From 681a612e5b7b90c3870851713a6cb13451adf66c Mon Sep 17 00:00:00 2001 From: Jonathan Gallimore Date: Fri, 24 Feb 2023 13:45:29 +0000 Subject: [PATCH] Backport fix for CVE-2023-24998 --- build.properties.default | 24 +++++---- .../apache/catalina/connector/Request.java | 10 +++- .../apache/tomcat/util/http/Parameters.java | 5 ++ .../util/http/fileupload/FileUploadBase.java | 29 +++++++++++ .../impl/FileCountLimitExceededException.java | 50 +++++++++++++++++++ webapps/docs/config/ajp.xml | 15 +++--- webapps/docs/config/http.xml | 15 +++--- 7 files changed, 126 insertions(+), 22 deletions(-) create mode 100644 java/org/apache/tomcat/util/http/fileupload/impl/FileCountLimitExceededException.java diff --git a/build.properties.default b/build.properties.default index 7e1a7ebac6..8926333afe 100644 --- a/build.properties.default +++ b/build.properties.default @@ -70,16 +70,16 @@ compile.source=1.6 compile.target=1.6 compile.debug=true -base-apache.loc.1=http://www.apache.org/dist -base-apache.loc.2=http://archive.apache.org/dist +base-apache.loc.1=http://www.apache.org/dyn/closer.lua?action=download&filename= +base-apache.loc.2=https://archive.apache.org/dist base-commons.loc.1=${base-apache.loc.1}/commons base-commons.loc.2=${base-apache.loc.2}/commons base-tomcat.loc.1=${base-apache.loc.1}/tomcat base-tomcat.loc.2=${base-apache.loc.2}/tomcat -base-sf.loc=http://downloads.sourceforge.net +base-sf.loc=https://downloads.sourceforge.net # repo.maven.apache.org is the same as repo2.maven.org -base-maven.loc=http://repo.maven.apache.org/maven2 +base-maven.loc=https://repo.maven.apache.org/maven2 # Mirror, was used when there were problems with the main SF downloads site # base-sf.loc=http://sunet.dl.sourceforge.net @@ -139,17 +139,23 @@ jdt.release=R-4.4.2-201502041700 jdt.home=${base.path}/ecj-${jdt.version} jdt.jar=${jdt.home}/ecj-${jdt.version}.jar # The download will be moved to the archive area eventually. We are taking care of that in advance. -jdt.loc.1=http://archive.eclipse.org/eclipse/downloads/drops4/${jdt.release}/ecj-${jdt.version}.jar -jdt.loc.2=http://download.eclipse.org/eclipse/downloads/drops4/${jdt.release}/ecj-${jdt.version}.jar +jdt.loc.1=https://archive.eclipse.org/eclipse/downloads/drops4/${jdt.release}/ecj-${jdt.version}.jar +jdt.loc.2=https://download.eclipse.org/eclipse/downloads/drops4/${jdt.release}/ecj-${jdt.version}.jar # ----- Tomcat native library ----- -tomcat-native.version=1.1.33 +tomcat-native.version=1.2.24 +tomcat-native.src.checksum.enabled=true +tomcat-native.src.checksum.algorithm=SHA-512 +tomcat-native.src.checksum.value=5dae151a60f8bd5a9a29d63eca838c77174426025ee65a826f0698943494dd3656d50bcd417e220a926b9ce111ea167043d4b806264030e951873d06767b3d6f +tomcat-native.win.checksum.enabled=true +tomcat-native.win.checksum.algorithm=SHA-512 +tomcat-native.win.checksum.value=c2d581f1f602dce61abc36370ce485c805b90863301555fc3d44362b655f34f950d0096fad22895374086f33d4505792c27f83fe35d4aeb87a08215bea8ae74a tomcat-native.home=${base.path}/tomcat-native-${tomcat-native.version} tomcat-native.tar.gz=${tomcat-native.home}/tomcat-native.tar.gz tomcat-native.loc.1=${base-tomcat.loc.1}/tomcat-connectors/native/${tomcat-native.version}/source/tomcat-native-${tomcat-native.version}-src.tar.gz tomcat-native.loc.2=${base-tomcat.loc.2}/tomcat-connectors/native/${tomcat-native.version}/source/tomcat-native-${tomcat-native.version}-src.tar.gz -tomcat-native.win.1=${base-tomcat.loc.1}/tomcat-connectors/native/${tomcat-native.version}/binaries/tomcat-native-${tomcat-native.version}-win32-bin.zip -tomcat-native.win.2=${base-tomcat.loc.2}/tomcat-connectors/native/${tomcat-native.version}/binaries/tomcat-native-${tomcat-native.version}-win32-bin.zip +tomcat-native.win.1=${base-tomcat.loc.1}/tomcat-connectors/native/${tomcat-native.version}/binaries/tomcat-native-${tomcat-native.version}-openssl-1.1.1g-win32-bin.zip +tomcat-native.win.2=${base-tomcat.loc.2}/tomcat-connectors/native/${tomcat-native.version}/binaries/tomcat-native-${tomcat-native.version}-openssl-1.1.1g-win32-bin.zip # ----- Commons DBCP, version 1.1 or later ----- commons-dbcp.version=1.4 diff --git a/java/org/apache/catalina/connector/Request.java b/java/org/apache/catalina/connector/Request.java index dab124528e..9260363385 100644 --- a/java/org/apache/catalina/connector/Request.java +++ b/java/org/apache/catalina/connector/Request.java @@ -2793,8 +2793,9 @@ private void parseParts() { } } + int maxParameterCount = getConnector().getMaxParameterCount(); Parameters parameters = coyoteRequest.getParameters(); - parameters.setLimit(getConnector().getMaxParameterCount()); + parameters.setLimit(maxParameterCount); boolean success = false; try { @@ -2838,6 +2839,13 @@ private void parseParts() { upload.setFileItemFactory(factory); upload.setFileSizeMax(mce.getMaxFileSize()); upload.setSizeMax(mce.getMaxRequestSize()); + if (maxParameterCount > -1) { + // There is a limit. The limit for parts needs to be reduced by + // the number of parameters we have already parsed. + // Must be under the limit else parsing parameters would have + // triggered an exception. + upload.setFileCountMax(maxParameterCount - parameters.size()); + } parts = new ArrayList(); try { diff --git a/java/org/apache/tomcat/util/http/Parameters.java b/java/org/apache/tomcat/util/http/Parameters.java index c7cd7b4f57..6f3d07fd0a 100644 --- a/java/org/apache/tomcat/util/http/Parameters.java +++ b/java/org/apache/tomcat/util/http/Parameters.java @@ -119,6 +119,11 @@ public void setParseFailedReason(FailReason failReason) { } + public int size() { + return parameterCount; + } + + public void recycle() { parameterCount = 0; paramHashValues.clear(); diff --git a/java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java b/java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java index f1546000a1..f6b8571d24 100644 --- a/java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java +++ b/java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java @@ -26,6 +26,7 @@ import java.util.Map; import java.util.NoSuchElementException; +import org.apache.tomcat.util.http.fileupload.impl.FileCountLimitExceededException; import org.apache.tomcat.util.http.fileupload.MultipartStream.ItemInputStream; import org.apache.tomcat.util.http.fileupload.util.Closeable; import org.apache.tomcat.util.http.fileupload.util.FileItemHeadersImpl; @@ -134,6 +135,12 @@ public static final boolean isMultipartContent(RequestContext ctx) { * to {@link #sizeMax}. A value of -1 indicates no maximum. */ private long fileSizeMax = -1; + + /** + * The maximum permitted number of files that may be uploaded in a single + * request. A value of -1 indicates no maximum. + */ + private long fileCountMax = -1; /** * The content encoding to use when reading part headers. @@ -210,6 +217,24 @@ public long getFileSizeMax() { public void setFileSizeMax(long fileSizeMax) { this.fileSizeMax = fileSizeMax; } + + /** + * Returns the maximum number of files allowed in a single request. + * + * @return The maximum number of files allowed in a single request. + */ + public long getFileCountMax() { + return fileCountMax; + } + + /** + * Sets the maximum number of files allowed per request/ + * + * @param fileCountMax The new limit. {@code -1} means no limit. + */ + public void setFileCountMax(long fileCountMax) { + this.fileCountMax = fileCountMax; + } /** * Retrieves the character encoding used when reading the headers of an @@ -286,6 +311,10 @@ public List parseRequest(RequestContext ctx) throw new NullPointerException("No FileItemFactory has been set."); } while (iter.hasNext()) { + if (items.size() == fileCountMax) { + // The next item will exceed the limit. + throw new FileCountLimitExceededException(ATTACHMENT, getFileCountMax()); + } final FileItemStream item = iter.next(); // Don't use getName() here to prevent an InvalidFileNameException. final String fileName = ((FileItemIteratorImpl.FileItemStreamImpl) item).name; diff --git a/java/org/apache/tomcat/util/http/fileupload/impl/FileCountLimitExceededException.java b/java/org/apache/tomcat/util/http/fileupload/impl/FileCountLimitExceededException.java new file mode 100644 index 0000000000..958f681276 --- /dev/null +++ b/java/org/apache/tomcat/util/http/fileupload/impl/FileCountLimitExceededException.java @@ -0,0 +1,50 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.tomcat.util.http.fileupload.impl; + +import org.apache.tomcat.util.http.fileupload.FileUploadException; + +/** + * This exception is thrown if a request contains more files than the specified + * limit. + */ +public class FileCountLimitExceededException extends FileUploadException { + + private static final long serialVersionUID = 2408766352570556046L; + + private final long limit; + + /** + * Creates a new instance. + * + * @param message The detail message + * @param limit The limit that was exceeded + */ + public FileCountLimitExceededException(final String message, final long limit) { + super(message); + this.limit = limit; + } + + /** + * Retrieves the limit that was exceeded. + * + * @return The limit that was exceeded by the request + */ + public long getLimit() { + return limit; + } +} diff --git a/webapps/docs/config/ajp.xml b/webapps/docs/config/ajp.xml index f655eb4ec2..d5f7745279 100644 --- a/webapps/docs/config/ajp.xml +++ b/webapps/docs/config/ajp.xml @@ -114,12 +114,15 @@ -

