tomcat/tomcat-9.0-CVE-2021-33037.patch

Index: apache-tomcat-9.0.43-src/java/org/apache/coyote/http11/Http11Processor.java
===================================================================
--- apache-tomcat-9.0.43-src.orig/java/org/apache/coyote/http11/Http11Processor.java
+++ apache-tomcat-9.0.43-src/java/org/apache/coyote/http11/Http11Processor.java
@@ -212,11 +212,8 @@ public class Http11Processor extends Abs
 
         // Parsing trims and converts to lower case.
 
-        if (encodingName.equals("identity")) {
-            // Skip
-        } else if (encodingName.equals("chunked")) {
-            inputBuffer.addActiveFilter
-                (inputFilters[Constants.CHUNKED_FILTER]);
+        if (encodingName.equals("chunked")) {
+            inputBuffer.addActiveFilter(inputFilters[Constants.CHUNKED_FILTER]);
             contentDelimitation = true;
         } else {
             for (int i = pluggableFilterIndex; i < inputFilters.length; i++) {
@@ -753,13 +750,14 @@ public class Http11Processor extends Abs
         InputFilter[] inputFilters = inputBuffer.getFilters();
 
         // Parse transfer-encoding header
-        if (http11) {
+        // HTTP specs say an HTTP 1.1 server should accept any recognised
+        // HTTP 1.x header from a 1.x client unless the specs says otherwise.
+        if (!http09) {
             MessageBytes transferEncodingValueMB = headers.getValue("transfer-encoding");
             if (transferEncodingValueMB != null) {
                 List<String> encodingNames = new ArrayList<>();
                 if (TokenList.parseTokenList(headers.values("transfer-encoding"), encodingNames)) {
                     for (String encodingName : encodingNames) {
-                        // "identity" codings are ignored
                         addInputFilter(inputFilters, encodingName);
                     }
                 } else {
Index: apache-tomcat-9.0.43-src/test/org/apache/coyote/http11/TestHttp11Processor.java
===================================================================
--- apache-tomcat-9.0.43-src.orig/test/org/apache/coyote/http11/TestHttp11Processor.java
+++ apache-tomcat-9.0.43-src/test/org/apache/coyote/http11/TestHttp11Processor.java
@@ -254,31 +254,6 @@ public class TestHttp11Processor extends
 
 
     @Test
-    public void testWithTEIdentity() throws Exception {
-        getTomcatInstanceTestWebapp(false, true);
-
-        String request =
-            "POST /test/echo-params.jsp HTTP/1.1" + SimpleHttpClient.CRLF +
-            "Host: any" + SimpleHttpClient.CRLF +
-            "Transfer-encoding: identity" + SimpleHttpClient.CRLF +
-            "Content-Length: 9" + SimpleHttpClient.CRLF +
-            "Content-Type: application/x-www-form-urlencoded" +
-                    SimpleHttpClient.CRLF +
-            "Connection: close" + SimpleHttpClient.CRLF +
-                SimpleHttpClient.CRLF +
-            "test=data";
-
-        Client client = new Client(getPort());
-        client.setRequest(new String[] {request});
-
-        client.connect();
-        client.processRequest();
-        Assert.assertTrue(client.isResponse200());
-        Assert.assertTrue(client.getResponseBody().contains("test - data"));
-    }
-
-
-    @Test
     public void testWithTESavedRequest() throws Exception {
         getTomcatInstanceTestWebapp(false, true);
 
