Hello, I am working to backport the fix for CVE-2023-46589 to Tomcat version 8.0.14, which is what we have in Debian "jessie". This is under the Extended LTS project for older Debian releases, run by Freexian SARL. <https://www.freexian.com/lts/extended/>
I am having a problem backporting this hunk of the fix:

--8<---------------cut here---------------start------------->8--- --- a/java/org/apache/catalina/connector/InputBuffer.java +++ b/java/org/apache/catalina/connector/InputBuffer.java @@ -346,11 +348,23 @@ public class InputBuffer extends Reader try { return coyoteRequest.doRead(bb); } catch (BadRequestException bre) { + // Set flag used by asynchronous processing to detect errors on non-container threads coyoteRequest.setErrorException(bre); + // In synchronous processing, this exception may be swallowed by the application so set error flags here. + coyoteRequest.setAttribute(RequestDispatcher.ERROR_EXCEPTION, bre); + coyoteRequest.getResponse().setStatus(400); + coyoteRequest.setError(); + // Make the exception visible to the application throw bre; } catch (IOException ioe) { + // Set flag used by asynchronous processing to detect errors on non-container threads coyoteRequest.setErrorException(ioe); + // In synchronous processing, this exception may be swallowed by the application so set error flags here. + coyoteRequest.setAttribute(RequestDispatcher.ERROR_EXCEPTION, ioe); + coyoteRequest.getResponse().setStatus(400); + coyoteRequest.setError(); // Any other IOException on a read is almost always due to the remote client aborting the request. + // Make the exception visible to the application throw new ClientAbortException(ioe); } } --8<---------------cut here---------------end--------------->8---

The problem is that coyoteRequest does not have a setError method. I believe that this is because Tomcat 8.0.14 is earlier than commit 662f9f4f0f. I have not been able to determine whether this is important. Can I skip the setError() call, or do I need to call it some other way?

Many thanks.

--
Sean Whitton
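
Review bot: In the `catch (IOException ioe)` branch, the attribute `RequestDispatcher.ERROR_EXCEPTION` is set to the raw `ioe`, while the exception thrown to the application is `new ClientAbortException(ioe)`, so the recorded error and the one the application sees differ; if that is intended, a comment saying so would help. The same branch sets status 400 although its existing comment attributes such failures to the remote client aborting the request, which deserves a sentence of justification. The four added lines are identical in both catch blocks apart from the exception variable and could move into one private helper, which would also give a backport a single place to adapt the `coyoteRequest.setError()` call.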