Various cleanups in HttpParser (CVE-2023-40167) #10329
Various cleanups in HttpParser Signed-off-by: gregw <gregw@webtide.com>
Got a leftover printStackTrace there.
jetty-client/src/test/java/org/eclipse/jetty/client/http/HttpReceiverOverHTTPTest.java
Various cleanups in HttpParser Signed-off-by: gregw <gregw@webtide.com>
jetty-http/src/main/java/org/eclipse/jetty/http/HttpParser.java
if (c < '0' || c > '9') | ||
throw new BadMessageException("Invalid Content-Length Value", new NumberFormatException()); | ||
|
||
value = Math.addExact(Math.multiplyExact(value, 10), c - '0'); |
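Review bot: The two rejection paths in this snippet end in different exception types: the non-digit check throws `BadMessageException`, while an over-long value leaves the `Math.addExact(Math.multiplyExact(value, 10), c - '0')` line as an `ArithmeticException` with no message. Nothing in the visible lines shows where that second exception is handled, so a short comment on that line naming the handler, plus a test that feeds a Content-Length value too large for the accumulator, would keep the overflow path from regressing unnoticed.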
`addExact` and `multiplyExact` throw `ArithmeticException`, that we should catch and convert to `BadMessageException`.
It is already caught in `parseNext` and converted to a `BadMessageException` there. We don't need to catch inside a catch
@gregw before, `NumberFormatException` was caught here and converted, that's why I raised this comment.
Also, we can be more precise with the exception message saying "invalid content-length", rather than just an `ArithmeticException` with no message.
I'd prefer to catch and rethrow, but I can live as is.
@sbordet I'd prefer to avoid the tiny cost of an extra try catch in critical path code to give a slightly better error message to a bad client.
update after review Signed-off-by: gregw <gregw@webtide.com>
crime against formatting resolved Signed-off-by: gregw <gregw@webtide.com>
Approved.
Don't forget to backport to 9.4.x
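The parse loop discussed in this thread, as an added stand-alone Java example (not code from the Jetty project): it applies the digit check and exact arithmetic from the snippet and, as an assumption for illustration, converts the overflow locally so both rejections surface as one exception type. `ContentLengthCheck`, `parseContentLength` and `BadLengthException` are hypothetical names, and the sample values are constructed.

```java
import java.nio.charset.StandardCharsets;

// Added illustration: class, method and exception names are hypothetical, not Jetty's.
public class ContentLengthCheck {
    // Stand-in for the parser's bad-message exception (hypothetical).
    static class BadLengthException extends RuntimeException {
        BadLengthException(String message, Throwable cause) { super(message, cause); }
    }

    // Accepts digits only; assumes the caller already stripped surrounding whitespace.
    static long parseContentLength(byte[] raw) {
        if (raw.length == 0)
            throw new BadLengthException("Invalid Content-Length Value", new NumberFormatException("empty"));
        long value = 0;
        try {
            for (byte b : raw) {
                char c = (char)(b & 0xFF);
                if (c < '0' || c > '9')
                    throw new BadLengthException("Invalid Content-Length Value", new NumberFormatException());
                // Throws ArithmeticException once the value no longer fits in a long.
                value = Math.addExact(Math.multiplyExact(value, 10), c - '0');
            }
        } catch (ArithmeticException e) {
            // Local conversion: the catch-and-rethrow alternative raised in the review.
            throw new BadLengthException("Invalid Content-Length Value", e);
        }
        return value;
    }

    public static void main(String[] args) {
        // Constructed sample header values: valid, signed, non-decimal, empty, boundary, overflow.
        String[] samples = {"0", "1234", "+12", "-1", "0x10", "1e3", "",
                            "9223372036854775807", "9223372036854775808"};
        for (String s : samples) {
            try {
                long n = parseContentLength(s.getBytes(StandardCharsets.ISO_8859_1));
                System.out.printf("\"%s\" -> %d%n", s, n);
            } catch (BadLengthException e) {
                System.out.printf("\"%s\" -> rejected (%s)%n", s, e.getCause().getClass().getSimpleName());
            }
        }
    }
}
```

The cause printed for each rejected value shows which path refused it: `NumberFormatException` for a non-digit or empty value, `ArithmeticException` for a value past `Long.MAX_VALUE`.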
Various cleanups in HttpParser: