Projects
Mega:24.03:SP1:Everything
jetty
_service:tar_scm:CVE-2023-40167.patch
Sign Up
Log In
Username
Password
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File _service:tar_scm:CVE-2023-40167.patch of Package jetty
From: Markus Koschany <apo@debian.org> Date: Tue, 26 Sep 2023 21:06:42 +0200 Subject: CVE-2023-40167 Origin: https://github.com/eclipse/jetty.project/commit/e4d596eafc887bcd813ae6e28295b5ce327def47 --- .../java/org/eclipse/jetty/http/HttpParser.java | 47 +++++++------- .../org/eclipse/jetty/http/HttpParserTest.java | 71 +++++----------------- 2 files changed, 38 insertions(+), 80 deletions(-) diff --git a/jetty-http/src/main/java/org/eclipse/jetty/http/HttpParser.java b/jetty-http/src/main/java/org/eclipse/jetty/http/HttpParser.java index 2abc4b6..c045498 100644 --- a/jetty-http/src/main/java/org/eclipse/jetty/http/HttpParser.java +++ b/jetty-http/src/main/java/org/eclipse/jetty/http/HttpParser.java @@ -501,7 +501,7 @@ public class HttpParser /* Quick lookahead for the start state looking for a request method or a HTTP version, * otherwise skip white space until something else to parse. */ - private boolean quickStart(ByteBuffer buffer) + private void quickStart(ByteBuffer buffer) { if (_requestHandler!=null) { @@ -512,7 +512,7 @@ public class HttpParser buffer.position(buffer.position()+_methodString.length()+1); setState(State.SPACE1); - return false; + return; } } else if (_responseHandler!=null) @@ -522,7 +522,7 @@ public class HttpParser { buffer.position(buffer.position()+_version.asString().length()+1); setState(State.SPACE1); - return false; + return; } } @@ -543,7 +543,7 @@ public class HttpParser _string.setLength(0); _string.append(t.getChar()); setState(_requestHandler!=null?State.METHOD:State.RESPONSE_VERSION); - return false; + return; } case OTEXT: case SPACE: @@ -561,7 +561,6 @@ public class HttpParser throw new BadMessageException(HttpStatus.BAD_REQUEST_400); } } - return false; } /* ------------------------------------------------------------------------------- */ @@ -979,12 +978,13 @@ public class HttpParser switch (_header) { case CONTENT_LENGTH: + long contentLength = convertContentLength(_valueString); if (_hasContentLength) { if(complianceViolation(MULTIPLE_CONTENT_LENGTHS)) throw new BadMessageException(HttpStatus.BAD_REQUEST_400,MULTIPLE_CONTENT_LENGTHS.description); - if (convertContentLength(_valueString)!=_contentLength) - throw new BadMessageException(HttpStatus.BAD_REQUEST_400,MULTIPLE_CONTENT_LENGTHS.description); + if (contentLength != _contentLength) + throw new BadMessageException(HttpStatus.BAD_REQUEST_400, MULTIPLE_CONTENT_LENGTHS.getDescription()); } _hasContentLength = true; @@ -993,11 +993,8 @@ public class HttpParser if (_endOfContent != EndOfContent.CHUNKED_CONTENT) { - _contentLength=convertContentLength(_valueString); - if (_contentLength <= 0) - _endOfContent=EndOfContent.NO_CONTENT; - else - _endOfContent=EndOfContent.CONTENT_LENGTH; + _contentLength = contentLength; + _endOfContent = EndOfContent.CONTENT_LENGTH; } break; @@ -1085,15 +1082,21 @@ public class HttpParser private long convertContentLength(String valueString) { - try - { - return Long.parseLong(valueString); - } - catch(NumberFormatException e) + if (valueString == null || valueString.length() == 0) + throw new BadMessageException("Invalid Content-Length Value", new NumberFormatException()); + + long value = 0; + int length = valueString.length(); + + for (int i = 0; i < length; i++) { - LOG.ignore(e); - throw new BadMessageException(HttpStatus.BAD_REQUEST_400,"Invalid Content-Length Value",e); + char c = valueString.charAt(i); + if (c < '0' || c > '9') + throw new BadMessageException("Invalid Content-Length Value", new NumberFormatException()); + + value = Math.addExact(Math.multiplyExact(value, 10L), c - '0'); } + return value; } /* ------------------------------------------------------------------------------- */ @@ -1485,12 +1488,11 @@ public class HttpParser _methodString=null; _endOfContent=EndOfContent.UNKNOWN_CONTENT; _header=null; - if (quickStart(buffer)) - return true; + quickStart(buffer); } // Request/response line - if (_state.ordinal()>= State.START.ordinal() && _state.ordinal()<State.HEADER.ordinal()) + if (_state.ordinal() < State.HEADER.ordinal()) { if (parseLine(buffer)) return true; @@ -1994,7 +1996,6 @@ public class HttpParser } /* ------------------------------------------------------------------------------- */ - @SuppressWarnings("serial") private