@@ -1859,4 +1834,102 @@ public class TestHttp11Processor extends
             // NO-OP
         }
     }
+
+
+    @Test
+    public void testTEHeaderUnknown01() throws Exception {
+        doTestTEHeaderUnknown("identity");
+    }
+
+
+    @Test
+    public void testTEHeaderUnknown02() throws Exception {
+        doTestTEHeaderUnknown("identity, chunked");
+    }
+
+
+    @Test
+    public void testTEHeaderUnknown03() throws Exception {
+        doTestTEHeaderUnknown("unknown, chunked");
+    }
+
+
+    @Test
+    public void testTEHeaderUnknown04() throws Exception {
+        doTestTEHeaderUnknown("void");
+    }
+
+
+    @Test
+    public void testTEHeaderUnknown05() throws Exception {
+        doTestTEHeaderUnknown("void, chunked");
+    }
+
+
+    @Test
+    public void testTEHeaderUnknown06() throws Exception {
+        doTestTEHeaderUnknown("void, identity");
+    }
+
+
+    @Test
+    public void testTEHeaderUnknown07() throws Exception {
+        doTestTEHeaderUnknown("identity, void");
+    }
+
+
+    private void doTestTEHeaderUnknown(String headerValue) throws Exception {
+        Tomcat tomcat = getTomcatInstance();
+
+        // No file system docBase required
+        Context ctx = tomcat.addContext("", null);
+
+        // Add servlet
+        Tomcat.addServlet(ctx, "TesterServlet", new TesterServlet(false));
+        ctx.addServletMappingDecoded("/foo", "TesterServlet");
+
+        tomcat.start();
+
+        String request =
+                "GET /foo HTTP/1.1" + SimpleHttpClient.CRLF +
+                "Host: localhost:" + getPort() + SimpleHttpClient.CRLF +
+                "Transfer-Encoding: " + headerValue + SimpleHttpClient.CRLF +
+                SimpleHttpClient.CRLF;
+
+        Client client = new Client(tomcat.getConnector().getLocalPort());
+        client.setRequest(new String[] {request});
+
+        client.connect();
+        client.processRequest(false);
+
+        Assert.assertTrue(client.isResponse501());
+    }
+
+
+    @Test
+    public void testWithTEChunkedHttp10() throws Exception {
+
+        getTomcatInstanceTestWebapp(false, true);
+
+        String request =
+            "POST /test/echo-params.jsp HTTP/1.0" + SimpleHttpClient.CRLF +
+            "Host: any" + SimpleHttpClient.CRLF +
+            "Transfer-encoding: chunked" + SimpleHttpClient.CRLF +
+            "Content-Type: application/x-www-form-urlencoded" +
+                    SimpleHttpClient.CRLF +
+            "Connection: close" + SimpleHttpClient.CRLF +
+            SimpleHttpClient.CRLF +
+            "9" + SimpleHttpClient.CRLF +
+            "test=data" + SimpleHttpClient.CRLF +
+            "0" + SimpleHttpClient.CRLF +
+            SimpleHttpClient.CRLF;
+
+        Client client = new Client(getPort());
+        client.setRequest(new String[] {request});
+
+        client.connect();
+        client.processRequest();
+        Assert.assertTrue(client.isResponse200());
+        Assert.assertTrue(client.getResponseBody().contains("test - data"));
+    }
 }
Index: apache-tomcat-9.0.43-src/webapps/docs/changelog.xml
===================================================================
--- apache-tomcat-9.0.43-src.orig/webapps/docs/changelog.xml
+++ apache-tomcat-9.0.43-src/webapps/docs/changelog.xml
@@ -347,6 +347,16 @@
         connections are attempted and fail. Patch provided by Maurizio Adami.
         (markt)
       </fix>
+      <fix>
+        Remove support for the <code>identity</code> transfer encoding. The
+        inclusion of this encoding in RFC 2616 was an error that was corrected
+        in 2001. Requests using this transfer encoding will now receive a 501
+        response. (markt)
+      </fix>
+      <fix>
+        Process transfer encoding headers from both HTTP 1.0 and HTTP 1.1
+        clients. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Web applications">
Accepting request 928113 from home:mbussolotto:branches:Java:packages - Fixed CVEs: * CVE-2021-30640: Escape parameters in JNDI Realm queries (bsc#1188279) * CVE-2021-33037: Process T-E header from both HTTP 1.0 and HTTP 1.1. clients (bsc#1188278) * CVE-2021-41079: Validate incoming TLS packet (bsc#1190558) - Added patches: * tomcat-9.0-CVE-2021-30640.patch * tomcat-9.0-CVE-2021-33037.patch * tomcat-9.0-CVE-2021-41079.patch OBS-URL: https://build.opensuse.org/request/show/928113 OBS-URL: https://build.opensuse.org/package/show/Java:packages/tomcat?expand=0&rev=229 2021-11-10 09:18:07 +01:00			`Index: apache-tomcat-9.0.43-src/java/org/apache/coyote/http11/Http11Processor.java`
			`===================================================================`
			`--- apache-tomcat-9.0.43-src.orig/java/org/apache/coyote/http11/Http11Processor.java`
			`+++ apache-tomcat-9.0.43-src/java/org/apache/coyote/http11/Http11Processor.java`
			`@@ -212,11 +212,8 @@ public class Http11Processor extends Abs`

