Backport c83fe47 to mitigate CVE-2023-45648
cesarhernandezgt committed Nov 15, 2023
1 parent 30e66bb commit c50f201
Showing 6 changed files with 15 additions and 5 deletions.
2 changes: 1 addition & 1 deletion java/org/apache/coyote/http11/InternalAprInputBuffer.java
@@ -484,7 +484,7 @@ private boolean parseHeader() throws IOException {
headers.removeHeader(headers.size() - 1);
skipLine(lineStart, start);
return true;
} else if (chr != Constants.HT && HttpParser.isControl(chr)) {
} else if (HttpParser.isControl(chr) && chr != Constants.HT) {
// Invalid value
// Delete the header (it will be the most recent one)
headers.removeHeader(headers.size() - 1);
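Review bot: The `// Invalid value` comment under the reordered condition does not say which bytes are rejected, and the same test `HttpParser.isControl(chr) && chr != Constants.HT` now appears in InternalAprInputBuffer, InternalInputBuffer, InternalNioInputBuffer and the trailer parser of the chunked input filter. A comment such as `// Control characters other than HT are not permitted in a field value` on each copy would make it clear that all four parsers are meant to enforce one rule, which is the alignment this backport is after. The operand swap itself looks behaviour-neutral as far as the visible lines show, since neither operand appears to have side effects, so the functional part of the mitigation sits in the trailer parser. parseHeader() starts and ends outside the hunk in all three input-buffer files.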
2 changes: 1 addition & 1 deletion java/org/apache/coyote/http11/InternalInputBuffer.java
@@ -435,7 +435,7 @@ private boolean parseHeader() throws IOException {
// Invalid value - also need to delete header
skipLine(lineStart, start, true);
return true;
} else if (chr != Constants.HT && HttpParser.isControl(chr)) {
} else if (HttpParser.isControl(chr) && chr != Constants.HT) {
// Invalid value - also need to delete header
skipLine(lineStart, start, true);
return true;
2 changes: 1 addition & 1 deletion java/org/apache/coyote/http11/InternalNioInputBuffer.java
@@ -670,7 +670,7 @@ private HeaderParseStatus parseHeader()
} else if (prevChr == Constants.CR) {
// Invalid value - also need to delete header
return skipLine(true);
} else if (chr != Constants.HT && HttpParser.isControl(chr)) {
} else if (HttpParser.isControl(chr) && chr != Constants.HT) {
// Invalid value - also need to delete header
return skipLine(true);
} else if (chr == Constants.SP || chr == Constants.HT) {
@@ -31,6 +31,7 @@
import org.apache.tomcat.util.buf.MessageBytes;
import org.apache.tomcat.util.http.MimeHeaders;
import org.apache.tomcat.util.res.StringManager;
import org.apache.tomcat.util.http.parser.HttpParser;

/**
* Chunked input filter. Parses chunked data according to
@@ -500,6 +501,9 @@ private boolean parseHeader() throws IOException {

if (chr == Constants.COLON) {
colon = true;
} else if (!HttpParser.isToken(chr)) {
// Non-token characters are illegal in header names
throw new IOException(sm.getString("chunkedInputFilter.invalidTrailerHeaderName"));
} else {
trailingHeaders.append(chr);
}
@@ -561,7 +565,9 @@ private boolean parseHeader() throws IOException {
if (chr == Constants.CR || chr == Constants.LF) {
parseCRLF(true);
eol = true;
} else if (chr == Constants.SP) {
} else if (HttpParser.isControl(chr) && chr != Constants.HT) {
throw new IOException(sm.getString("chunkedInputFilter.invalidTrailerHeaderValue"));
} else if (chr == Constants.SP || chr == Constants.HT) {
trailingHeaders.append(chr);
} else {
trailingHeaders.append(chr);
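Review bot: Neither of the two new rejection paths in the trailer parser's parseHeader() is exercised by a test in this commit: the `!HttpParser.isToken(chr)` check on the trailer name and the `HttpParser.isControl(chr) && chr != Constants.HT` check on the trailer value land with six changed files that are all sources, a message bundle or the changelog. A regression test that feeds the filter a trailer with a non-token character in the name, and another with a control character other than HT in the value, and asserts that an IOException is raised would keep this CVE-2023-45648 mitigation from regressing silently. Both exceptions also carry a fixed message; passing the numeric value of the offending byte, for example `sm.getString("chunkedInputFilter.invalidTrailerHeaderValue", Integer.valueOf(chr))` with a `{0}` placeholder in the bundle entry, would make rejected requests easier to triage in logs without echoing raw request bytes. parseHeader() begins and ends outside the hunks shown, and the final `else` branch of the value loop continues past the last visible line.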
@@ -23,5 +23,6 @@ chunkedInputFilter.invalidCrlfNoData=Invalid end of line sequence (no data avail
chunkedInputFilter.invalidHeader=Invalid chunk header
chunkedInputFilter.maxExtension=maxExtensionSize exceeded
chunkedInputFilter.maxTrailer=maxTrailerSize exceeded

chunkedInputFilter.invalidTrailerHeaderName=Invalid trailer header name (non-token character in name)
chunkedInputFilter.invalidTrailerHeaderValue=Invalid trailer header value (control character in value)
inputFilter.maxSwallow=maxSwallowSize exceeded
3 changes: 3 additions & 0 deletions webapps/docs/changelog.xml
@@ -154,6 +154,9 @@
Include the problematic data in the error message when reporting that
the provided request line contains an invalid component. (markt)
</fix>
<fix>
Align validation of HTTP trailer fields with standard fields. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Jasper">
