=IllegalArgumentException.class)
+ public void testSmallBuffer() throws Exception {
+ final String strData = "foobar";
+ final byte[] contents = strData.getBytes();
+ InputStream input = new ByteArrayInputStream(contents);
+ byte[] boundary = BOUNDARY_TEXT.getBytes();
+ int iBufSize = 1;
+ @SuppressWarnings("unused")
+ MultipartStream ms = new MultipartStream(
+ input,
+ boundary,
+ iBufSize,
+ new MultipartStream.ProgressNotifier(null, contents.length));
+ }
+
@Test
public void testTwoParamConstructor() throws Exception {
final String strData = "foobar";