Fix CVE-2011-3190

Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=51698
Prevent AJP request forgery via unread request body packet

git-svn-id: https://svn.apache.org/repos/asf/tomcat/tc5.5.x/trunk@1162960 13f79535-47bb-0310-9956-ffa450edef68

connectors/jk/java/org/apache/coyote/ajp/AjpAprProcessor.java

@@ -404,11 +404,13 @@ public boolean process(long socket)
                     }
                     continue;
                 } else if(type != Constants.JK_AJP13_FORWARD_REQUEST) {
-                    // Usually the servlet didn't read the previous request body
-                    if(log.isDebugEnabled()) {
-                        log.debug("Unexpected message: "+type);
+                    // Unexpected packet type. Unread body packets should have
+                    // been swallowed in finish().
+                    if (log.isDebugEnabled()) {
+                        log.debug("Unexpected message: " + type);
                     }
-                    continue;
+                    error = true;
+                    break;
                 }
 
                 keptAlive = true;
@@ -1033,6 +1035,11 @@ protected void finish()
 
         finished = true;
 
+        // Swallow the unread body packet if present
+        if (first && request.getContentLengthLong() > 0) {
+            receive();
+        }
+
         // Add the end message
         if (outputBuffer.position() + endMessageArray.length > outputBuffer.capacity()) {
             flush();

container/webapps/docs/changelog.xml

@@ -125,6 +125,10 @@
         if it is configured for SSL and an invalid value is provided for
         SSLProtocol. (markt)
       </fix>
+      <fix>
+        <bug>51698</bug>: Fix CVE-2011-3190. Prevent AJP message injection.
+        (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Jasper">