Google Git
Sign in
apache / commons-fileupload / c61ff05b3241cb14d989b67209e57aa71540417a^! / .
commitc61ff05b3241cb14d989b67209e57aa71540417a[log] [tgz]
authorMark Thomas <markt@apache.org>Thu Feb 06 10:14:24 2014 +0000
committerMark Thomas <markt@apache.org>Thu Feb 06 10:14:24 2014 +0000
tree6b925f75f2c3f73319e121f6debc4d74b5e10696
parent401ba23732e9ae96c3e4797eb624d357cb9ae2d0 [diff]
Fix CVE-2014-0050. Specially crafted input can trigger a DoS if the buffer used by the <code>MultipartStream</code> is not big enough. When constructing <code>MultipartStream</code> enforce the requirements for buffer size by throwing an <code>IllegalArgumentException</code> if the requested buffer size is too small. This prevents the DoS.

git-svn-id: https://svn.apache.org/repos/asf/commons/proper/fileupload/trunk@1565143 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/src/changes/changes.xml b/src/changes/changes.xml
index c780800..58e7d4a 100644
--- a/src/changes/changes.xml
+++ b/src/changes/changes.xml

@@ -51,6 +51,13 @@
       <action dev="markt" type="fix">
         Correct example in usage documentation so it compiles.
       </action>
+      <action dev="markt" type="fix">
+        Fix CVE-2014-0050. Specially crafted input can trigger a DoS if the
+        buffer used by the <code>MultipartStream</code> is not big enough. When
+        constructing <code>MultipartStream</code> enforce the requirements for
+        buffer size by throwing an <code>IllegalArgumentException</code> if the
+        requested buffer size is too small. This prevents the DoS. 
+      </action>
     </release>
     
     <release version="1.3" description="maintenance release, JDK1.5 update" date="2013-03-27">

diff --git a/src/main/java/org/apache/commons/fileupload/FileUploadBase.java b/src/main/java/org/apache/commons/fileupload/FileUploadBase.java
index 0e4c441..f8efb25 100644
--- a/src/main/java/org/apache/commons/fileupload/FileUploadBase.java
+++ b/src/main/java/org/apache/commons/fileupload/FileUploadBase.java

@@ -991,7 +991,12 @@
             }
 
             notifier = new MultipartStream.ProgressNotifier(listener, requestSize);
-            multi = new MultipartStream(input, boundary, notifier);
+            try {
+                multi = new MultipartStream(input, boundary, notifier);
+            } catch (IllegalArgumentException iae) {
+                throw new InvalidContentTypeException(
+                        format("The boundary specified in the %s header is too long", CONTENT_TYPE), iae);
+            }
             multi.setHeaderEncoding(charEncoding);
 
             skipPreamble = true;
@@ -1183,7 +1188,7 @@
          * detail message.
          */
         public InvalidContentTypeException() {
-            // Nothing to do.
+            super();
         }
 
         /**
@@ -1196,6 +1201,9 @@
             super(message);
         }
 
+        public InvalidContentTypeException(String msg, Throwable cause) {
+            super(msg, cause);
+        }
     }
 
     /**

diff --git a/src/main/java/org/apache/commons/fileupload/MultipartStream.java b/src/main/java/org/apache/commons/fileupload/MultipartStream.java
index c2b9e90..9e0cbcd 100644
--- a/src/main/java/org/apache/commons/fileupload/MultipartStream.java
+++ b/src/main/java/org/apache/commons/fileupload/MultipartStream.java

