tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ma...@apache.org
Subject svn commit: r535543 - in /tomcat: connectors/trunk/jk/java/org/apache/ajp/RequestHandler.java container/branches/tc4.1.x/RELEASE-NOTES-4.1.txt
Date Sat, 05 May 2007 16:15:51 GMT
Author: markt
Date: Sat May  5 09:15:50 2007
New Revision: 535543

URL: http://svn.apache.org/viewvc?view=rev&rev=535543
Log:
Fix CVE-2005-3164

Modified:
    tomcat/connectors/trunk/jk/java/org/apache/ajp/RequestHandler.java
    tomcat/container/branches/tc4.1.x/RELEASE-NOTES-4.1.txt

Modified: tomcat/connectors/trunk/jk/java/org/apache/ajp/RequestHandler.java
URL: http://svn.apache.org/viewvc/tomcat/connectors/trunk/jk/java/org/apache/ajp/RequestHandler.java?view=diff&rev=535543&r1=535542&r2=535543
==============================================================================
--- tomcat/connectors/trunk/jk/java/org/apache/ajp/RequestHandler.java (original)
+++ tomcat/connectors/trunk/jk/java/org/apache/ajp/RequestHandler.java Sat May  5 09:15:50
2007
@@ -428,20 +428,25 @@
         // set cookies on request now that we have all headers
         req.cookies().setHeaders(req.headers());
 
-	// Check to see if there should be a body packet coming along
-	// immediately after
-    	if(req.getContentLength() > 0) {
+        // Check to see if there should be a body packet coming along
+        // immediately after
+        if(req.getContentLength() > 0) {
 
-	    /* Read present data */
-	    int err = ch.receive(ch.inBuf);
-            if(err < 0) {
-            	return 500;
-	    }
-	    
-	    ch.blen = ch.inBuf.peekInt();
-	    ch.pos = 0;
-	    ch.inBuf.getBytes(ch.bodyBuff);
-    	}
+            /* Read present data */
+            int bytesRead = ch.receive(ch.inBuf);
+            if(bytesRead < 0) {
+                return 500;
+            }
+
+            // First two bytes are length, rest is real data
+            if (bytesRead < 2) {
+                ch.blen = 0;
+            } else {
+                ch.blen = bytesRead - 2;
+            }
+            ch.pos = 0;
+            ch.inBuf.getBytes(ch.bodyBuff);
+        }
     
         if (debug > 5) {
             log(req.toString());

Modified: tomcat/container/branches/tc4.1.x/RELEASE-NOTES-4.1.txt
URL: http://svn.apache.org/viewvc/tomcat/container/branches/tc4.1.x/RELEASE-NOTES-4.1.txt?view=diff&rev=535543&r1=535542&r2=535543
==============================================================================
--- tomcat/container/branches/tc4.1.x/RELEASE-NOTES-4.1.txt (original)
+++ tomcat/container/branches/tc4.1.x/RELEASE-NOTES-4.1.txt Sat May  5 09:15:50 2007
@@ -649,6 +649,11 @@
 [4.1.36] mx4j
          Update build process so correct mx4j jar is used
 
+[4.1.37] org.apache.ajp.tomcat4.Ajp13Connector
+         Fix CVE-2005-3164. In some circumstances a request may be processed
+         using the request body of a previous request.
+         Note this connector is deprecated.
+
 
 ------------------
 Catalina Bug Fixes:



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message