Backporting patch for CVE-2023-46589 to Tomcat 8.0.14

Sun, 17 Dec 2023 08:32:57 -0800 

Hello,

I am working to backport the fix for CVE-2023-46589 to Tomcat version
8.0.14, which is what we have in Debian "jessie".  This is under the
Extended LTS project for older Debian releases, run by Freexian SARL.
    <https://www.freexian.com/lts/extended/>

I am having a problem backporting this hunk of the fix:

--8<---------------cut here---------------start------------->8---
--- a/java/org/apache/catalina/connector/InputBuffer.java
+++ b/java/org/apache/catalina/connector/InputBuffer.java
@@ -346,11 +348,23 @@ public class InputBuffer extends Reader
         try {
             return coyoteRequest.doRead(bb);
         } catch (BadRequestException bre) {
+            // Set flag used by asynchronous processing to detect errors on 
non-container threads
             coyoteRequest.setErrorException(bre);
+            // In synchronous processing, this exception may be swallowed by 
the application so set error flags here.
+            coyoteRequest.setAttribute(RequestDispatcher.ERROR_EXCEPTION, bre);
+            coyoteRequest.getResponse().setStatus(400);
+            coyoteRequest.setError();
+            // Make the exception visible to the application
             throw bre;
         } catch (IOException ioe) {
+            // Set flag used by asynchronous processing to detect errors on 
non-container threads
             coyoteRequest.setErrorException(ioe);
+            // In synchronous processing, this exception may be swallowed by 
the application so set error flags here.
+            coyoteRequest.setAttribute(RequestDispatcher.ERROR_EXCEPTION, ioe);
+            coyoteRequest.getResponse().setStatus(400);
+            coyoteRequest.setError();
             // Any other IOException on a read is almost always due to the 
remote client aborting the request.
+            // Make the exception visible to the application
             throw new ClientAbortException(ioe);
         }
     }
--8<---------------cut here---------------end--------------->8---

The problem is that coyoteRequest does not have a setError method.
I believe that this is because Tomcat 8.0.14 is earlier than commit
662f9f4f0f.  I have not been able to determine whether this is
important.  Can I skip the setError() call, or do I need to call it some
other way?

Many thanks.

-- 
Sean Whitton

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Reply via email to