Fix CVE-2014-0050 DoS with malformed Content-Type header and multipart request processing.
Update to latest code (r1565159) from Commons FileUpload
git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@1565163 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java b/java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java
index e13b0f9..1f331c2 100644
--- a/java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java
+++ b/java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java
@@ -799,7 +799,7 @@
|| (!contentType.toLowerCase(Locale.ENGLISH).startsWith(MULTIPART))) {
throw new InvalidContentTypeException(String.format(
"the request doesn't contain a %s or %s stream, content type header is %s",
- MULTIPART_FORM_DATA, MULTIPART_FORM_DATA, contentType));
+ MULTIPART_FORM_DATA, MULTIPART_MIXED, contentType));
}
InputStream input = ctx.getInputStream();
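Review bot: The client-supplied `contentType` header is still formatted verbatim into the exception message on the changed line, so any control characters or markup in it travel with the exception. Where this message ends up (log file, error page) is not visible in this hunk, so the least intrusive step is a comment above the `throw`, such as `// contentType is client-controlled: encode or truncate it before logging or rendering this message`. The enclosing method starts and ends outside the hunk.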
@@ -810,8 +810,7 @@
if (requestSize != -1 && requestSize > sizeMax) {
throw new SizeLimitExceededException(String.format(
"the request was rejected because its size (%s) exceeds the configured maximum (%s)",
- Long.valueOf(requestSize),
- Long.valueOf(sizeMax)),
+ Long.valueOf(requestSize), Long.valueOf(sizeMax)),
requestSize, sizeMax);
}
input = new LimitedInputStream(input, sizeMax) {
@@ -838,7 +837,13 @@
}
notifier = new MultipartStream.ProgressNotifier(listener, requestSize);
- multi = new MultipartStream(input, boundary, notifier);
+ try {
+ multi = new MultipartStream(input, boundary, notifier);
+ } catch (IllegalArgumentException iae) {
+ throw new InvalidContentTypeException(String.format(
+ "The boundary specified in the %s header is too long",
+ CONTENT_TYPE), iae);
+ }
multi.setHeaderEncoding(charEncoding);
skipPreamble = true;
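Review bot: The new `catch (IllegalArgumentException iae)` reports every IllegalArgumentException from the MultipartStream constructor as "boundary ... is too long", although the only throw visible in this commit is the buffer-size check. If the constructor has other argument checks outside the hunks shown, they would be mislabelled. Comparing the boundary length with the buffer size before constructing the stream would make the rejection explicit. The message could also state the permitted length, but it should not echo the boundary bytes themselves, since they come from the request header. The commit touches no test file, so a regression test asserting that an over-long boundary yields `InvalidContentTypeException` would pin the fix.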
@@ -1016,7 +1021,7 @@
* detail message.
*/
public InvalidContentTypeException() {
- // Nothing to do.
+ super();
}
/**
@@ -1029,6 +1034,9 @@
super(message);
}
+ public InvalidContentTypeException(String msg, Throwable cause) {
+ super(msg, cause);
+ }
}
/**
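Review bot: The added `InvalidContentTypeException(String msg, Throwable cause)` constructor has no Javadoc, while the no-argument constructor just above it is documented. A short block in the same style would do, with a summary like `Constructs an <code>InvalidContentTypeException</code> with the specified detail message and cause.` plus `@param msg` and `@param cause` tags. The class body starts outside this hunk.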
diff --git a/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java b/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java
index ab89753..80bb01a 100644
--- a/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java
+++ b/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java
@@ -276,8 +276,7 @@
* @param pNotifier The notifier, which is used for calling the
* progress listener, if any.
*
- * @see #MultipartStream(InputStream, byte[],
- * MultipartStream.ProgressNotifier)
+ * @throws IllegalArgumentException If the buffer size is too small
*/
public MultipartStream(InputStream input,
byte[] boundary,
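Review bot: The new `@throws` line says only that the buffer size is "too small", which leaves callers unable to tell what the minimum is. The check added further down makes the limit depend on the boundary, so the tag could read `@throws IllegalArgumentException if bufSize is smaller than boundary.length + BOUNDARY_PREFIX.length + 1`. Stating this in the contract also explains why FileUploadBase treats the exception as a bad Content-Type header. The constructor body continues outside the hunk.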
@@ -290,9 +289,14 @@
// We prepend CR/LF to the boundary to chop trailing CR/LF from
// body-data tokens.
- this.boundary = new byte[boundary.length + BOUNDARY_PREFIX.length];
this.boundaryLength = boundary.length + BOUNDARY_PREFIX.length;
+ if (bufSize < this.boundaryLength + 1) {
+ throw new IllegalArgumentException(
+ "The buffer size specified for the MultipartStream is too small");
+ }
+ this.boundary = new byte[this.boundaryLength];
this.keepRegion = this.boundary.length;
+
System.arraycopy(BOUNDARY_PREFIX, 0, this.boundary, 0,
BOUNDARY_PREFIX.length);
System.arraycopy(boundary, 0, this.boundary, BOUNDARY_PREFIX.length,
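Review bot: The guard `if (bufSize < this.boundaryLength + 1)` is the security-relevant line of this commit, yet it carries no comment explaining why the buffer must exceed the delimiter length, and its message omits both numbers. A why-comment would help here, for example `// The buffer must hold the whole delimiter plus at least one more byte; a longer boundary is rejected here (CVE-2014-0050).` The message could include the sizes, e.g. `String.format("The buffer size (%d) is too small for a boundary delimiter of %d bytes", bufSize, boundaryLength)`; both values are integers, so no header content is echoed. The constructor starts before the hunk, so it is not visible whether the read buffer is allocated before this check; if it is, validating first would avoid allocating for a request that is about to be rejected.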
@@ -311,8 +315,7 @@
* @param pNotifier An object for calling the progress listener, if any.
*
*
- * @see #MultipartStream(InputStream, byte[], int,
- * MultipartStream.ProgressNotifier)
+ * @see #MultipartStream(InputStream, byte[], int, ProgressNotifier)
*/
MultipartStream(InputStream input,
byte[] boundary,
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 258416f..e129167 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -106,6 +106,11 @@
<update>
Update Commons DBCP 2 to snapshot 164 dated 04 Feb 2014. (markt)
</update>
+ <fix>
+ Fix CVE-2014-0050, a denial of service with a malicious, malformed
+ Content-Type header and multipart request processing. Fixed by merging
+ latest code (r1565159) from Commons FileUpload. (markt)
+ </fix>
</changelog>
</subsection>
</section>