			`// Parsing trims and converts to lower case.`

			`- if (encodingName.equals("identity")) {`
			`- // Skip`
			`- } else if (encodingName.equals("chunked")) {`
			`- inputBuffer.addActiveFilter`
			`- (inputFilters[Constants.CHUNKED_FILTER]);`
			`+ if (encodingName.equals("chunked")) {`
			`+ inputBuffer.addActiveFilter(inputFilters[Constants.CHUNKED_FILTER]);`
			`contentDelimitation = true;`
			`} else {`
			`for (int i = pluggableFilterIndex; i < inputFilters.length; i++) {`
			`@@ -753,13 +750,14 @@ public class Http11Processor extends Abs`
			`InputFilter[] inputFilters = inputBuffer.getFilters();`

			`// Parse transfer-encoding header`
			`- if (http11) {`
			`+ // HTTP specs say an HTTP 1.1 server should accept any recognised`
			`+ // HTTP 1.x header from a 1.x client unless the specs says otherwise.`
			`+ if (!http09) {`
			`MessageBytes transferEncodingValueMB = headers.getValue("transfer-encoding");`
			`if (transferEncodingValueMB != null) {`
			`List<String> encodingNames = new ArrayList<>();`
			`if (TokenList.parseTokenList(headers.values("transfer-encoding"), encodingNames)) {`
			`for (String encodingName : encodingNames) {`
			`- // "identity" codings are ignored`
			`addInputFilter(inputFilters, encodingName);`
			`}`
			`} else {`
			`Index: apache-tomcat-9.0.43-src/test/org/apache/coyote/http11/TestHttp11Processor.java`
			`===================================================================`
			`--- apache-tomcat-9.0.43-src.orig/test/org/apache/coyote/http11/TestHttp11Processor.java`
			`+++ apache-tomcat-9.0.43-src/test/org/apache/coyote/http11/TestHttp11Processor.java`
			`@@ -254,31 +254,6 @@ public class TestHttp11Processor extends`


			`@Test`
			`- public void testWithTEIdentity() throws Exception {`
			`- getTomcatInstanceTestWebapp(false, true);`
			`-`
			`- String request =`
			`- "POST /test/echo-params.jsp HTTP/1.1" + SimpleHttpClient.CRLF +`
			`- "Host: any" + SimpleHttpClient.CRLF +`
			`- "Transfer-encoding: identity" + SimpleHttpClient.CRLF +`
			`- "Content-Length: 9" + SimpleHttpClient.CRLF +`
			`- "Content-Type: application/x-www-form-urlencoded" +`
			`- SimpleHttpClient.CRLF +`
			`- "Connection: close" + SimpleHttpClient.CRLF +`
			`- SimpleHttpClient.CRLF +`
			`- "test=data";`
			`-`
			`- Client client = new Client(getPort());`
			`- client.setRequest(new String[] {request});`
			`-`
			`- client.connect();`
			`- client.processRequest();`
			`- Assert.assertTrue(client.isResponse200());`
			`- Assert.assertTrue(client.getResponseBody().contains("test - data"));`
			`- }`
			`-`
			`-`
			`- @Test`
			`public void testWithTESavedRequest() throws Exception {`
			`getTomcatInstanceTestWebapp(false, true);`

