tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 14129] New: - ArrayIndexOutOfBoundsException in RequestUtil.parseParameters()
Date Thu, 31 Oct 2002 14:53:20 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=14129>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=14129

ArrayIndexOutOfBoundsException in RequestUtil.parseParameters()

           Summary: ArrayIndexOutOfBoundsException in
                    RequestUtil.parseParameters()
           Product: Tomcat 4
           Version: 4.0.4 Final
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Major
          Priority: Other
         Component: Catalina
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: Stefan.Kuehnel@frontis.com


RequestUtil.parseParameters() doesn't check for incomplete encoded characters 
at the end of query parameters. An URL of the form

  http://localhost:8080/context/page.jsp?param=abc%4

will result in an ArrayIndexOutOfBoundsException.

The offending method is below with the place that causes the bug hilighted:

   public static void parseParameters(Map map, byte[] data, String encoding)
        throws UnsupportedEncodingException {

        if (data != null && data.length > 0) {
            int    pos = 0;
            int    ix = 0;
            int    ox = 0;
            String key = null;
            String value = null;
            while (ix < data.length) {
                byte c = data[ix++];
                switch ((char) c) {
                case '&':
                    value = new String(data, 0, ox, encoding);
                    if (key != null) {
                        putMapEntry(map, key, value);
                        key = null;
                    }
                    ox = 0;
                    break;
                case '=':
                    key = new String(data, 0, ox, encoding);
                    ox = 0;
                    break;
                case '+':
                    data[ox++] = (byte)' ';
                    break;
                case '%':
                    // ***************************************************
                    // ix+2<len needs to be checked here!
                    // ***************************************************
                    data[ox++] = (byte)((convertHexDigit(data[ix++]) << 4)
                                    + convertHexDigit(data[ix++]));
                    break;
                default:
                    data[ox++] = c;
                }
            }
            //The last value does not end in '&'.  So save it now.
            if (key != null) {
                value = new String(data, 0, ox, encoding);
                putMapEntry(map, key, value);
            }
        }

    }

Below is a complete stack trace:

java.lang.ArrayIndexOutOfBoundsException: 246
	at org.apache.catalina.util.RequestUtil.parseParameters
(RequestUtil.java:517)
	at org.apache.catalina.util.RequestUtil.parseParameters
(RequestUtil.java:337)
	at org.apache.catalina.connector.HttpRequestBase.parseParameters
(HttpRequestBase.java:625)
	at org.apache.catalina.connector.HttpRequestBase.getParameterNames
(HttpRequestBase.java:723)
	at org.apache.catalina.connector.RequestFacade.getParameterNames
(RequestFacade.java:165)
	at org.apache.struts.util.RequestUtils.populate(RequestUtils.java:950)
	at org.apache.struts.action.RequestProcessor.processPopulate
(RequestProcessor.java:779)
	at org.apache.struts.action.RequestProcessor.process
(RequestProcessor.java:246)
	at org.apache.struts.action.ActionServlet.process
(ActionServlet.java:1292)
	at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:492)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter
(ApplicationFilterChain.java:247)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter
(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.StandardWrapperValve.invoke
(StandardWrapperValve.java:243)
	at org.apache.catalina.core.StandardPipeline.invokeNext
(StandardPipeline.java:566)
	at org.apache.catalina.core.StandardPipeline.invoke
(StandardPipeline.java:472)
	at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
	at org.apache.catalina.core.StandardContextValve.invoke
(StandardContextValve.java:190)
	at org.apache.catalina.core.StandardPipeline.invokeNext
(StandardPipeline.java:566)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke
(AuthenticatorBase.java:531)
	at org.apache.catalina.core.StandardPipeline.invokeNext
(StandardPipeline.java:564)
	at org.apache.catalina.valves.CertificatesValve.invoke
(CertificatesValve.java:246)
	at org.apache.catalina.core.StandardPipeline.invokeNext
(StandardPipeline.java:564)
	at org.apache.catalina.core.StandardPipeline.invoke
(StandardPipeline.java:472)
	at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
	at org.apache.catalina.core.StandardContext.invoke
(StandardContext.java:2347)
	at org.apache.catalina.core.StandardHostValve.invoke
(StandardHostValve.java:180)
	at org.apache.catalina.core.StandardPipeline.invokeNext
(StandardPipeline.java:566)
	at org.apache.catalina.valves.ErrorDispatcherValve.invoke
(ErrorDispatcherValve.java:170)
	at org.apache.catalina.core.StandardPipeline.invokeNext
(StandardPipeline.java:564)
	at org.apache.catalina.valves.ErrorReportValve.invoke
(ErrorReportValve.java:170)
	at org.apache.catalina.core.StandardPipeline.invokeNext
(StandardPipeline.java:564)
	at org.apache.catalina.valves.AccessLogValve.invoke
(AccessLogValve.java:468)
	at org.apache.catalina.core.StandardPipeline.invokeNext
(StandardPipeline.java:564)
	at org.apache.catalina.core.StandardPipeline.invoke
(StandardPipeline.java:472)
	at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
	at org.apache.catalina.core.StandardEngineValve.invoke
(StandardEngineValve.java:174)
	at org.apache.catalina.core.StandardPipeline.invokeNext
(StandardPipeline.java:566)
	at org.apache.catalina.core.StandardPipeline.invoke
(StandardPipeline.java:472)
	at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
	at org.apache.catalina.connector.http.HttpProcessor.process
(HttpProcessor.java:1027)
	at org.apache.catalina.connector.http.HttpProcessor.run
(HttpProcessor.java:1125)
	at java.lang.Thread.run(Thread.java:536)

--
To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>


Mime
View raw message