The maximum number of parameter and value pairs (GET plus POST) which - will be automatically parsed by the container. Parameter and value pairs - beyond this limit will be ignored. A value of less than 0 means no limit. - If not specified, a default of 10000 is used. Note that - FailedRequestFilter filter can be - used to reject requests that hit the limit.

+

The maximum total number of request parameters (including uploaded + files) obtained from the query string and, for POST requests, the request + body if the content type is + application/x-www-form-urlencoded or + multipart/form-data. Request parameters beyond this limit + will be ignored. A value of less than 0 means no limit. If not specified, + a default of 10000 is used. Note that FailedRequestFilter + filter can be used to reject requests that + exceed the limit.

 diff --git a/webapps/docs/config/http.xml b/webapps/docs/config/http.xml index 143f24e2b3..d86bdedc7d 100644 --- a/webapps/docs/config/http.xml +++ b/webapps/docs/config/http.xml @@ -101,12 +101,15 @@ -

The maximum number of parameter and value pairs (GET plus POST) which - will be automatically parsed by the container. Parameter and value pairs - beyond this limit will be ignored. A value of less than 0 means no limit. - If not specified, a default of 10000 is used. Note that - FailedRequestFilter filter can be - used to reject requests that hit the limit.

+

The maximum total number of request parameters (including uploaded + files) obtained from the query string and, for POST requests, the request + body if the content type is + application/x-www-form-urlencoded or + multipart/form-data. Request parameters beyond this limit + will be ignored. A value of less than 0 means no limit. If not specified, + a default of 10000 is used. Note that FailedRequestFilter + filter can be used to reject requests that + exceed the limit.