eb7ec9843b
- Fixed CVEs: * CVE-2021-30640: Escape parameters in JNDI Realm queries (bsc#1188279) * CVE-2021-33037: Process T-E header from both HTTP 1.0 and HTTP 1.1. clients (bsc#1188278) * CVE-2021-41079: Validate incoming TLS packet (bsc#1190558) - Added patches: * tomcat-9.0-CVE-2021-30640.patch * tomcat-9.0-CVE-2021-33037.patch * tomcat-9.0-CVE-2021-41079.patch OBS-URL: https://build.opensuse.org/request/show/928113 OBS-URL: https://build.opensuse.org/package/show/Java:packages/tomcat?expand=0&rev=229
196 lines
7.0 KiB
Diff
196 lines
7.0 KiB
Diff
Index: apache-tomcat-9.0.43-src/java/org/apache/coyote/http11/Http11Processor.java
|
|
===================================================================
|
|
--- apache-tomcat-9.0.43-src.orig/java/org/apache/coyote/http11/Http11Processor.java
|
|
+++ apache-tomcat-9.0.43-src/java/org/apache/coyote/http11/Http11Processor.java
|
|
@@ -212,11 +212,8 @@ public class Http11Processor extends Abs
|
|
|
|
// Parsing trims and converts to lower case.
|
|
|
|
- if (encodingName.equals("identity")) {
|
|
- // Skip
|
|
- } else if (encodingName.equals("chunked")) {
|
|
- inputBuffer.addActiveFilter
|
|
- (inputFilters[Constants.CHUNKED_FILTER]);
|
|
+ if (encodingName.equals("chunked")) {
|
|
+ inputBuffer.addActiveFilter(inputFilters[Constants.CHUNKED_FILTER]);
|
|
contentDelimitation = true;
|
|
} else {
|
|
for (int i = pluggableFilterIndex; i < inputFilters.length; i++) {
|
|
@@ -753,13 +750,14 @@ public class Http11Processor extends Abs
|
|
InputFilter[] inputFilters = inputBuffer.getFilters();
|
|
|
|
// Parse transfer-encoding header
|
|
- if (http11) {
|
|
+ // HTTP specs say an HTTP 1.1 server should accept any recognised
|
|
+ // HTTP 1.x header from a 1.x client unless the specs says otherwise.
|
|
+ if (!http09) {
|
|
MessageBytes transferEncodingValueMB = headers.getValue("transfer-encoding");
|
|
if (transferEncodingValueMB != null) {
|
|
List<String> encodingNames = new ArrayList<>();
|
|
if (TokenList.parseTokenList(headers.values("transfer-encoding"), encodingNames)) {
|
|
for (String encodingName : encodingNames) {
|
|
- // "identity" codings are ignored
|
|
addInputFilter(inputFilters, encodingName);
|
|
}
|
|
} else {
|
|
Index: apache-tomcat-9.0.43-src/test/org/apache/coyote/http11/TestHttp11Processor.java
|
|
===================================================================
|
|
--- apache-tomcat-9.0.43-src.orig/test/org/apache/coyote/http11/TestHttp11Processor.java
|
|
+++ apache-tomcat-9.0.43-src/test/org/apache/coyote/http11/TestHttp11Processor.java
|
|
@@ -254,31 +254,6 @@ public class TestHttp11Processor extends
|
|
|
|
|
|
@Test
|
|
- public void testWithTEIdentity() throws Exception {
|
|
- getTomcatInstanceTestWebapp(false, true);
|
|
-
|
|
- String request =
|
|
- "POST /test/echo-params.jsp HTTP/1.1" + SimpleHttpClient.CRLF +
|
|
- "Host: any" + SimpleHttpClient.CRLF +
|
|
- "Transfer-encoding: identity" + SimpleHttpClient.CRLF +
|
|
- "Content-Length: 9" + SimpleHttpClient.CRLF +
|
|
- "Content-Type: application/x-www-form-urlencoded" +
|
|
- SimpleHttpClient.CRLF +
|
|
- "Connection: close" + SimpleHttpClient.CRLF +
|
|
- SimpleHttpClient.CRLF +
|
|
- "test=data";
|
|
-
|
|
- Client client = new Client(getPort());
|
|
- client.setRequest(new String[] {request});
|
|
-
|
|
- client.connect();
|
|
- client.processRequest();
|
|
- Assert.assertTrue(client.isResponse200());
|
|
- Assert.assertTrue(client.getResponseBody().contains("test - data"));
|
|
- }
|
|
-
|
|
-
|
|
- @Test
|
|
public void testWithTESavedRequest() throws Exception {
|
|
getTomcatInstanceTestWebapp(false, true);
|
|
|
|
@@ -1859,4 +1834,102 @@ public class TestHttp11Processor extends
|
|
// NO-OP
|
|
