packages/tomcat
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
tomcat/CVE-2024-54677-3.patch
wk333 ebb0431a51 Fix CVE-2024-50379 CVE-2024-54677 
(cherry picked from commit 37b6fbcf4c334035b8423e43c24b2bea2397c27f)
2024-12-18 11:02:40 +08:00

138 lines
6.2 KiB
Diff
Raw Blame History

From 84065e26ca4555e63a922bb29b13b0a1c86b7654 Mon Sep 17 00:00:00 2001
From: Mark Thomas <markt@apache.org>
Date: Mon, 2 Dec 2024 18:09:44 +0000
Subject: [PATCH] Add a limit of 10 attributes per session to the session
example
Origin: https://github.com/apache/tomcat/commit/84065e26ca4555e63a922bb29b13b0a1c86b7654
---
webapps/docs/changelog.xml | 4 +
.../WEB-INF/classes/SessionExample.java | 94 ++++++++++++-------
2 files changed, 64 insertions(+), 34 deletions(-)
diff --git a/webapps/examples/WEB-INF/classes/SessionExample.java b/webapps/examples/WEB-INF/classes/SessionExample.java
index b3de2f866956..60eaa2e03e4b 100644
--- a/webapps/examples/WEB-INF/classes/SessionExample.java
+++ b/webapps/examples/WEB-INF/classes/SessionExample.java
@@ -41,6 +41,9 @@ public class SessionExample extends HttpServlet {
private static final long serialVersionUID = 1L;
+ private static final int SESSION_ATTRIBUTE_COUNT_LIMIT = 10;
+
+
@Override
public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
ResourceBundle rb = ResourceBundle.getBundle("LocalStrings", request.getLocale());
@@ -76,15 +79,34 @@ public void doGet(HttpServletRequest request, HttpServletResponse response) thro
out.println(rb.getString("sessions.lastaccessed") + " ");
out.println(new Date(session.getLastAccessedTime()));
+ // Count the existing attributes
+ int sessionAttributeCount = 0;
+ Enumeration<String> names = session.getAttributeNames();
+ while (names.hasMoreElements()) {
+ names.nextElement();
+ sessionAttributeCount++;
+ }
+
String dataName = request.getParameter("dataname");
String dataValue = request.getParameter("datavalue");
if (dataName != null) {
- session.setAttribute(dataName, dataValue);
+ if (dataValue == null) {
+ session.removeAttribute(dataName);
+ sessionAttributeCount--;
+ } else if (sessionAttributeCount < SESSION_ATTRIBUTE_COUNT_LIMIT) {
+ session.setAttribute(dataName, dataValue);
+ sessionAttributeCount++;
+ } else {
+ out.print("<p> Session attribute [");
+ out.print(HTMLFilter.filter(dataName));
+ out.print("] not added as there are already "+ SESSION_ATTRIBUTE_COUNT_LIMIT + " attributes in the ");
+ out.println("session. Delete an attribute before adding another.");
+ }
}
- out.println("<P>");
+ out.println("<p>");
out.println(rb.getString("sessions.data") + "<br>");
- Enumeration<String> names = session.getAttributeNames();
+ names = session.getAttributeNames();
while (names.hasMoreElements()) {
String name = names.nextElement();
String value = session.getAttribute(name).toString();
@@ -96,37 +118,41 @@ public void doGet(HttpServletRequest request, HttpServletResponse response) thro
out.println("<br>");
}
- out.println("<P>");
- out.print("<form action=\"");
- out.print(response.encodeURL("SessionExample"));
- out.print("\" ");
- out.println("method=POST>");
- out.println(rb.getString("sessions.dataname"));
- out.println("<input type=text size=20 name=dataname>");
- out.println("<br>");
- out.println(rb.getString("sessions.datavalue"));
- out.println("<input type=text size=20 name=datavalue>");
- out.println("<br>");
- out.println("<input type=submit>");
- out.println("</form>");
-
- out.println("<P>GET based form:<br>");
- out.print("<form action=\"");
- out.print(response.encodeURL("SessionExample"));
- out.print("\" ");
- out.println("method=GET>");
- out.println(rb.getString("sessions.dataname"));
- out.println("<input type=text size=20 name=dataname>");
- out.println("<br>");
- out.println(rb.getString("sessions.datavalue"));
- out.println("<input type=text size=20 name=datavalue>");
- out.println("<br>");
- out.println("<input type=submit>");
- out.println("</form>");
-
- out.print("<p><a href=\"");
- out.print(HTMLFilter.filter(response.encodeURL("SessionExample?dataname=exampleName&datavalue=exampleValue")));
- out.println("\" >URL encoded </a>");
+ if (sessionAttributeCount < SESSION_ATTRIBUTE_COUNT_LIMIT) {
+ out.println("<p>");
+ out.print("<form action=\"");
+ out.print(response.encodeURL("SessionExample"));
+ out.print("\" ");
+ out.println("method=POST>");
+ out.println(rb.getString("sessions.dataname"));
+ out.println("<input type=text size=20 name=dataname>");
+ out.println("<br>");
+ out.println(rb.getString("sessions.datavalue"));
+ out.println("<input type=text size=20 name=datavalue>");
+ out.println("<br>");
+ out.println("<input type=submit>");
+ out.println("</form>");
+
+ out.println("<p>GET based form:<br>");
+ out.print("<form action=\"");
+ out.print(response.encodeURL("SessionExample"));
+ out.print("\" ");
+ out.println("method=GET>");
+ out.println(rb.getString("sessions.dataname"));
+ out.println("<input type=text size=20 name=dataname>");
+ out.println("<br>");
+ out.println(rb.getString("sessions.datavalue"));
+ out.println("<input type=text size=20 name=datavalue>");
+ out.println("<br>");
+ out.println("<input type=submit>");
+ out.println("</form>");
+
+ out.print("<p><a href=\"");
+ out.print(HTMLFilter.filter(response.encodeURL("SessionExample?dataname=exampleName&datavalue=exampleValue")));
+ out.println("\" >URL encoded </a>");
+ } else {
+ out.print("<p>You may not add more than " + SESSION_ATTRIBUTE_COUNT_LIMIT + " attributes to this session.");
+ }
out.println("</body>");
out.println("</html>");
Reference in New Issue View Git Blame Copy Permalink