From ad1ed706c2f190db2083f938704ed50c398d7454 Mon Sep 17 00:00:00 2001
From: liuhaipeng 00050065
Date: Thu, 28 Dec 2023 14:51:22 +0800
Subject: [PATCH] Fix
---
CVE-2023-24998.patch | 252 +++++++++++++++++++++++++++++++++++++++++++
tomcat.spec | 6 +-
2 files changed, 257 insertions(+), 1 deletion(-)
create mode 100644 CVE-2023-24998.patch
diff --git a/CVE-2023-24998.patch b/CVE-2023-24998.patch
new file mode 100644
index 0000000..c81926c
--- /dev/null
+++ b/CVE-2023-24998.patch
@@ -0,0 +1,252 @@
+From cf77cc545de0488fb89e24294151504a7432df74 Mon Sep 17 00:00:00 2001
+From: Mark Thomas
+Date: Tue, 13 Dec 2022 17:55:34 +0000
+Subject: [PATCH] Update packaged renamed fork of Commons File Upload
+
+
+---
+ .../apache/catalina/connector/Request.java | 12 ++++-
+ .../apache/tomcat/util/http/Parameters.java | 4 ++
+ .../util/http/fileupload/FileUploadBase.java | 29 +++++++++++
+ .../impl/FileCountLimitExceededException.java | 50 +++++++++++++++++++
+ webapps/docs/changelog.xml | 8 +++
+ webapps/docs/config/ajp.xml | 15 +++---
+ webapps/docs/config/http.xml | 15 +++---
+ 7 files changed, 119 insertions(+), 14 deletions(-)
+ create mode 100644 java/org/apache/tomcat/util/http/fileupload/impl/FileCountLimitExceededException.java
+
+diff --git a/java/org/apache/catalina/connector/Request.java b/java/org/apache/catalina/connector/Request.java
+index 889d5e7..87ab732 100644
+--- a/java/org/apache/catalina/connector/Request.java
++++ b/java/org/apache/catalina/connector/Request.java
+@@ -2769,8 +2769,9 @@ public class Request implements HttpServletRequest {
+ }
+ }
+
+- Parameters parameters = coyoteRequest.getParameters();
+- parameters.setLimit(getConnector().getMaxParameterCount());
++ int maxParameterCount = getConnector().getMaxParameterCount();
++ Parameters parameters = coyoteRequest.getParameters();
++ parameters.setLimit(maxParameterCount);
+
+ boolean success = false;
+ try {
+@@ -2814,6 +2815,13 @@ public class Request implements HttpServletRequest {
+ upload.setFileItemFactory(factory);
+ upload.setFileSizeMax(mce.getMaxFileSize());
+ upload.setSizeMax(mce.getMaxRequestSize());
++ if (maxParameterCount > -1) {
++ // There is a limit. The limit for parts needs to be reduced by
++ // the number of parameters we have already parsed.
++ // Must be under the limit else parsing parameters would have
++ // triggered an exception.
++ upload.setFileCountMax(maxParameterCount - parameters.size());
++ }
+
+ parts = new ArrayList<>();
+ try {
+diff --git a/java/org/apache/tomcat/util/http/Parameters.java b/java/org/apache/tomcat/util/http/Parameters.java
+index 5bd9ba7..08c6ffd 100644
+--- a/java/org/apache/tomcat/util/http/Parameters.java
++++ b/java/org/apache/tomcat/util/http/Parameters.java
+@@ -124,6 +124,10 @@ public final class Parameters {
+ }
+ }
+
++ public int size() {
++ return parameterCount;
++ }
++
+
+ public void recycle() {
+ parameterCount = 0;
+diff --git a/java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java b/java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java
+index eb5a487..5506754 100644
+--- a/java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java
++++ b/java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java
+@@ -26,6 +26,7 @@ import java.util.Locale;
+ import java.util.Map;
+ import java.util.NoSuchElementException;
+
++import org.apache.tomcat.util.http.fileupload.impl.FileCountLimitExceededException;
+ import org.apache.tomcat.util.http.fileupload.MultipartStream.ItemInputStream;
+ import org.apache.tomcat.util.http.fileupload.util.Closeable;
+ import org.apache.tomcat.util.http.fileupload.util.FileItemHeadersImpl;
+@@ -131,6 +132,12 @@ public abstract class FileUploadBase {
+ * to {@link #sizeMax}. A value of -1 indicates no maximum.
+ */
+ private long fileSizeMax = -1;
++
++ /**
++ * The maximum permitted number of files that may be uploaded in a single
++ * request. A value of -1 indicates no maximum.
++ */
++ private long fileCountMax = -1;
+
+ /**
+ * The content encoding to use when reading part headers.
+@@ -208,6 +215,24 @@ public abstract class FileUploadBase {
+ this.fileSizeMax = fileSizeMax;
+ }
+
++ /**
++ * Returns the maximum number of files allowed in a single request.
++ *
++ * @return The maximum number of files allowed in a single request.
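Review bot: `upload.setFileCountMax(maxParameterCount - parameters.size())` in the second Request.java hunk passes the difference on unchecked, and the added comment's claim that the count "must be under the limit" is not backed by anything visible in this patch. FileUploadBase documents -1 as "no maximum" and enforces the count with `items.size() == fileCountMax`, so if `parameters.size()` can ever reach `maxParameterCount + 1` (for instance if Parameters increments its counter before testing the limit, which is outside this patch) the part limit is silently turned off for exactly the request that already hit the parameter limit. Clamping removes that dependency: `upload.setFileCountMax(Math.max(0, maxParameterCount - parameters.size()));`. The new `Parameters.size()` this relies on has no Javadoc; it should state that it returns the running `parameterCount` and whether that count can exceed the configured limit. The enclosing method starts and ends outside the hunk.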
++ */
++ public long getFileCountMax() {
++ return fileCountMax;
++ }
++
++ /**
++ * Sets the maximum number of files allowed per request/
++ *
++ * @param fileCountMax The new limit. {@code -1} means no limit.
++ */
++ public void setFileCountMax(long fileCountMax) {
++ this.fileCountMax = fileCountMax;
++ }
++
+ /**
+ * Retrieves the character encoding used when reading the headers of an
+ * individual part. When not specified, or null, the request
+@@ -283,6 +308,10 @@ public abstract class FileUploadBase {
+ throw new NullPointerException("No FileItemFactory has been set.");
+ }
+ while (iter.hasNext()) {
++ if (items.size() == fileCountMax) {
++ // The next item will exceed the limit.
++ throw new FileCountLimitExceededException(ATTACHMENT, getFileCountMax());
++ }
+ final FileItemStream item = iter.next();
+ // Don't use getName() here to prevent an InvalidFileNameException.
+ final String fileName = ((FileItemIteratorImpl.FileItemStreamImpl) item).name;
+diff --git a/java/org/apache/tomcat/util/http/fileupload/impl/FileCountLimitExceededException.java b/java/org/apache/tomcat/util/http/fileupload/impl/FileCountLimitExceededException.java
+new file mode 100644
+index 0000000..958f681
+--- /dev/null
++++ b/java/org/apache/tomcat/util/http/fileupload/impl/FileCountLimitExceededException.java
+@@ -0,0 +1,50 @@
++/*
++ * Licensed to the Apache Software Foundation (ASF) under one or more
++ * contributor license agreements. See the NOTICE file distributed with
++ * this work for additional information regarding copyright ownership.
++ * The ASF licenses this file to You under the Apache License, Version 2.0
++ * (the "License"); you may not use this file except in compliance with
++ * the License.
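Review bot: The guard added inside the `while (iter.hasNext())` loop, `if (items.size() == fileCountMax)`, fires only on an exact match, so any negative value other than the documented -1 disables the limit, and `setFileCountMax` in the preceding hunk stores whatever it is given. Failing closed is a one-line change: `if (fileCountMax != -1 && items.size() >= fileCountMax) {`. The exception message is the `ATTACHMENT` constant, whose value is not shown here; if it is the Content-Disposition token, the log entry will not say what was rejected, so a message naming the limit would help whoever triages a blocked upload. The Javadoc on the field and both accessors says "files", yet the Request.java comment talks about "parts"; if `items` collects form fields as well, the documentation should say so, and the setter's summary ends in `/` where a full stop was meant. The loop body continues outside the hunk.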
You may obtain a copy of the License at ++ * ++ * http://www.apache.org/licenses/LICENSE-2.0 ++ * ++ * Unless required by applicable law or agreed to in writing, software ++ * distributed under the License is distributed on an "AS IS" BASIS, ++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++ * See the License for the specific language governing permissions and ++ * limitations under the License. ++ */ ++package org.apache.tomcat.util.http.fileupload.impl; ++ ++import org.apache.tomcat.util.http.fileupload.FileUploadException; ++ ++/** ++ * This exception is thrown if a request contains more files than the specified ++ * limit. ++ */ ++public class FileCountLimitExceededException extends FileUploadException { ++ ++ private static final long serialVersionUID = 2408766352570556046L; ++ ++ private final long limit; ++ ++ /** ++ * Creates a new instance. ++ * ++ * @param message The detail message ++ * @param limit The limit that was exceeded ++ */ ++ public FileCountLimitExceededException(final String message, final long limit) { ++ super(message); ++ this.limit = limit; ++ } ++ ++ /** ++ * Retrieves the limit that was exceeded. ++ * ++ * @return The limit that was exceeded by the request ++ */ ++ public long getLimit() { ++ return limit; ++ } ++} +diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml +index 835b0d0..0268d87 100644 +--- a/webapps/docs/changelog.xml ++++ b/webapps/docs/changelog.xml +@@ -44,6 +44,14 @@ + They eventually become mixed with the numbered issues. (I.e., numbered + issues do not "pop up" wrt. others). + --> ++ ++ ++ ++ Update the internal fork of Apache Commons FileUpload to 34eb241 ++ (2023-01-03, 2.0-SNAPSHOT). (markt) ++ ++ ++ +
+ + +diff --git a/webapps/docs/config/ajp.xml b/webapps/docs/config/ajp.xml +index 622e7ca..38c5269 100644 +--- a/webapps/docs/config/ajp.xml ++++ b/webapps/docs/config/ajp.xml +@@ -114,12 +114,15 @@ + + + +-

The maximum number of parameter and value pairs (GET plus POST) which +- will be automatically parsed by the container. Parameter and value pairs +- beyond this limit will be ignored. A value of less than 0 means no limit. +- If not specified, a default of 10000 is used. Note that +- FailedRequestFilter filter can be +- used to reject requests that hit the limit.

++

The maximum total number of request parameters (including uploaded ++ files) obtained from the query string and, for POST requests, the request ++ body if the content type is ++ application/x-www-form-urlencoded or ++ multipart/form-data. Request parameters beyond this limit ++ will be ignored. A value of less than 0 means no limit. If not specified, ++ a default of 10000 is used. Note that FailedRequestFilter ++ filter can be used to reject requests that ++ exceed the limit.

+
+ + +diff --git a/webapps/docs/config/http.xml b/webapps/docs/config/http.xml +index 3902c9a..52ad063 100644 +--- a/webapps/docs/config/http.xml ++++ b/webapps/docs/config/http.xml +@@ -111,12 +111,15 @@ + + + +-

The maximum number of parameter and value pairs (GET plus POST) which +- will be automatically parsed by the container. Parameter and value pairs +- beyond this limit will be ignored. A value of less than 0 means no limit. +- If not specified, a default of 10000 is used. Note that +- FailedRequestFilter filter can be +- used to reject requests that hit the limit.

++

The maximum total number of request parameters (including uploaded ++ files) obtained from the query string and, for POST requests, the request ++ body if the content type is ++ application/x-www-form-urlencoded or ++ multipart/form-data. Request parameters beyond this limit ++ will be ignored. A value of less than 0 means no limit. If not specified, ++ a default of 10000 is used. Note that FailedRequestFilter ++ filter can be used to reject requests that ++ exceed the limit.

+
+ + +-- +2.33.0 diff --git a/tomcat.spec b/tomcat.spec index acbf3ed..6b0ecca 100644 --- a/tomcat.spec +++ b/tomcat.spec @@ -13,7 +13,7 @@ Name: tomcat Epoch: 1 Version: %{major_version}.%{minor_version}.%{micro_version} -Release: 30 +Release: 31 Summary: Implementation of the Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket technologies License: ASL 2.0 URL: http://tomcat.apache.org/ @@ -106,6 +106,7 @@ Patch6071: CVE-2023-28708-pre.patch Patch6072: CVE-2023-28708.patch Patch6073: CVE-2023-41080.patch Patch6074: CVE-2023-45648.patch +Patch6075: CVE-2023-24998.patch BuildRequires: ecj >= 1:4.6.1 findutils apache-commons-collections apache-commons-daemon BuildRequires: apache-commons-dbcp apache-commons-pool tomcat-taglibs-standard ant @@ -506,6 +507,9 @@ fi %{_javadocdir}/%{name} %changelog +* Thu Dec 28 2023 liuhaipeng - 1:9.0.10-31 +- Fix CVE-2023-24998 + * Fri Oct 20 2023 wangkai <13474090681@163.com> - 1:9.0.10-30 - Fix CVE-2023-45648 -- Gitee