Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=51698

Fix CVE-2011-3190 Prevent AJP request forgery via unread request body packet git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@1162957 13f79535-47bb-0310-9956-ffa450edef68
apache · Aug 29, 2011 · a2538ce · a2538ce
1 parent 3513acc
commit a2538ce
Show file tree

Hide file tree

Showing 4 changed files with 23 additions and 13 deletions.
diff --git a/java/org/apache/coyote/ajp/AbstractAjpProcessor.java b/java/org/apache/coyote/ajp/AbstractAjpProcessor.java
@@ -985,6 +985,11 @@ protected void finish() throws IOException {
 
         finished = true;
 
+        // Swallow the unread body packet if present
+        if (first && request.getContentLengthLong() > 0) {
+            receive();
+        }
+
         // Add the end message
         if (error) {
             output(endAndCloseMessageArray, 0, endAndCloseMessageArray.length);

diff --git a/java/org/apache/coyote/ajp/AjpAprProcessor.java b/java/org/apache/coyote/ajp/AjpAprProcessor.java
@@ -140,11 +140,13 @@ public SocketState process(SocketWrapper<Long> socket)
                     }
                     continue;
                 } else if(type != Constants.JK_AJP13_FORWARD_REQUEST) {
-                    // Usually the servlet didn't read the previous request body
-                    if(log.isDebugEnabled()) {
-                        log.debug("Unexpected message: "+type);
+                    // Unexpected packet type. Unread body packets should have
+                    // been swallowed in finish().
+                    if (log.isDebugEnabled()) {
+                        log.debug("Unexpected message: " + type);
                     }
-                    continue;
+                    error = true;
+                    break;
                 }
 
                 keptAlive = true;

diff --git a/java/org/apache/coyote/ajp/AjpNioProcessor.java b/java/org/apache/coyote/ajp/AjpNioProcessor.java
@@ -126,12 +126,14 @@ public SocketState process(SocketWrapper<NioChannel> socket)
                     recycle(false);
                     continue;
                 } else if(type != Constants.JK_AJP13_FORWARD_REQUEST) {
-                    // Usually the servlet didn't read the previous request body
-                    if(log.isDebugEnabled()) {
-                        log.debug("Unexpected message: "+type);
+                    // Unexpected packet type. Unread body packets should have
+                    // been swallowed in finish().
+                    if (log.isDebugEnabled()) {
+                        log.debug("Unexpected message: " + type);
                     }
+                    error = true;
                     recycle(true);
-                    continue;
+                    break;
                 }
                 request.setStartTime(System.currentTimeMillis());
             } catch (IOException e) {

diff --git a/java/org/apache/coyote/ajp/AjpProcessor.java b/java/org/apache/coyote/ajp/AjpProcessor.java
@@ -143,13 +143,14 @@ public SocketState process(SocketWrapper<Socket> socket)
                     }
                     continue;
                 } else if(type != Constants.JK_AJP13_FORWARD_REQUEST) {
-                    // Usually the servlet didn't read the previous request body
-                    if(log.isDebugEnabled()) {
-                        log.debug("Unexpected message: "+type);
+                    // Unexpected packet type. Unread body packets should have
+                    // been swallowed in finish().
+                    if (log.isDebugEnabled()) {
+                        log.debug("Unexpected message: " + type);
                     }
-                    continue;
+                    error = true;
+                    break;
                 }
-
                 request.setStartTime(System.currentTimeMillis());
             } catch (IOException e) {
                 error = true;