Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=51698

Fix CVE-2011-3190
Prevent AJP request forgery via unread request body packet

git-svn-id: https://svn.apache.org/repos/asf/tomcat/tc7.0.x/trunk@1162958 13f79535-47bb-0310-9956-ffa450edef68

java/org/apache/coyote/ajp/AbstractAjpProcessor.java

@@ -985,6 +985,11 @@ protected void finish() throws IOException {
 
         finished = true;
 
+        // Swallow the unread body packet if present
+        if (first && request.getContentLengthLong() > 0) {
+            receive();
+        }
+
         // Add the end message
         if (error) {
             output(endAndCloseMessageArray, 0, endAndCloseMessageArray.length);

java/org/apache/coyote/ajp/AjpAprProcessor.java

@@ -140,11 +140,13 @@ public SocketState process(SocketWrapper<Long> socket)
                     }
                     continue;
                 } else if(type != Constants.JK_AJP13_FORWARD_REQUEST) {
-                    // Usually the servlet didn't read the previous request body
-                    if(log.isDebugEnabled()) {
-                        log.debug("Unexpected message: "+type);
+                    // Unexpected packet type. Unread body packets should have
+                    // been swallowed in finish().
+                    if (log.isDebugEnabled()) {
+                        log.debug("Unexpected message: " + type);
                     }
-                    continue;
+                    error = true;
+                    break;
                 }
 
                 keptAlive = true;

java/org/apache/coyote/ajp/AjpNioProcessor.java

@@ -126,12 +126,14 @@ public SocketState process(SocketWrapper<NioChannel> socket)
                     recycle(false);
                     continue;
                 } else if(type != Constants.JK_AJP13_FORWARD_REQUEST) {
-                    // Usually the servlet didn't read the previous request body
-                    if(log.isDebugEnabled()) {
-                        log.debug("Unexpected message: "+type);
+                    // Unexpected packet type. Unread body packets should have
+                    // been swallowed in finish().
+                    if (log.isDebugEnabled()) {
+                        log.debug("Unexpected message: " + type);
                     }
+                    error = true;
                     recycle(true);
-                    continue;
+                    break;
                 }
                 request.setStartTime(System.currentTimeMillis());
             } catch (IOException e) {

java/org/apache/coyote/ajp/AjpProcessor.java

@@ -143,13 +143,14 @@ public SocketState process(SocketWrapper<Socket> socket)
                     }
                     continue;
                 } else if(type != Constants.JK_AJP13_FORWARD_REQUEST) {
-                    // Usually the servlet didn't read the previous request body
-                    if(log.isDebugEnabled()) {
-                        log.debug("Unexpected message: "+type);
+                    // Unexpected packet type. Unread body packets should have
+                    // been swallowed in finish().
+                    if (log.isDebugEnabled()) {
+                        log.debug("Unexpected message: " + type);
                     }
-                    continue;
+                    error = true;
+                    break;
                 }
-
                 request.setStartTime(System.currentTimeMillis());
             } catch (IOException e) {
                 error = true;

webapps/docs/changelog.xml

@@ -131,6 +131,10 @@
         Detect incomplete AJP messages and reject the associated request if one
         is found. (markt) 
       </add>
+      <fix>
+        <bug>51698</bug>: Fix CVE-2011-3190. Prevent AJP message injection.
+        (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Jasper">