}
|
|
}
|
|
+
|
|
+
|
|
+ @Test
|
|
+ public void testTEHeaderUnknown01() throws Exception {
|
|
+ doTestTEHeaderUnknown("identity");
|
|
+ }
|
|
+
|
|
+
|
|
+ @Test
|
|
+ public void testTEHeaderUnknown02() throws Exception {
|
|
+ doTestTEHeaderUnknown("identity, chunked");
|
|
+ }
|
|
+
|
|
+
|
|
+ @Test
|
|
+ public void testTEHeaderUnknown03() throws Exception {
|
|
+ doTestTEHeaderUnknown("unknown, chunked");
|
|
+ }
|
|
+
|
|
+
|
|
+ @Test
|
|
+ public void testTEHeaderUnknown04() throws Exception {
|
|
+ doTestTEHeaderUnknown("void");
|
|
+ }
|
|
+
|
|
+
|
|
+ @Test
|
|
+ public void testTEHeaderUnknown05() throws Exception {
|
|
+ doTestTEHeaderUnknown("void, chunked");
|
|
+ }
|
|
+
|
|
+
|
|
+ @Test
|
|
+ public void testTEHeaderUnknown06() throws Exception {
|
|
+ doTestTEHeaderUnknown("void, identity");
|
|
+ }
|
|
+
|
|
+
|
|
+ @Test
|
|
+ public void testTEHeaderUnknown07() throws Exception {
|
|
+ doTestTEHeaderUnknown("identity, void");
|
|
+ }
|
|
+
|
|
+
|
|
+ private void doTestTEHeaderUnknown(String headerValue) throws Exception {
|
|
+ Tomcat tomcat = getTomcatInstance();
|
|
+
|
|
+ // No file system docBase required
|
|
+ Context ctx = tomcat.addContext("", null);
|
|
+
|
|
+ // Add servlet
|
|
+ Tomcat.addServlet(ctx, "TesterServlet", new TesterServlet(false));
|
|
+ ctx.addServletMappingDecoded("/foo", "TesterServlet");
|
|
+
|
|
+ tomcat.start();
|
|
+
|
|
+ String request =
|
|
+ "GET /foo HTTP/1.1" + SimpleHttpClient.CRLF +
|
|
+ "Host: localhost:" + getPort() + SimpleHttpClient.CRLF +
|
|
+ "Transfer-Encoding: " + headerValue + SimpleHttpClient.CRLF +
|
|
+ SimpleHttpClient.CRLF;
|
|
+
|
|
+ Client client = new Client(tomcat.getConnector().getLocalPort());
|
|
+ client.setRequest(new String[] {request});
|
|
+
|
|
+ client.connect();
|
|
+ client.processRequest(false);
|
|
+
|
|
+ Assert.assertTrue(client.isResponse501());
|
|
+ }
|
|
+
|
|
+
|
|
+ @Test
|
|
+ public void testWithTEChunkedHttp10() throws Exception {
|
|
+
|
|
+ getTomcatInstanceTestWebapp(false, true);
|
|
+
|
|
+ String request =
|
|
+ "POST /test/echo-params.jsp HTTP/1.0" + SimpleHttpClient.CRLF +
|
|
+ "Host: any" + SimpleHttpClient.CRLF +
|
|
+ "Transfer-encoding: chunked" + SimpleHttpClient.CRLF +
|
|
+ "Content-Type: application/x-www-form-urlencoded" +
|
|
+ SimpleHttpClient.CRLF +
|
|
+ "Connection: close" + SimpleHttpClient.CRLF +
|
|
+ SimpleHttpClient.CRLF +
|
|
+ "9" + SimpleHttpClient.CRLF +
|
|
+ "test=data" + SimpleHttpClient.CRLF +
|
|
+ "0" + SimpleHttpClient.CRLF +
|
|
+ SimpleHttpClient.CRLF;
|
|
+
|
|
+ Client client = new Client(getPort());
|
|
+ client.setRequest(new String[] {request});
|
|
+
|
|
+ client.connect();
|
|
+ client.processRequest();
|
|
+ Assert.assertTrue(client.isResponse200());
|
|
+ Assert.assertTrue(client.getResponseBody().contains("test - data"));
|
|
+ }
|
|
}
|
|
Index: apache-tomcat-9.0.43-src/webapps/docs/changelog.xml
|
|
===================================================================
|
|
--- apache-tomcat-9.0.43-src.orig/webapps/docs/changelog.xml
|
|
+++ apache-tomcat-9.0.43-src/webapps/docs/changelog.xml
|
|
@@ -347,6 +347,16 @@
|
|
connections are attempted and fail. Patch provided by Maurizio Adami.
|
|
(markt)
|
|
</fix>
|
|
+ <fix>
|
|
+ Remove support for the <code>identity</code> transfer encoding. The
|
|
+ inclusion of this encoding in RFC 2616 was an error that was corrected
|
|
+ in 2001. Requests using this transfer encoding will now receive a 501
|
|
+ response. (markt)
|
|
+ </fix>
|
|
+ <fix>
|
|
+ Process transfer encoding headers from both HTTP 1.0 and HTTP 1.1
|
|
+ clients. (markt)
|
|
+ </fix>
|
|
</changelog>
|
|
</subsection>
|
|
<subsection name="Web applications">
|