File tomcat-8.0.53-CVE-2023-24998.patch of Package tomcat.37363
From cf77cc545de0488fb89e24294151504a7432df74 Mon Sep 17 00:00:00 2001
From: Mark Thomas <markt@apache.org>
Date: Tue, 13 Dec 2022 17:55:34 +0000
Subject: [PATCH] Update packaged renamed fork of Commons File Upload
---
MERGE.txt | 2 +-
.../apache/catalina/connector/Request.java | 10 +++-
.../apache/tomcat/util/http/Parameters.java | 5 ++
.../util/http/fileupload/FileUploadBase.java | 29 +++++++++++
.../impl/FileCountLimitExceededException.java | 50 +++++++++++++++++++
webapps/docs/changelog.xml | 8 +++
webapps/docs/config/ajp.xml | 15 +++---
webapps/docs/config/http.xml | 15 +++---
8 files changed, 120 insertions(+), 14 deletions(-)
create mode 100644 java/org/apache/tomcat/util/http/fileupload/impl/FileCountLimitExceededException.java
Index: apache-tomcat-8.0.53-src/MERGE.txt
===================================================================
--- apache-tomcat-8.0.53-src.orig/MERGE.txt
+++ apache-tomcat-8.0.53-src/MERGE.txt
@@ -57,7 +57,7 @@ FileUpload
Sub-tree:
src/main/java/org/apache/commons/fileupload
The SHA1 ID for the most recent commit to be merged to Tomcat is:
-6c00d575a9521c386743891fd34bc5181174cc01
+34eb241c051b02eca3b0b1b04f67b3b4e6c3a24d
Note: Tomcat's copy of fileupload also includes classes copied manually (rather
than svn copied) from Commons IO.
Index: apache-tomcat-8.0.53-src/java/org/apache/catalina/connector/Request.java
===================================================================
--- apache-tomcat-8.0.53-src.orig/java/org/apache/catalina/connector/Request.java
+++ apache-tomcat-8.0.53-src/java/org/apache/catalina/connector/Request.java
@@ -2770,8 +2770,9 @@ public class Request
}
}
+ int maxParameterCount = getConnector().getMaxParameterCount();
Parameters parameters = coyoteRequest.getParameters();
- parameters.setLimit(getConnector().getMaxParameterCount());
+ parameters.setLimit(maxParameterCount);
boolean success = false;
try {
@@ -2815,6 +2816,13 @@ public class Request
upload.setFileItemFactory(factory);
upload.setFileSizeMax(mce.getMaxFileSize());
upload.setSizeMax(mce.getMaxRequestSize());
+ if (maxParameterCount > -1) {
+ // There is a limit. The limit for parts needs to be reduced by
+ // the number of parameters we have already parsed.
+ // Must be under the limit else parsing parameters would have
+ // triggered an exception.
+ upload.setFileCountMax(maxParameterCount - parameters.size());
+ }
parts = new ArrayList<>();
try {
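Review bot: The subtraction `maxParameterCount - parameters.size()` is handed to `setFileCountMax` with no lower bound, while the guard this patch adds in `FileUploadBase` fires only on `items.size() == fileCountMax` and documents -1 as "no maximum". If `parameters.size()` can ever exceed `maxParameterCount` at this point, the result is negative and the part limit is silently switched off, which is the resource-exhaustion case the patch is meant to close. The comment asserts this cannot happen, but the counting logic in `Parameters` is outside this hunk. Clamping makes the call safe regardless: `upload.setFileCountMax(Math.max(0, maxParameterCount - parameters.size()));`. The enclosing method starts and ends outside the hunk.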
Index: apache-tomcat-8.0.53-src/java/org/apache/tomcat/util/http/Parameters.java
===================================================================
--- apache-tomcat-8.0.53-src.orig/java/org/apache/tomcat/util/http/Parameters.java
+++ apache-tomcat-8.0.53-src/java/org/apache/tomcat/util/http/Parameters.java
@@ -118,6 +118,11 @@ public final class Parameters {
}
+ public int size() {
+ return parameterCount;
+ }
+
+
public void recycle() {
parameterCount = 0;
paramHashValues.clear();
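Review bot: The new public `size()` has no Javadoc, and its one caller in this patch uses it to work out how many multipart parts are still allowed, so the exact meaning of the count matters. From the hunk it returns `parameterCount`, which `recycle()` resets to 0. Whether that counter also includes a parameter rejected for exceeding the limit is not visible here and should be stated. Suggested comment: `/** Returns the number of parameters counted so far for this request; reset by recycle(). */`, extended with the over-limit behaviour once confirmed.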
Index: apache-tomcat-8.0.53-src/java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java
===================================================================
--- apache-tomcat-8.0.53-src.orig/java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java
+++ apache-tomcat-8.0.53-src/java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java
@@ -26,6 +26,7 @@ import java.util.Locale;
import java.util.Map;
import java.util.NoSuchElementException;
+import org.apache.tomcat.util.http.fileupload.impl.FileCountLimitExceededException;
import org.apache.tomcat.util.http.fileupload.MultipartStream.ItemInputStream;
import org.apache.tomcat.util.http.fileupload.util.Closeable;
import org.apache.tomcat.util.http.fileupload.util.FileItemHeadersImpl;
@@ -126,6 +127,12 @@ public abstract class FileUploadBase {
*/
private long sizeMax = -1;
+ /**
+ * The maximum permitted number of files that may be uploaded in a single
+ * request. A value of -1 indicates no maximum.
+ */
+ private long fileCountMax = -1;
+
/**
* The maximum size permitted for a single uploaded file, as opposed
* to {@link #sizeMax}. A value of -1 indicates no maximum.
@@ -209,6 +216,24 @@ public abstract class FileUploadBase {
}
/**
+ * Returns the maximum number of files allowed in a single request.
+ *
+ * @return The maximum number of files allowed in a single request.
+ */
+ public long getFileCountMax() {
+ return fileCountMax;
+ }
+
+ /**
+ * Sets the maximum number of files allowed per request/
+ *
+ * @param fileCountMax The new limit. {@code -1} means no limit.
+ */
+ public void setFileCountMax(long fileCountMax) {
+ this.fileCountMax = fileCountMax;
+ }
+
+ /**
* Retrieves the character encoding used when reading the headers of an
* individual part. When not specified, or <code>null</code>, the request
* encoding is used. If that is also not specified, or <code>null</code>,
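Review bot: The Javadoc on `setFileCountMax` ends with a stray `/` (`per request/`) and describes only `-1`, leaving `0` and other negative values unspecified. Because the parse loop later in this patch compares `items.size() == fileCountMax`, a value of 0 rejects the first part and any negative value never matches. I would document that explicitly, for example `@param fileCountMax The new limit; {@code 0} rejects every part, any negative value disables the limit.`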
@@ -283,6 +308,10 @@ public abstract class FileUploadBase {
throw new NullPointerException("No FileItemFactory has been set.");
}
while (iter.hasNext()) {
+ if (items.size() == fileCountMax) {
+ // The next item will exceed the limit.
+ throw new FileCountLimitExceededException(ATTACHMENT, getFileCountMax());
+ }
final FileItemStream item = iter.next();
// Don't use getName() here to prevent an InvalidFileNameException.
final String fileName = ((FileItemIteratorImpl.FileItemStreamImpl) item).name;
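Review bot: The guard `items.size() == fileCountMax` depends on exact equality, so it holds only while `items` grows by one per iteration and the limit is non-negative; `if (fileCountMax > -1 && items.size() >= fileCountMax)` states the intent and cannot be stepped over. The exception is also constructed with `ATTACHMENT` as its first argument, which the constructor documents as the detail message. `ATTACHMENT` is defined outside this hunk, but its name suggests it does not describe the failure, so logs would not say that the part count was exceeded. A literal message that includes the limit would help operators recognise oversized multipart requests. The loop and the enclosing method continue outside the hunk.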
Index: apache-tomcat-8.0.53-src/java/org/apache/tomcat/util/http/fileupload/impl/FileCountLimitExceededException.java
===================================================================
--- /dev/null
+++ apache-tomcat-8.0.53-src/java/org/apache/tomcat/util/http/fileupload/impl/FileCountLimitExceededException.java
@@ -0,0 +1,50 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.tomcat.util.http.fileupload.impl;
+
+import org.apache.tomcat.util.http.fileupload.FileUploadException;
+
+/**
+ * This exception is thrown if a request contains more files than the specified
+ * limit.
+ */
+public class FileCountLimitExceededException extends FileUploadException {
+
+ private static final long serialVersionUID = 2408766352570556046L;
+
+ private final long limit;
+
+ /**
+ * Creates a new instance.
+ *
+ * @param message The detail message
+ * @param limit The limit that was exceeded
+ */
+ public FileCountLimitExceededException(final String message, final long limit) {
+ super(message);
+ this.limit = limit;
+ }
+
+ /**
+ * Retrieves the limit that was exceeded.
+ *
+ * @return The limit that was exceeded by the request
+ */
+ public long getLimit() {
+ return limit;
+ }
+}
Index: apache-tomcat-8.0.53-src/webapps/docs/changelog.xml
===================================================================
--- apache-tomcat-8.0.53-src.orig/webapps/docs/changelog.xml
+++ apache-tomcat-8.0.53-src/webapps/docs/changelog.xml
@@ -301,6 +301,14 @@
</scode>
</changelog>
</subsection>
+ <subsection name="Other">
+ <changelog>
+ <update>
+ Update the internal fork of Apache Commons FileUpload to 34eb241
+ (2023-01-03, 2.0-SNAPSHOT). (markt)
+ </update>
+ </changelog>
+ </subsection>
</section>
<section name="Tomcat 8.0.52 (violetagg)" rtext="2018-05-08">
<subsection name="Catalina">
Index: apache-tomcat-8.0.53-src/webapps/docs/config/ajp.xml
===================================================================
--- apache-tomcat-8.0.53-src.orig/webapps/docs/config/ajp.xml
+++ apache-tomcat-8.0.53-src/webapps/docs/config/ajp.xml
@@ -114,12 +114,15 @@
</attribute>
<attribute name="maxParameterCount" required="false">
- <p>The maximum number of parameter and value pairs (GET plus POST) which
- will be automatically parsed by the container. Parameter and value pairs
- beyond this limit will be ignored. A value of less than 0 means no limit.
- If not specified, a default of 10000 is used. Note that
- <code>FailedRequestFilter</code> <a href="filter.html">filter</a> can be
- used to reject requests that hit the limit.</p>
+ <p>The maximum total number of request parameters (including uploaded
+ files) obtained from the query string and, for POST requests, the request
+ body if the content type is
+ <code>application/x-www-form-urlencoded</code> or
+ <code>multipart/form-data</code>. Request parameters beyond this limit
+ will be ignored. A value of less than 0 means no limit. If not specified,
+ a default of 10000 is used. Note that <code>FailedRequestFilter</code>
+ <a href="filter.html">filter</a> can be used to reject requests that
+ exceed the limit.</p>
</attribute>
<attribute name="maxPostSize" required="false">
Index: apache-tomcat-8.0.53-src/webapps/docs/config/http.xml
===================================================================
--- apache-tomcat-8.0.53-src.orig/webapps/docs/config/http.xml
+++ apache-tomcat-8.0.53-src/webapps/docs/config/http.xml
@@ -102,12 +102,15 @@
</attribute>
<attribute name="maxParameterCount" required="false">
- <p>The maximum number of parameter and value pairs (GET plus POST) which
- will be automatically parsed by the container. Parameter and value pairs
- beyond this limit will be ignored. A value of less than 0 means no limit.
- If not specified, a default of 10000 is used. Note that
- <code>FailedRequestFilter</code> <a href="filter.html">filter</a> can be
- used to reject requests that hit the limit.</p>
+ <p>The maximum total number of request parameters (including uploaded
+ files) obtained from the query string and, for POST requests, the request
+ body if the content type is
+ <code>application/x-www-form-urlencoded</code> or
+ <code>multipart/form-data</code>. Request parameters beyond this limit
+ will be ignored. A value of less than 0 means no limit. If not specified,
+ a default of 10000 is used. Note that <code>FailedRequestFilter</code>
+ <a href="filter.html">filter</a> can be used to reject requests that
+ exceed the limit.</p>
</attribute>
<attribute name="maxPostSize" required="false">