netty/CVE-2021-21295-pre1.patch


2021-04-06 15:28:11 +08:00
From bcb62be62bd989c0292e0f8e22a51127907cefdc Mon Sep 17 00:00:00 2001
From: Bennett Lynch <bennett.lynch@gmail.com>
Date: Thu, 11 Jun 2020 22:39:10 -0700
Subject: [PATCH] Consolidate HttpObjectDecoder default values into
constants (#10344)
Motivation
HttpObjectDecoder and its associated classes make frequent use of
default values for maxInitialLineLength, maxHeaderSize, maxChunkSize,
etc. Today, these defaults are defined in-line in constructors and
duplicated across many classes. This repetition is more prone to error
and inconsistencies.
Furthermore, due to the current lack of builder support, if a user wants
to change just one of these values (e.g., maxHeaderSize), they are also
required to know and repeat the other default values (e.g.,
maxInitialLineLength and maxChunkSize).
The primary motivation for this change is that we are considering adding
another constructor parameter (for multiple content length behavior).
Appending this parameter may require some users to have prior knowledge
of the default initialBufferSize, and it would be cleaner to allow them
to reference the default constant.
Modifications
* Consolidate the HttpObjectDecoder default values into public constants
* Reference these constants where possible
Result
No functional change. Additional telescoping constructors will be easier
and safer to write. Users may have an easier experience changing single
parameters.
---
.../netty/handler/codec/http/HttpClientCodec.java | 6 +++++-
.../handler/codec/http/HttpObjectDecoder.java | 15 ++++++++++++---
.../handler/codec/http/HttpRequestDecoder.java | 7 ++++---
.../handler/codec/http/HttpResponseDecoder.java | 7 ++++---
.../netty/handler/codec/http/HttpServerCodec.java | 6 +++++-
.../io/netty/handler/codec/rtsp/RtspDecoder.java | 10 ----------
.../handler/codec/rtsp/RtspObjectDecoder.java | 4 +++-
7 files changed, 33 insertions(+), 22 deletions(-)
diff --git a/codec-http/src/main/java/io/netty/handler/codec/http/HttpClientCodec.java b/codec-http/src/main/java/io/netty/handler/codec/http/HttpClientCodec.java
index da4c440466..a832bfdff3 100644
--- a/codec-http/src/main/java/io/netty/handler/codec/http/HttpClientCodec.java
+++ b/codec-http/src/main/java/io/netty/handler/codec/http/HttpClientCodec.java
@@ -28,6 +28,10 @@ import java.util.List;
import java.util.Queue;
import java.util.concurrent.atomic.AtomicLong;
+import static io.netty.handler.codec.http.HttpObjectDecoder.DEFAULT_MAX_CHUNK_SIZE;
+import static io.netty.handler.codec.http.HttpObjectDecoder.DEFAULT_MAX_HEADER_SIZE;
+import static io.netty.handler.codec.http.HttpObjectDecoder.DEFAULT_MAX_INITIAL_LINE_LENGTH;
+
/**
* A combination of {@link HttpRequestEncoder} and {@link HttpResponseDecoder}
* which enables easier client side HTTP implementation. {@link HttpClientCodec}
@@ -61,7 +65,7 @@ public final class HttpClientCodec extends CombinedChannelDuplexHandler<HttpResp
* {@code maxChunkSize (8192)}).
*/
public HttpClientCodec() {
- this(4096, 8192, 8192, false);
+ this(DEFAULT_MAX_INITIAL_LINE_LENGTH, DEFAULT_MAX_HEADER_SIZE, DEFAULT_MAX_CHUNK_SIZE, false);
}
/**
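Review bot: The Javadoc above `HttpClientCodec()` still spells the defaults out as literals (`{@code maxChunkSize (8192)}` is visible as context), so the numbers are now duplicated between the comment and the new constants and can drift apart. Since the constructor takes its values from `HttpObjectDecoder`, the comment could reference them instead, e.g. `{@code maxChunkSize} ({@value HttpObjectDecoder#DEFAULT_MAX_CHUNK_SIZE})`. The same literal appears in the Javadoc context of the `HttpObjectDecoder()`, `HttpServerCodec()` and `RtspObjectDecoder()` hunks. The Javadoc block starts outside this hunk, so the other two values are presumably written the same way.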
diff --git a/codec-http/src/main/java/io/netty/handler/codec/http/HttpObjectDecoder.java b/codec-http/src/main/java/io/netty/handler/codec/http/HttpObjectDecoder.java
index e39ed9e48a..d4caf29c6d 100644
--- a/codec-http/src/main/java/io/netty/handler/codec/http/HttpObjectDecoder.java
+++ b/codec-http/src/main/java/io/netty/handler/codec/http/HttpObjectDecoder.java
@@ -100,6 +100,13 @@ import java.util.List;
* implement all abstract methods properly.
*/
public abstract class HttpObjectDecoder extends ByteToMessageDecoder {
+ public static final int DEFAULT_MAX_INITIAL_LINE_LENGTH = 4096;
+ public static final int DEFAULT_MAX_HEADER_SIZE = 8192;
+ public static final boolean DEFAULT_CHUNKED_SUPPORTED = true;
+ public static final int DEFAULT_MAX_CHUNK_SIZE = 8192;
+ public static final boolean DEFAULT_VALIDATE_HEADERS = true;
+ public static final int DEFAULT_INITIAL_BUFFER_SIZE = 128;
+
private static final String EMPTY_VALUE = "";
private final int maxChunkSize;
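Review bot: The six new `public static final` constants at the top of `HttpObjectDecoder` have no Javadoc, although they become public API and three of them are the default limits applied to the initial line, header block and chunks read from a remote peer. Each should get a one-line comment, for example `/** Default maximum length of the initial line, used when no maxInitialLineLength is given. */`, and `DEFAULT_VALIDATE_HEADERS` should state that passing `false` instead turns header validation off. Because these are compile-time constants, javac copies the value into every class that references them, so code built against this version keeps 4096/8192 even if a later release changes a default. A sentence saying that callers who want to follow the library default should use the shorter constructors would cover that. The class body continues outside the hunk.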
@@ -145,7 +152,8 @@ public abstract class HttpObjectDecoder extends ByteToMessageDecoder {
* {@code maxChunkSize (8192)}.
*/
protected HttpObjectDecoder() {
- this(4096, 8192, 8192, true);
+ this(DEFAULT_MAX_INITIAL_LINE_LENGTH, DEFAULT_MAX_HEADER_SIZE, DEFAULT_MAX_CHUNK_SIZE,
+ DEFAULT_CHUNKED_SUPPORTED);
}
/**
@@ -153,7 +161,7 @@ public abstract class HttpObjectDecoder extends ByteToMessageDecoder {
*/
protected HttpObjectDecoder(
int maxInitialLineLength, int maxHeaderSize, int maxChunkSize, boolean chunkedSupported) {
- this(maxInitialLineLength, maxHeaderSize, maxChunkSize, chunkedSupported, true);
+ this(maxInitialLineLength, maxHeaderSize, maxChunkSize, chunkedSupported, DEFAULT_VALIDATE_HEADERS);
}
/**
@@ -162,7 +170,8 @@ public abstract class HttpObjectDecoder extends ByteToMessageDecoder {
protected HttpObjectDecoder(
int maxInitialLineLength, int maxHeaderSize, int maxChunkSize,
boolean chunkedSupported, boolean validateHeaders) {
- this(maxInitialLineLength, maxHeaderSize, maxChunkSize, chunkedSupported, validateHeaders, 128);
+ this(maxInitialLineLength, maxHeaderSize, maxChunkSize, chunkedSupported, validateHeaders,
+ DEFAULT_INITIAL_BUFFER_SIZE);
}
protected HttpObjectDecoder(
diff --git a/codec-http/src/main/java/io/netty/handler/codec/http/HttpRequestDecoder.java b/codec-http/src/main/java/io/netty/handler/codec/http/HttpRequestDecoder.java
index 24252c7358..70c1db5540 100644
--- a/codec-http/src/main/java/io/netty/handler/codec/http/HttpRequestDecoder.java
+++ b/codec-http/src/main/java/io/netty/handler/codec/http/HttpRequestDecoder.java
@@ -67,18 +67,19 @@ public class HttpRequestDecoder extends HttpObjectDecoder {
*/
public HttpRequestDecoder(
int maxInitialLineLength, int maxHeaderSize, int maxChunkSize) {
- super(maxInitialLineLength, maxHeaderSize, maxChunkSize, true);
+ super(maxInitialLineLength, maxHeaderSize, maxChunkSize, DEFAULT_CHUNKED_SUPPORTED);
}
public HttpRequestDecoder(
int maxInitialLineLength, int maxHeaderSize, int maxChunkSize, boolean validateHeaders) {
- super(maxInitialLineLength, maxHeaderSize, maxChunkSize, true, validateHeaders);
+ super(maxInitialLineLength, maxHeaderSize, maxChunkSize, DEFAULT_CHUNKED_SUPPORTED, validateHeaders);
}
public HttpRequestDecoder(
int maxInitialLineLength, int maxHeaderSize, int maxChunkSize, boolean validateHeaders,
int initialBufferSize) {
- super(maxInitialLineLength, maxHeaderSize, maxChunkSize, true, validateHeaders, initialBufferSize);
+ super(maxInitialLineLength, maxHeaderSize, maxChunkSize, DEFAULT_CHUNKED_SUPPORTED, validateHeaders,
+ initialBufferSize);
}
@Override
diff --git a/codec-http/src/main/java/io/netty/handler/codec/http/HttpResponseDecoder.java b/codec-http/src/main/java/io/netty/handler/codec/http/HttpResponseDecoder.java
index c6351c47bf..39d4d6a5ad 100644
--- a/codec-http/src/main/java/io/netty/handler/codec/http/HttpResponseDecoder.java
+++ b/codec-http/src/main/java/io/netty/handler/codec/http/HttpResponseDecoder.java
@@ -98,18 +98,19 @@ public class HttpResponseDecoder extends HttpObjectDecoder {
*/
public HttpResponseDecoder(
int maxInitialLineLength, int maxHeaderSize, int maxChunkSize) {
- super(maxInitialLineLength, maxHeaderSize, maxChunkSize, true);
+ super(maxInitialLineLength, maxHeaderSize, maxChunkSize, DEFAULT_CHUNKED_SUPPORTED);
}
public HttpResponseDecoder(
int maxInitialLineLength, int maxHeaderSize, int maxChunkSize, boolean validateHeaders) {
- super(maxInitialLineLength, maxHeaderSize, maxChunkSize, true, validateHeaders);
+ super(maxInitialLineLength, maxHeaderSize, maxChunkSize, DEFAULT_CHUNKED_SUPPORTED, validateHeaders);
}
public HttpResponseDecoder(
int maxInitialLineLength, int maxHeaderSize, int maxChunkSize, boolean validateHeaders,
int initialBufferSize) {
- super(maxInitialLineLength, maxHeaderSize, maxChunkSize, true, validateHeaders, initialBufferSize);
+ super(maxInitialLineLength, maxHeaderSize, maxChunkSize, DEFAULT_CHUNKED_SUPPORTED, validateHeaders,
+ initialBufferSize);
}
@Override
diff --git a/codec-http/src/main/java/io/netty/handler/codec/http/HttpServerCodec.java b/codec-http/src/main/java/io/netty/handler/codec/http/HttpServerCodec.java
index a009df1145..8ae6295cf7 100644
--- a/codec-http/src/main/java/io/netty/handler/codec/http/HttpServerCodec.java
+++ b/codec-http/src/main/java/io/netty/handler/codec/http/HttpServerCodec.java
@@ -23,6 +23,10 @@ import java.util.ArrayDeque;
import java.util.List;
import java.util.Queue;
+import static io.netty.handler.codec.http.HttpObjectDecoder.DEFAULT_MAX_CHUNK_SIZE;
+import static io.netty.handler.codec.http.HttpObjectDecoder.DEFAULT_MAX_HEADER_SIZE;
+import static io.netty.handler.codec.http.HttpObjectDecoder.DEFAULT_MAX_INITIAL_LINE_LENGTH;
+
/**
* A combination of {@link HttpRequestDecoder} and {@link HttpResponseEncoder}
* which enables easier server side HTTP implementation.
@@ -41,7 +45,7 @@ public final class HttpServerCodec extends CombinedChannelDuplexHandler<HttpRequ
* {@code maxChunkSize (8192)}).
*/
public HttpServerCodec() {
- this(4096, 8192, 8192);
+ this(DEFAULT_MAX_INITIAL_LINE_LENGTH, DEFAULT_MAX_HEADER_SIZE, DEFAULT_MAX_CHUNK_SIZE);
}
/**
diff --git a/codec-http/src/main/java/io/netty/handler/codec/rtsp/RtspDecoder.java b/codec-http/src/main/java/io/netty/handler/codec/rtsp/RtspDecoder.java
index acc028978f..b2a353d298 100644
--- a/codec-http/src/main/java/io/netty/handler/codec/rtsp/RtspDecoder.java
+++ b/codec-http/src/main/java/io/netty/handler/codec/rtsp/RtspDecoder.java
@@ -71,16 +71,6 @@ public class RtspDecoder extends HttpObjectDecoder {
*/
private static final Pattern versionPattern = Pattern.compile("RTSP/\\d\\.\\d");
- /**
- * Constant for default max initial line length.
- */
- public static final int DEFAULT_MAX_INITIAL_LINE_LENGTH = 4096;
-
- /**
- * Constant for default max header size.
- */
- public static final int DEFAULT_MAX_HEADER_SIZE = 8192;
-
/**
* Constant for default max content length.
*/
diff --git a/codec-http/src/main/java/io/netty/handler/codec/rtsp/RtspObjectDecoder.java b/codec-http/src/main/java/io/netty/handler/codec/rtsp/RtspObjectDecoder.java
index e52c0ce51e..69b8ebb1f0 100644
--- a/codec-http/src/main/java/io/netty/handler/codec/rtsp/RtspObjectDecoder.java
+++ b/codec-http/src/main/java/io/netty/handler/codec/rtsp/RtspObjectDecoder.java
@@ -20,6 +20,8 @@ import io.netty.handler.codec.TooLongFrameException;
import io.netty.handler.codec.http.HttpMessage;
import io.netty.handler.codec.http.HttpObjectDecoder;
+import static io.netty.handler.codec.rtsp.RtspDecoder.DEFAULT_MAX_CONTENT_LENGTH;
+
/**
* Decodes {@link ByteBuf}s into RTSP messages represented in
* {@link HttpMessage}s.
@@ -59,7 +61,7 @@ public abstract class RtspObjectDecoder extends HttpObjectDecoder {
* {@code maxContentLength (8192)}.
*/
protected RtspObjectDecoder() {
- this(4096, 8192, 8192);
+ this(DEFAULT_MAX_INITIAL_LINE_LENGTH, DEFAULT_MAX_HEADER_SIZE, DEFAULT_MAX_CONTENT_LENGTH);
}
/**
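Review bot: The third argument of `RtspObjectDecoder()` changes from the literal `8192` to `DEFAULT_MAX_CONTENT_LENGTH`, whose value is not visible in this patch (the `RtspDecoder` hunk shows only its Javadoc). The commit's "No functional change" therefore holds only if that constant is 8192, which should be confirmed. The change also makes this class take one default from `RtspDecoder`, a sibling that extends the same base class, while the other two are inherited from `HttpObjectDecoder`. A comment at the static import such as `// content-length default lives in RtspDecoder; line/header defaults are inherited from HttpObjectDecoder` would make the mixed origin clear.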
--
2.23.0