markt pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/10.1.x by this push:
new 49641adc06 Allow two overlapping ranges but no more.
49641adc06 is described below
commit 49641adc065a56ab3ae32b2f0db6b9176ef90652
Author: Mark Thomas <[email protected]>
AuthorDate: Wed Dec 4 09:32:38 2024 +0000
Allow two overlapping ranges but no more.
---
.../org/apache/catalina/servlets/DefaultServlet.java | 20 ++++++++++++++++----
.../servlets/TestDefaultServletRangeRequests.java | 9 ++++++---
2 files changed, 22 insertions(+), 7 deletions(-)
diff --git a/java/org/apache/catalina/servlets/DefaultServlet.java
b/java/org/apache/catalina/servlets/DefaultServlet.java
index 95633e7bc4..201883945b 100644
--- a/java/org/apache/catalina/servlets/DefaultServlet.java
+++ b/java/org/apache/catalina/servlets/DefaultServlet.java
@@ -1251,6 +1251,7 @@ public class DefaultServlet extends HttpServlet {
private static boolean validate(Ranges ranges, long length) {
List<long[]> rangeContext = new ArrayList<>();
+ int overlapCount = 0;
for (Ranges.Entry range : ranges.getEntries()) {
long start = getStart(range, length);
long end = getEnd(range, length);
@@ -1258,8 +1259,16 @@ public class DefaultServlet extends HttpServlet {
// Invalid range
return false;
}
- // See https://www.rfc-editor.org/rfc/rfc9110.html#status.416
- // No good reason for ranges to overlap so always reject
+ /*
+ * See https://www.rfc-editor.org/rfc/rfc9110.html#name-range and
+ * https://www.rfc-editor.org/rfc/rfc9110.html#status.416
+ *
+ * The server MAY ignore or reject Range headers with:
+ *
+ * - "Many" (undefined) small ranges not in ascending order - not
currently enforced.
+ *
+ * - More than two overlapping ranges (enforced)
+ */
for (long[] r : rangeContext) {
long s2 = r[0];
long e2 = r[1];
@@ -1269,8 +1278,11 @@ public class DefaultServlet extends HttpServlet {
// If not { s1>e2 || s2>e1 } then overlap
// De Morgan's law
if (start <= e2 && s2 <= end) {
- // isOverlap
- return false;
+ overlapCount++;
+ // Off by one is deliberate. There is 1 more overlapping
range than there are overlaps.
+ if (overlapCount > 1) {
+ return false;
+ }
}
}
rangeContext.add(new long[] { start, end });
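Review bot: The comment on the new counter, "There is 1 more overlapping range than there are overlaps", only holds for a single pair. `overlapCount` is declared before the loop over `ranges.getEntries()` and is incremented for every overlapping pair found in the header, so the rule actually enforced is "at most one overlapping pair per request". Two independent pairs (four ranges, no byte requested more than twice) are rejected the same way as three stacked ranges. That is the conservative choice for a limit that presumably exists to bound how much a Range header can inflate the response, but the comment should say so, for example `// Header-wide count: at most one overlapping pair is accepted; any second overlap rejects the request.` The body of `validate` continues outside the hunk.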
diff --git
a/test/org/apache/catalina/servlets/TestDefaultServletRangeRequests.java
b/test/org/apache/catalina/servlets/TestDefaultServletRangeRequests.java
index ccd41fbc26..170787c06c 100644
--- a/test/org/apache/catalina/servlets/TestDefaultServletRangeRequests.java
+++ b/test/org/apache/catalina/servlets/TestDefaultServletRangeRequests.java
@@ -63,9 +63,12 @@ public class TestDefaultServletRangeRequests extends
TomcatBaseTest {
parameterSets.add(new Object[] { "bytes=b-10", null,
Integer.valueOf(416), "", "*/" + len });
// Invalid ranges (out of range)
parameterSets.add(new Object[] { "bytes=1000-2000", null,
Integer.valueOf(416), "", "*/" + len });
- // Invalid overlapping ranges
- parameterSets.add(new Object[] { "bytes=1-100, 30-50", null,
Integer.valueOf(416), "", "*/" + len });
- parameterSets.add(new Object[] { "bytes=1-100, 90-150", null,
Integer.valueOf(416), "", "*/" + len });
+ // Valid overlapping ranges (up to 2)
+ parameterSets.add(new Object[] { "bytes=1-100, 30-50", null,
Integer.valueOf(206), "", "30-50/" + len });
+ parameterSets.add(new Object[] { "bytes=1-100, 90-150", null,
Integer.valueOf(206), "", "1-100/" + len });
+ // Invalid overlapping ranges (3 or more)
+ parameterSets.add(new Object[] { "bytes=1-100, 30-50, 10-20", null,
Integer.valueOf(416), "", "*/" + len });
+ parameterSets.add(new Object[] { "bytes=1-100, 90-150, 10-20", null,
Integer.valueOf(416), "", "*/" + len });
// Invalid no equals
parameterSets.add(new Object[] { "bytes 1-10", null,
Integer.valueOf(416), "", "*/" + len });
parameterSets.add(new Object[] { "bytes1-10", null,
Integer.valueOf(416), "", "*/" + len });
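Review bot: Both new 416 cases add a third range that overlaps `1-100`, so they do not pin how the limit treats overlaps that are unrelated to each other. From the `DefaultServlet` change the count looks header-wide, so two separate overlapping pairs should also be rejected; a case such as `parameterSets.add(new Object[] { "bytes=1-10, 5-15, 20-30, 25-35", null, Integer.valueOf(416), "", "*/" + len });` would lock that in. A case with two identical ranges (`bytes=1-10, 1-10`), which the visible check counts as a single overlap and so should still be served, would cover the other edge of the boundary. The enclosing method starts and ends outside the hunk.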