Updated Branches: refs/heads/wicket-1.5.x 97d79a172 -> 5c55ea30a
WICKET-5502 Patch FileUploadBase to fix CVE-2014-0050 (cherry picked from commit b7fe180d850da71b0ac639ff741b0c590b4cd6eb) Project: http://git-wip-us.apache.org/repos/asf/wicket/repo Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/5c55ea30 Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/5c55ea30 Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/5c55ea30 Branch: refs/heads/wicket-1.5.x Commit: 5c55ea30ad372f208caa51544eab4a7777e1f3b8 Parents: 97d79a1 Author: Martin Tzvetanov Grigorov <[email protected]> Authored: Fri Feb 7 15:15:21 2014 +0100 Committer: Martin Tzvetanov Grigorov <[email protected]> Committed: Fri Feb 7 15:16:01 2014 +0100
----------------------------------------------------------------------
.../wicket/util/upload/FileUploadBase.java | 25 +++++++++++++++++++-
.../util/upload/MultipartFormInputStream.java | 9 ++++++-
2 files changed, 32 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/wicket/blob/5c55ea30/wicket-util/src/main/java/org/apache/wicket/util/upload/FileUploadBase.java
----------------------------------------------------------------------
diff --git a/wicket-util/src/main/java/org/apache/wicket/util/upload/FileUploadBase.java b/wicket-util/src/main/java/org/apache/wicket/util/upload/FileUploadBase.java
index 6119aed..be270b7 100644
--- a/wicket-util/src/main/java/org/apache/wicket/util/upload/FileUploadBase.java
+++ b/wicket-util/src/main/java/org/apache/wicket/util/upload/FileUploadBase.java
@@ -859,7 +859,16 @@ public abstract class FileUploadBase
 notifier = new MultipartFormInputStream.ProgressNotifier(listener, ctx.getContentLength());
- multi = new MultipartFormInputStream(input, boundary, notifier);
+ try
+ {
+ multi = new MultipartFormInputStream(input, boundary, notifier);
+ }
+ catch (IllegalArgumentException iae)
+ {
+ throw new InvalidContentTypeException(String.format(
+ "The boundary specified in the %s header is too long",
+ CONTENT_TYPE), iae);
+ }
 multi.setHeaderEncoding(charEncoding);
 skipPreamble = true;
@@ -1076,6 +1085,20 @@ public abstract class FileUploadBase
 {
 super(message);
 }
+
+ /**
+ * Constructs an <code>InvalidContentTypeException</code> with the specified detail message
+ * and cause.
+ *
+ * @param message
+ * The detail message.
+ * @param cause
+ * The real cause
+ */
+ public InvalidContentTypeException(final String message, Throwable cause)
+ {
+ super(message, cause);
+ }
 }
 /**
http://git-wip-us.apache.org/repos/asf/wicket/blob/5c55ea30/wicket-util/src/main/java/org/apache/wicket/util/upload/MultipartFormInputStream.java
----------------------------------------------------------------------
diff --git a/wicket-util/src/main/java/org/apache/wicket/util/upload/MultipartFormInputStream.java b/wicket-util/src/main/java/org/apache/wicket/util/upload/MultipartFormInputStream.java
index bc19a0e..5d4a96e 100644
--- a/wicket-util/src/main/java/org/apache/wicket/util/upload/MultipartFormInputStream.java
+++ b/wicket-util/src/main/java/org/apache/wicket/util/upload/MultipartFormInputStream.java
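Review bot: The new catch only fires after the client-supplied boundary has already been handed to MultipartFormInputStream, and it relabels every IllegalArgumentException from that constructor as "boundary too long", although the buffer-size check is the only source visible in this commit. A cheaper and more specific guard is to bound the boundary where it is taken from the Content-Type header: RFC 2046 §5.1.1 limits a boundary to 70 characters, so a check such as `if (boundary.length > 70) { throw new InvalidContentTypeException(String.format("The boundary specified in the %s header exceeds 70 characters", CONTENT_TYPE)); }` placed before `new MultipartFormInputStream(input, boundary, notifier)` rejects oversized boundaries before any buffer is allocated and leaves the stream's own check as a backstop (this assumes `boundary` here holds the raw boundary bytes without the CR/LF prefix; the call that produces it is outside the hunk). Chaining `iae` as the cause is right, and the message correctly avoids echoing the attacker-controlled boundary value. The enclosing constructor begins and ends outside the hunk.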
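Review bot: In the new two-argument InvalidContentTypeException constructor, `cause` is not declared final while `message` is; for consistency the signature should read `public InvalidContentTypeException(final String message, final Throwable cause)`. The Javadoc entry `The real cause` could say what a caller gets from it, e.g. `The underlying exception, available to handlers via getCause()`. The enclosing InvalidContentTypeException class begins outside the hunk.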
@@ -365,9 +365,15 @@ public class MultipartFormInputStream
 // We prepend CR/LF to the boundary to chop trailng CR/LF from
 // body-data tokens.
- this.boundary = new byte[boundary.length + BOUNDARY_PREFIX.length];
 boundaryLength = boundary.length + BOUNDARY_PREFIX.length;
+ if (bufSize < this.boundaryLength + 1)
+ {
+ throw new IllegalArgumentException(
+ "The buffer size specified for the MultipartFormInputStream is too small");
+ }
+ this.boundary = new byte[this.boundaryLength];
 keepRegion = this.boundary.length;
+ System.arraycopy(BOUNDARY_PREFIX, 0, this.boundary, 0, BOUNDARY_PREFIX.length);
 System.arraycopy(boundary, 0, this.boundary, BOUNDARY_PREFIX.length, boundary.length);
@@ -390,6 +396,7 @@ public class MultipartFormInputStream
 *
 * @see #MultipartFormInputStream(InputStream, byte[], int,
 * MultipartFormInputStream.ProgressNotifier)
+ * @throws IllegalArgumentException If the buffer size is too small
 */
 MultipartFormInputStream(final InputStream input, final byte[] boundary, final ProgressNotifier pNotifier)
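Review bot: The IllegalArgumentException thrown by the new guard reports neither the buffer size nor the length it needed, which are the two numbers an operator needs to understand a rejection and are safe to log, unlike the boundary bytes themselves, which are client-controlled and correctly left out. Suggest `throw new IllegalArgumentException("The buffer size specified for the MultipartFormInputStream is too small: " + bufSize + " < " + (this.boundaryLength + 1));`. The guard is placed correctly as far as the hunk shows: it runs before `this.boundary` is allocated, so a boundary that cannot fit in the buffer is refused up front, which is presumably the condition CVE-2014-0050 describes. On style, `boundaryLength = ...` is unqualified while the check and the allocation two lines later use `this.boundaryLength`; writing `this.boundaryLength = boundary.length + BOUNDARY_PREFIX.length;` keeps the three lines consistent. The enclosing constructor begins and ends outside the hunk.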
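Review bot: The added `@throws IllegalArgumentException If the buffer size is too small` documents the three-argument constructor, which has no buffer-size parameter, so a caller reading it cannot tell what they control; what they control is the boundary. Suggest `@throws IllegalArgumentException if the boundary (plus its CR/LF prefix) is too long for the default buffer size`, on the assumption that this overload delegates with a default size to the four-argument constructor named in the `@see` tag; that delegation is outside the hunk. It is also worth noting in the same Javadoc that this is an unchecked exception which callers parsing a request are expected to translate into a content-type error, as the FileUploadBase change in this commit does, so that future callers do not let it escape as a server error.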