static class IllegalCharacterException extends BadMessageException { private IllegalCharacterException(State state,HttpTokens.Token token,ByteBuffer buffer) diff --git a/jetty-http/src/test/java/org/eclipse/jetty/http/HttpParserTest.java b/jetty-http/src/test/java/org/eclipse/jetty/http/HttpParserTest.java index dc340c1..c1d59cd 100644 --- a/jetty-http/src/test/java/org/eclipse/jetty/http/HttpParserTest.java +++ b/jetty-http/src/test/java/org/eclipse/jetty/http/HttpParserTest.java @@ -23,6 +23,7 @@ import static org.hamcrest.MatcherAssert.assertThat; import static org.hamcrest.Matchers.contains; import static org.hamcrest.Matchers.containsString; import static org.hamcrest.Matchers.is; +import static org.hamcrest.Matchers.notNullValue; import static org.hamcrest.Matchers.nullValue; import static org.junit.jupiter.api.Assertions.assertEquals; import static org.junit.jupiter.api.Assertions.assertFalse; @@ -1653,7 +1654,7 @@ public class HttpParserTest } @Test - public void testUnknownReponseVersion() throws Exception + public void testUnknownResponseVersion() { ByteBuffer buffer = BufferUtil.toBuffer( "HPPT/7.7 200 OK\r\n" @@ -1797,65 +1798,21 @@ public class HttpParserTest assertEquals(HttpParser.State.CLOSED, parser.getState()); } - @Test - public void testBadContentLength0() throws Exception - { - ByteBuffer buffer = BufferUtil.toBuffer( - "GET / HTTP/1.0\r\n" - + "Content-Length: abc\r\n" - + "Connection: close\r\n" - + "\r\n"); - - HttpParser.RequestHandler handler = new Handler(); - HttpParser parser = new HttpParser(handler); - - parser.parseNext(buffer); - assertEquals("GET", _methodOrVersion); - assertEquals("Invalid Content-Length Value", _bad); - assertFalse(buffer.hasRemaining()); - assertEquals(HttpParser.State.CLOSE, parser.getState()); - parser.atEOF(); - parser.parseNext(BufferUtil.EMPTY_BUFFER); - assertEquals(HttpParser.State.CLOSED, parser.getState()); - } - - @Test - public void testBadContentLength1() throws Exception - { - ByteBuffer buffer = BufferUtil.toBuffer( - "GET / HTTP/1.0\r\n" - + "Content-Length: 9999999999999999999999999999999999999999999999\r\n" - + "Connection: close\r\n" - + "\r\n"); - - HttpParser.RequestHandler handler = new Handler(); - HttpParser parser = new HttpParser(handler); - - parser.parseNext(buffer); - assertEquals("GET", _methodOrVersion); - assertEquals("Invalid Content-Length Value", _bad); - assertFalse(buffer.hasRemaining()); - assertEquals(HttpParser.State.CLOSE, parser.getState()); - parser.atEOF(); - parser.parseNext(BufferUtil.EMPTY_BUFFER); - assertEquals(HttpParser.State.CLOSED, parser.getState()); - } - @Test - public void testBadContentLength2() throws Exception + public void testBadContentLengths(String contentLength) { ByteBuffer buffer = BufferUtil.toBuffer( - "GET / HTTP/1.0\r\n" - + "Content-Length: 1.5\r\n" - + "Connection: close\r\n" - + "\r\n"); + "GET /test HTTP/1.1\r\n" + + "Host: localhost\r\n" + + "Content-Length: " + contentLength + "\r\n" + + "\r\n" + + "1234567890\r\n"); HttpParser.RequestHandler handler = new Handler(); - HttpParser parser = new HttpParser(handler); + HttpParser parser = new HttpParser(handler, HttpCompliance.RFC2616_LEGACY); + parseAll(parser, buffer); - parser.parseNext(buffer); - assertEquals("GET", _methodOrVersion); - assertEquals("Invalid Content-Length Value", _bad); + assertThat(_bad, notNullValue()); assertFalse(buffer.hasRemaining()); assertEquals(HttpParser.State.CLOSE, parser.getState()); parser.atEOF(); @@ -2066,7 +2023,7 @@ public class HttpParserTest @Test public void testBadIPv6Host() throws Exception { - try(StacklessLogging s = new StacklessLogging(HttpParser.class)) + try (StacklessLogging ignored = new StacklessLogging(HttpParser.class)) { ByteBuffer buffer = BufferUtil.toBuffer( "GET / HTTP/1.1\r\n" @@ -2254,8 +2211,8 @@ public class HttpParserTest private String _methodOrVersion; private String _uriOrStatus; private String _versionOrReason; - private List<HttpField> _fields = new ArrayList<>(); - private List<HttpField> _trailers = new ArrayList<>(); + private final List<HttpField> _fields = new ArrayList<>(); + private final List<HttpField> _trailers = new ArrayList<>(); private String[] _hdr; private String[] _val; private int _headers;
Locations
Projects
Search
Status Monitor
Help
Open Build Service
OBS Manuals
API Documentation
OBS Portal
Reporting a Bug
Contact
Mailing List
Forums
Chat (IRC)
Twitter
Open Build Service (OBS)
is an
openSUSE project
.
浙ICP备2022010568号-2