@@ -268,10 +268,8 @@
     /**
      * Creates a new instance.
      *
-     * @deprecated 1.2.1 Use {@link #MultipartStream(InputStream, byte[],
-     * org.apache.commons.fileupload.MultipartStream.ProgressNotifier)},
-     * or {@link #MultipartStream(InputStream, byte[], int,
-     * org.apache.commons.fileupload.MultipartStream.ProgressNotifier)}
+     * @deprecated 1.2.1 Use {@link #MultipartStream(InputStream, byte[], int,
+     * ProgressNotifier)}
      */
     @Deprecated
     public MultipartStream() {
@@ -292,10 +290,8 @@
      *                 <code>encapsulations</code>.
      * @param bufSize  The size of the buffer to be used, in bytes.
      *
-     * @see #MultipartStream(InputStream, byte[],
-     *   MultipartStream.ProgressNotifier)
      * @deprecated 1.2.1 Use {@link #MultipartStream(InputStream, byte[], int,
-     *  org.apache.commons.fileupload.MultipartStream.ProgressNotifier)}.
+     * ProgressNotifier)}.
      */
     @Deprecated
     public MultipartStream(InputStream input, byte[] boundary, int bufSize) {
@@ -317,8 +313,7 @@
      * @param pNotifier The notifier, which is used for calling the
      *                  progress listener, if any.
      *
-     * @see #MultipartStream(InputStream, byte[],
-     *     MultipartStream.ProgressNotifier)
+     * @throws IllegalArgumentException If the buffer size is too small
      */
     public MultipartStream(InputStream input,
             byte[] boundary,
@@ -331,9 +326,14 @@
 
         // We prepend CR/LF to the boundary to chop trailing CR/LF from
         // body-data tokens.
-        this.boundary = new byte[boundary.length + BOUNDARY_PREFIX.length];
         this.boundaryLength = boundary.length + BOUNDARY_PREFIX.length;
+        if (bufSize < this.boundaryLength + 1) {
+            throw new IllegalArgumentException(
+                    "The buffer size specified for the MultipartStream is too small");
+        }
+        this.boundary = new byte[this.boundaryLength];
         this.keepRegion = this.boundary.length;
+
         System.arraycopy(BOUNDARY_PREFIX, 0, this.boundary, 0,
                 BOUNDARY_PREFIX.length);
         System.arraycopy(boundary, 0, this.boundary, BOUNDARY_PREFIX.length,
@@ -352,8 +352,7 @@
      * @param pNotifier An object for calling the progress listener, if any.
      *
      *
-     * @see #MultipartStream(InputStream, byte[], int,
-     *     MultipartStream.ProgressNotifier)
+     * @see #MultipartStream(InputStream, byte[], int, ProgressNotifier)
      */
     MultipartStream(InputStream input,
             byte[] boundary,
@@ -368,10 +367,8 @@
      * @param boundary The token used for dividing the stream into
      *                 <code>encapsulations</code>.
      *
-     * @deprecated 1.2.1 Use {@link #MultipartStream(InputStream, byte[],
-     *  MultipartStream.ProgressNotifier)}.
-     * @see #MultipartStream(InputStream, byte[], int,
-     *  MultipartStream.ProgressNotifier)
+     * @deprecated 1.2.1 Use {@link #MultipartStream(InputStream, byte[], int,
+     *  ProgressNotifier)}.
      */
     @Deprecated
     public MultipartStream(InputStream input,

diff --git a/src/test/java/org/apache/commons/fileupload/MultipartStreamTest.java b/src/test/java/org/apache/commons/fileupload/MultipartStreamTest.java
index d0ebdc6..195a52a 100644
--- a/src/test/java/org/apache/commons/fileupload/MultipartStreamTest.java
+++ b/src/test/java/org/apache/commons/fileupload/MultipartStreamTest.java

@@ -38,7 +38,8 @@
         final byte[] contents = strData.getBytes();
         InputStream input = new ByteArrayInputStream(contents);
         byte[] boundary = BOUNDARY_TEXT.getBytes();
-        int iBufSize = boundary.length;
+        int iBufSize =
+                boundary.length + MultipartStream.BOUNDARY_PREFIX.length + 1;
         MultipartStream ms = new MultipartStream(
                 input,
                 boundary,
@@ -47,6 +48,21 @@
         assertNotNull(ms);
     }
 
+    @Test(expected=IllegalArgumentException.class)
+    public void testSmallBuffer() throws Exception {
+        final String strData = "foobar";
+        final byte[] contents = strData.getBytes();
+        InputStream input = new ByteArrayInputStream(contents);
+        byte[] boundary = BOUNDARY_TEXT.getBytes();
+        int iBufSize = 1;
+        @SuppressWarnings("unused")
+        MultipartStream ms = new MultipartStream(
+                input,
+                boundary,
+                iBufSize,
+                new MultipartStream.ProgressNotifier(null, contents.length));
+    }
+
     @Test
     public void testTwoParamConstructor() throws Exception {
         final String strData = "foobar";