This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 7.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/7.0.x by this push: new bbf76e4 Ensure that the entire global XSLT file is read if one is defined. bbf76e4 is described below commit bbf76e4c301197cd0c12299cf495d988283616f9 Author: Mark Thomas <ma...@apache.org> AuthorDate: Fri May 17 17:03:56 2019 +0100 Ensure that the entire global XSLT file is read if one is defined. Identified by Coverity Scan. --- .../apache/catalina/servlets/DefaultServlet.java | 29 +++++++++++++--------- java/org/apache/catalina/util/IOTools.java | 20 +++++++++++++++ webapps/docs/changelog.xml | 4 +++ 3 files changed, 41 insertions(+), 12 deletions(-)
diff --git a/java/org/apache/catalina/servlets/DefaultServlet.java b/java/org/apache/catalina/servlets/DefaultServlet.java
index 02e4e9e..16ba71d 100644
--- a/java/org/apache/catalina/servlets/DefaultServlet.java
+++ b/java/org/apache/catalina/servlets/DefaultServlet.java
@@ -68,6 +68,7 @@ import javax.xml.transform.stream.StreamSource;
 import org.apache.catalina.Globals;
 import org.apache.catalina.connector.RequestFacade;
 import org.apache.catalina.connector.ResponseFacade;
+import org.apache.catalina.util.IOTools;
 import org.apache.catalina.util.RequestUtil;
 import org.apache.catalina.util.ServerInfo;
 import org.apache.catalina.util.URLEncoder;
@@ -1745,17 +1746,22 @@ public class DefaultServlet
 File f = validateGlobalXsltFile();
 if (f != null){
 FileInputStream fis = null;
- try {
- fis = new FileInputStream(f);
- byte b[] = new byte[(int)f.length()]; /* danger! */
- fis.read(b);
- return new StreamSource(new ByteArrayInputStream(b));
- } finally {
- if (fis != null) {
- try {
- fis.close();
- } catch (IOException ioe) {
- // Ignore
+ long globalXsltFileSize = f.length();
+ if (globalXsltFileSize > Integer.MAX_VALUE) {
+ log("globalXsltFile [" + f.getAbsolutePath() + "] is too big to buffer");
+ } else {
+ try {
+ fis = new FileInputStream(f);
+ byte b[] = new byte[(int)f.length()];
+ IOTools.readFully(fis, b);
+ return new StreamSource(new ByteArrayInputStream(b));
+ } finally {
+ if (fis != null) {
+ try {
+ fis.close();
+ } catch (IOException ioe) {
+ // Ignore
+ }
 }
 }
 }
@@ -1763,7 +1769,6 @@ public class DefaultServlet } return null; - }
diff --git a/java/org/apache/catalina/util/IOTools.java b/java/org/apache/catalina/util/IOTools.java
index 77090dd..d7ae3bb 100644
--- a/java/org/apache/catalina/util/IOTools.java
+++ b/java/org/apache/catalina/util/IOTools.java
@@ -86,4 +86,24 @@ public class IOTools {
 byte[] buf = new byte[DEFAULT_BUFFER_SIZE];
 flow( is, os, buf );
 }
+
+
+ /**
+ * Read until EOF or the buffer is filled.
+ *
+ * @param is The source to read from
+ * @param buf The buffer to write to
+ *
+ * @return The number of bytes read
+ *
+ * @throws IOException If an I/O error occurs during the read
+ */
+ public static int readFully(InputStream is, byte[] buf) throws IOException {
+ int bytesRead = 0;
+ int read;
+ while (bytesRead < buf.length && ((read = is.read(buf, bytesRead, buf.length - bytesRead)) >= 0)) {
+ bytesRead += read;
+ }
+ return bytesRead;
+ }
 }
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 3a4eafd..50b4a15 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
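Review bot: In the DefaultServlet.java hunk at -1745, the buffer is still sized with a second `f.length()` call rather than the `globalXsltFileSize` value that was just range-checked, and the count returned by `IOTools.readFully(fis, b)` is discarded. If the file changes size between the check and the read, the size that was validated is not the size that is allocated, and a short read leaves trailing zero bytes in the buffer handed to the XSLT parser. Consider `byte b[] = new byte[(int) globalXsltFileSize];`, `int n = IOTools.readFully(fis, b);` and `return new StreamSource(new ByteArrayInputStream(b, 0, n));`. The `Integer.MAX_VALUE` test only keeps the cast from wrapping and does not bound the heap allocation, so a comment stating that the file is assumed to be a small, administrator-controlled stylesheet would help. The enclosing method starts and ends outside the hunk.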
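Review bot: The name `readFully` added in IOTools.java invites comparison with `DataInputStream.readFully`, which throws `EOFException` on a short read, whereas this method returns silently with the buffer only partly filled. The Javadoc should say so explicitly, for example `@return The number of bytes read, which is less than buf.length if EOF is reached first; the rest of buf is left unchanged`, so callers know they must check the result. The only caller added in this commit, in DefaultServlet, ignores the return value.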
@@ -100,6 +100,10 @@ serialization with mem-cached. Patch provided by Martin Lemanski. (markt) </fix> + <fix> + Ensure that the default servlet reads the entire global XSLT file if + one is defined. Identified by Coverity Scan. (markt) + </fix> </changelog> </subsection> <subsection name="Coyote">