Updated Branches:
  refs/heads/wicket-6.x c7ed5a0d5 -> b7fe180d8

WICKET-5502 Patch FileUploadBase to fix CVE-2014-0050


Project: http://git-wip-us.apache.org/repos/asf/wicket/repo
Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/b7fe180d
Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/b7fe180d
Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/b7fe180d

Branch: refs/heads/wicket-6.x
Commit: b7fe180d850da71b0ac639ff741b0c590b4cd6eb
Parents: c7ed5a0
Author: Martin Tzvetanov Grigorov <[email protected]>
Authored: Fri Feb 7 15:15:21 2014 +0100
Committer: Martin Tzvetanov Grigorov <[email protected]>
Committed: Fri Feb 7 15:15:21 2014 +0100

----------------------------------------------------------------------
 .../wicket/util/upload/FileUploadBase.java      | 25 +++++++++++++++++++-
 .../util/upload/MultipartFormInputStream.java   |  9 ++++++-
 2 files changed, 32 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/wicket/blob/b7fe180d/wicket-util/src/main/java/org/apache/wicket/util/upload/FileUploadBase.java
----------------------------------------------------------------------
diff --git 
a/wicket-util/src/main/java/org/apache/wicket/util/upload/FileUploadBase.java 
b/wicket-util/src/main/java/org/apache/wicket/util/upload/FileUploadBase.java
index 808fb42..1bd5a86 100644
--- 
a/wicket-util/src/main/java/org/apache/wicket/util/upload/FileUploadBase.java
+++ 
b/wicket-util/src/main/java/org/apache/wicket/util/upload/FileUploadBase.java
@@ -866,7 +866,16 @@ public abstract class FileUploadBase
 
                        notifier = new 
MultipartFormInputStream.ProgressNotifier(listener,
                                ctx.getContentLength());
-                       multi = new MultipartFormInputStream(input, boundary, 
notifier);
+                       try
+                       {
+                               multi = new MultipartFormInputStream(input, 
boundary, notifier);
+                       }
+                       catch (IllegalArgumentException iae)
+                       {
+                               throw new 
InvalidContentTypeException(String.format(
+                                       "The boundary specified in the %s 
header is too long",
+                                       CONTENT_TYPE), iae);
+                       }
                        multi.setHeaderEncoding(charEncoding);
 
                        skipPreamble = true;
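Review bot: The new `catch (IllegalArgumentException iae)` maps every IllegalArgumentException raised by the MultipartFormInputStream constructor to "boundary ... is too long", so any other argument validation that constructor performs now or later would be reported to the caller under a misleading Content-Type message. The mapping is correct for the single check this commit adds, but it keys on an exception type rather than the condition; a direct comparison of the boundary length against the buffer size before constructing the stream, or a dedicated exception type, would keep the two from drifting apart. It would also help operators to include the rejected length in the message, e.g. `"The boundary specified in the %s header is too long (%d bytes)", CONTENT_TYPE, boundary.length` (the length only; the boundary bytes come from the request). The enclosing method starts and ends outside the hunk.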
@@ -1085,6 +1094,20 @@ public abstract class FileUploadBase
                {
                        super(message);
                }
+
+               /**
+                * Constructs an <code>InvalidContentTypeException</code> with 
the specified detail message
+                * and cause.
+                *
+                * @param message
+                *            The detail message.
+                * @param cause
+                *            The real cause
+                */
+               public InvalidContentTypeException(final String message, 
Throwable cause)
+               {
+                       super(message, cause);
+               }
        }
 
        /**
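Review bot: The new constructor declares `Throwable cause` without `final`, while its sibling parameter `final String message` and the other signatures visible in this commit mark parameters final; for consistency write `public InvalidContentTypeException(final String message, final Throwable cause)`. The enclosing class InvalidContentTypeException begins outside the hunk.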

http://git-wip-us.apache.org/repos/asf/wicket/blob/b7fe180d/wicket-util/src/main/java/org/apache/wicket/util/upload/MultipartFormInputStream.java
----------------------------------------------------------------------
diff --git 
a/wicket-util/src/main/java/org/apache/wicket/util/upload/MultipartFormInputStream.java
 
b/wicket-util/src/main/java/org/apache/wicket/util/upload/MultipartFormInputStream.java
index 337f4eb..1602715 100644
--- 
a/wicket-util/src/main/java/org/apache/wicket/util/upload/MultipartFormInputStream.java
+++ 
b/wicket-util/src/main/java/org/apache/wicket/util/upload/MultipartFormInputStream.java
@@ -321,9 +321,15 @@ public class MultipartFormInputStream
 
                // We prepend CR/LF to the boundary to chop trailng CR/LF from
                // body-data tokens.
-               this.boundary = new byte[boundary.length + 
BOUNDARY_PREFIX.length];
                boundaryLength = boundary.length + BOUNDARY_PREFIX.length;
+               if (bufSize < this.boundaryLength + 1)
+               {
+                       throw new IllegalArgumentException(
+                               "The buffer size specified for the 
MultipartFormInputStream is too small");
+               }
+               this.boundary = new byte[this.boundaryLength];
                keepRegion = this.boundary.length;
+
                System.arraycopy(BOUNDARY_PREFIX, 0, this.boundary, 0, 
BOUNDARY_PREFIX.length);
                System.arraycopy(boundary, 0, this.boundary, 
BOUNDARY_PREFIX.length, boundary.length);
 
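Review bot: The guard `if (bufSize < this.boundaryLength + 1)` is the substantive fix, but its message reports neither value, so a rejected request leaves no record of how far the header-supplied boundary exceeded the buffer; consider `"The buffer size " + bufSize + " is too small for the boundary length " + this.boundaryLength` (lengths only, not the boundary bytes). The check is correctly placed ahead of `new byte[this.boundaryLength]`, so a request-controlled length is validated before any allocation sized from it; that ordering should be preserved if the block is touched again. `bufSize` is presumably the constructor parameter; the constructor's signature and the rest of its body are outside the hunk.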
@@ -346,6 +352,7 @@ public class MultipartFormInputStream
         * 
         * @see #MultipartFormInputStream(InputStream, byte[], int,
         *      MultipartFormInputStream.ProgressNotifier)
+        * @throws IllegalArgumentException If the buffer size is too small
         */
        MultipartFormInputStream(final InputStream input, final byte[] boundary,
                final ProgressNotifier pNotifier)
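Review bot: The `@throws IllegalArgumentException` tag is added to the delegating three-argument constructor, but the constructor that actually performs the buffer-size check (the one patched at @@ -321) is where a reader will look first; its Javadoc is outside this hunk, so if it does not already carry the same tag it should get one. The constructor body begins outside the hunk.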
