tomcat/tomcat6-6.0-CVE-2010-2227.patch

139 lines
5.2 KiB
Diff

--- java/org/apache/coyote/http11/Http11AprProcessor.java.orig 2010-07-12 11:52:05.981133000 -0400
+++ java/org/apache/coyote/http11/Http11AprProcessor.java 2010-07-12 11:59:39.205913000 -0400
@@ -78,6 +78,12 @@
protected static StringManager sm =
StringManager.getManager(Constants.Package);
+ /**
+ * Tracks how many internal filters are in the filter library so they
+ * are skipped whe looking for pluggable filters
+ */
+ private int pluggableFilterIndex = Integer.MAX_VALUE;
+
// ----------------------------------------------------------- Constructors
@@ -1736,6 +1742,8 @@
//inputBuffer.addFilter(new GzipInputFilter());
outputBuffer.addFilter(new GzipOutputFilter());
+ pluggableFilterIndex = inputBuffer.filterLibrary.length;
+
}
@@ -1754,7 +1762,7 @@
(inputFilters[Constants.CHUNKED_FILTER]);
contentDelimitation = true;
} else {
- for (int i = 2; i < inputFilters.length; i++) {
+ for (int i = pluggableFilterIndex; i < inputFilters.length; i++) {
if (inputFilters[i].getEncodingName()
.toString().equals(encodingName)) {
inputBuffer.addActiveFilter(inputFilters[i]);
--- java/org/apache/coyote/http11/Http11NioProcessor.java.orig 2010-07-12 12:00:05.720580000 -0400
+++ java/org/apache/coyote/http11/Http11NioProcessor.java 2010-07-12 12:19:36.465303000 -0400
@@ -81,6 +81,12 @@
*/
protected SSLSupport sslSupport;
+ /**
+ * Tracks how many internal filters are in the filter library so they
+ * are skipped whe looking for pluggable filters
+ */
+ private int pluggableFilterIndex = Integer.MAX_VALUE;
+
// ----------------------------------------------------------- Constructors
@@ -1763,6 +1769,8 @@
//inputBuffer.addFilter(new GzipInputFilter());
outputBuffer.addFilter(new GzipOutputFilter());
+ pluggableFilterIndex = inputBuffer.filterLibrary.length;
+
}
@@ -1781,7 +1789,7 @@
(inputFilters[Constants.CHUNKED_FILTER]);
contentDelimitation = true;
} else {
- for (int i = 2; i < inputFilters.length; i++) {
+ for (int i = pluggableFilterIndex; i < inputFilters.length; i++) {
if (inputFilters[i].getEncodingName()
.toString().equals(encodingName)) {
inputBuffer.addActiveFilter(inputFilters[i]);
--- java/org/apache/coyote/http11/Http11Processor.java.orig 2010-07-12 12:20:42.784634000 -0400
+++ java/org/apache/coyote/http11/Http11Processor.java 2010-07-12 12:23:14.996732000 -0400
@@ -76,6 +76,11 @@
protected static boolean isSecurityEnabled =
org.apache.coyote.Constants.IS_SECURITY_ENABLED;
+ /**
+ * Tracks how many internal filters are in the filter library so they
+ * are skipped whe looking for pluggable filters
+ */
+ private int pluggableFilterIndex = Integer.MAX_VALUE;
// ------------------------------------------------------------ Constructor
@@ -1642,6 +1647,7 @@
//inputBuffer.addFilter(new GzipInputFilter());
outputBuffer.addFilter(new GzipOutputFilter());
+ pluggableFilterIndex = inputBuffer.filterLibrary.length;
}
@@ -1660,7 +1666,7 @@
(inputFilters[Constants.CHUNKED_FILTER]);
contentDelimitation = true;
} else {
- for (int i = 2; i < inputFilters.length; i++) {
+ for (int i = pluggableFilterIndex; i < inputFilters.length; i++) {
if (inputFilters[i].getEncodingName()
.toString().equals(encodingName)) {
inputBuffer.addActiveFilter(inputFilters[i]);
--- java/org/apache/coyote/http11/filters/BufferedInputFilter.java.orig 2010-01-19 08:43:40.000000000 -0500
+++ java/org/apache/coyote/http11/filters/BufferedInputFilter.java 2010-07-12 13:00:50.374586000 -0400
@@ -102,10 +102,14 @@
}
public void recycle() {
- if (buffered.getBuffer().length > 65536) {
- buffered = null;
- } else {
- buffered.recycle();
+ if (buffered != null)
+ {
+ if (buffered.getBuffer().length > 65536)
+ {
+ buffered = null;
+ } else {
+ buffered.recycle();
+ }
}
tempRead.recycle();
hasRead = false;
--- webapps/docs/changelog.xml.orig 2010-07-12 16:08:24.000000000 -0600
+++ webapps/docs/changelog.xml 2010-07-12 16:12:43.000000000 -0600
@@ -40,6 +40,16 @@
Correct TCK failures with security manager caused by the original fix
for <bug>47774</bug>. (markt)
</fix>
+ <fix>
+ Arange filter logic (jgclere)
+ Several flaws in the handling of the 'Transfer-Encoding' header
+ were found that prevented the recycling of a buffer. A remote
+ attacker could trigger this flaw which would cause subsequent
+ requests to fail and/or information to leak between requests.
+ This flaw is mitigated if Tomcat is behind a reverse proxy
+ (such as Apache httpd 2.2) as the proxy should reject the
+ invalid transfer encoding header.
+ </fix>
</changelog>
</subsection>
<subsection name="Other">