			`@@ -1859,4 +1834,102 @@ public class TestHttp11Processor extends`
			`// NO-OP`
			`}`
			`}`
			`+`
			`+`
			`+ @Test`
			`+ public void testTEHeaderUnknown01() throws Exception {`
			`+ doTestTEHeaderUnknown("identity");`
			`+ }`
			`+`
			`+`
			`+ @Test`
			`+ public void testTEHeaderUnknown02() throws Exception {`
			`+ doTestTEHeaderUnknown("identity, chunked");`
			`+ }`
			`+`
			`+`
			`+ @Test`
			`+ public void testTEHeaderUnknown03() throws Exception {`
			`+ doTestTEHeaderUnknown("unknown, chunked");`
			`+ }`
			`+`
			`+`
			`+ @Test`
			`+ public void testTEHeaderUnknown04() throws Exception {`
			`+ doTestTEHeaderUnknown("void");`
			`+ }`
			`+`
			`+`
			`+ @Test`
			`+ public void testTEHeaderUnknown05() throws Exception {`
			`+ doTestTEHeaderUnknown("void, chunked");`
			`+ }`
			`+`
			`+`
			`+ @Test`
			`+ public void testTEHeaderUnknown06() throws Exception {`
			`+ doTestTEHeaderUnknown("void, identity");`
			`+ }`
			`+`
			`+`
			`+ @Test`
			`+ public void testTEHeaderUnknown07() throws Exception {`
			`+ doTestTEHeaderUnknown("identity, void");`
			`+ }`
			`+`
			`+`
			`+ private void doTestTEHeaderUnknown(String headerValue) throws Exception {`
			`+ Tomcat tomcat = getTomcatInstance();`
			`+`
			`+ // No file system docBase required`
			`+ Context ctx = tomcat.addContext("", null);`
			`+`
			`+ // Add servlet`
			`+ Tomcat.addServlet(ctx, "TesterServlet", new TesterServlet(false));`
			`+ ctx.addServletMappingDecoded("/foo", "TesterServlet");`
			`+`
			`+ tomcat.start();`
			`+`
			`+ String request =`
			`+ "GET /foo HTTP/1.1" + SimpleHttpClient.CRLF +`
			`+ "Host: localhost:" + getPort() + SimpleHttpClient.CRLF +`
			`+ "Transfer-Encoding: " + headerValue + SimpleHttpClient.CRLF +`
			`+ SimpleHttpClient.CRLF;`
			`+`
			`+ Client client = new Client(tomcat.getConnector().getLocalPort());`
			`+ client.setRequest(new String[] {request});`
			`+`
			`+ client.connect();`
			`+ client.processRequest(false);`
			`+`
			`+ Assert.assertTrue(client.isResponse501());`
			`+ }`
			`+`
			`+`
			`+ @Test`
			`+ public void testWithTEChunkedHttp10() throws Exception {`
			`+`
			`+ getTomcatInstanceTestWebapp(false, true);`
			`+`
			`+ String request =`
			`+ "POST /test/echo-params.jsp HTTP/1.0" + SimpleHttpClient.CRLF +`
			`+ "Host: any" + SimpleHttpClient.CRLF +`
			`+ "Transfer-encoding: chunked" + SimpleHttpClient.CRLF +`
			`+ "Content-Type: application/x-www-form-urlencoded" +`
			`+ SimpleHttpClient.CRLF +`
			`+ "Connection: close" + SimpleHttpClient.CRLF +`
			`+ SimpleHttpClient.CRLF +`
			`+ "9" + SimpleHttpClient.CRLF +`
			`+ "test=data" + SimpleHttpClient.CRLF +`
			`+ "0" + SimpleHttpClient.CRLF +`
			`+ SimpleHttpClient.CRLF;`
			`+`
			`+ Client client = new Client(getPort());`
			`+ client.setRequest(new String[] {request});`
			`+`
			`+ client.connect();`
			`+ client.processRequest();`
			`+ Assert.assertTrue(client.isResponse200());`
			`+ Assert.assertTrue(client.getResponseBody().contains("test - data"));`
			`+ }`
			`}`
			`Index: apache-tomcat-9.0.43-src/webapps/docs/changelog.xml`
			`===================================================================`
			`--- apache-tomcat-9.0.43-src.orig/webapps/docs/changelog.xml`
			`+++ apache-tomcat-9.0.43-src/webapps/docs/changelog.xml`
			`@@ -347,6 +347,16 @@`
			`connections are attempted and fail. Patch provided by Maurizio Adami.`
			`(markt)`
			`</fix>`
			`+ <fix>`
			`+ Remove support for the <code>identity</code> transfer encoding. The`
			`+ inclusion of this encoding in RFC 2616 was an error that was corrected`
			`+ in 2001. Requests using this transfer encoding will now receive a 501`
			`+ response. (markt)`
			`+ </fix>`
			`+ <fix>`
			`+ Process transfer encoding headers from both HTTP 1.0 and HTTP 1.1`
			`+ clients. (markt)`
			`+ </fix>`
			`</changelog>`
			`</subsection>`
			`<subsection name="Web applications">`