Description: fix AJP request spoofing and authentication bypass
Origin: upstream, http://svn.apache.org/viewvc?rev=1162959&view=rev
Bug-Ubuntu: https://bugs.launchpad.net/bugs/843701
Bug: https://issues.apache.org/bugzilla/show_bug.cgi?id=50189
Bug: https://issues.apache.org/bugzilla/show_bug.cgi?id=51698
Index: tomcat6-6.0.28/java/org/apache/coyote/ajp/AjpAprProcessor.java
8
===================================================================
9
--- tomcat6-6.0.28.orig/java/org/apache/coyote/ajp/AjpAprProcessor.java 2011-09-20 10:33:13.541588195 -0400
10
+++ tomcat6-6.0.28/java/org/apache/coyote/ajp/AjpAprProcessor.java 2011-09-20 10:33:38.251588001 -0400
14
} else if(type != Constants.JK_AJP13_FORWARD_REQUEST) {
15
- // Usually the servlet didn't read the previous request body
16
- if(log.isDebugEnabled()) {
17
- log.debug("Unexpected message: "+type);
18
+ // Unexpected packet type. Unread body packets should have
19
+ // been swallowed in finish().
20
+ if (log.isDebugEnabled()) {
21
+ log.debug("Unexpected message: " + type);
29
@@ -1026,6 +1028,11 @@
33
+ // Swallow the unread body packet if present
34
+ if (first && request.getContentLengthLong() > 0) {
38
// Add the end message
39
if (outputBuffer.position() + endMessageArray.length > outputBuffer.capacity()) {
41
Index: tomcat6-6.0.28/java/org/apache/coyote/ajp/AjpProcessor.java
42
===================================================================
43
--- tomcat6-6.0.28.orig/java/org/apache/coyote/ajp/AjpProcessor.java 2011-09-20 10:33:20.851588140 -0400
44
+++ tomcat6-6.0.28/java/org/apache/coyote/ajp/AjpProcessor.java 2011-09-20 10:33:40.801587980 -0400
48
} else if(type != Constants.JK_AJP13_FORWARD_REQUEST) {
49
- // Usually the servlet didn't read the previous request body
50
- if(log.isDebugEnabled()) {
51
- log.debug("Unexpected message: "+type);
52
+ // Unexpected packet type. Unread body packets should have
53
+ // been swallowed in finish().
54
+ if (log.isDebugEnabled()) {
55
+ log.debug("Unexpected message: " + type);
62
request.setStartTime(System.currentTimeMillis());
63
@@ -1031,6 +1033,11 @@
67
+ // Swallow the unread body packet if present
68
+ if (first && request.getContentLengthLong() > 0) {
72
// Add the end message
73
output.write(endMessageArray);