From 23417c2e253aea348f0ad96cc14aaafa9b7235b6 Mon Sep 17 00:00:00 2001
From: liyuxiang
Date: Mon, 6 Mar 2023 09:38:38 +0800
Subject: [PATCH] CVE-2023-24998

(cherry picked from commit ad7ffd5d835d008cf7a4e80a7fa14931fd5a46b8)
---
 CVE-2023-24998.patch | 117 +++++++++++++++++++++++++++++++++
 apache-commons-fileupload.spec | 8 ++-
 2 files changed, 124 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2023-24998.patch

diff --git a/CVE-2023-24998.patch b/CVE-2023-24998.patch
new file mode 100644
index 0000000..05f05dc
--- /dev/null
+++ b/CVE-2023-24998.patch
@@ -0,0 +1,117 @@
+Description: CVE-2023-24998
+ Apache Commons FileUpload before 1.5 does not limit the number of
+ request parts to be processed resulting in the possibility of an
+ attacker triggering a DoS with a malicious upload or series of uploads.
+Origin: https://github.com/apache/commons-fileupload/commit/e20c04990f7420ca917e96a84cec58b13a1b3d17
+Author: Mark Thomas
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031733
+Forwarded: not-needed
+
+--- /dev/null
++++ b/src/main/java/org/apache/commons/fileupload/FileCountLimitExceededException.java
+@@ -0,0 +1,51 @@
++/*
++ * Licensed to the Apache Software Foundation (ASF) under one or more
++ * contributor license agreements. See the NOTICE file distributed with
++ * this work for additional information regarding copyright ownership.
++ * The ASF licenses this file to You under the Apache License, Version 2.0
++ * (the "License"); you may not use this file except in compliance with
++ * the License. You may obtain a copy of the License at
++ *
++ * http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++package org.apache.commons.fileupload;
++
++/**
++ * This exception is thrown if a request contains more files than the specified
++ * limit.
++ */
++public class FileCountLimitExceededException extends FileUploadException {
++
++ private static final long serialVersionUID = 6904179610227521789L;
++
++ /**
++ * The limit that was exceeded.
++ */
++ private final long limit;
++
++ /**
++ * Creates a new instance.
++ *
++ * @param message The detail message
++ * @param limit The limit that was exceeded
++ */
++ public FileCountLimitExceededException(final String message, final long limit) {
++ super(message);
++ this.limit = limit;
++ }
++
++ /**
++ * Retrieves the limit that was exceeded.
++ *
++ * @return The limit that was exceeded by the request
++ */
++ public long getLimit() {
++ return limit;
++ }
++}
+--- a/src/main/java/org/apache/commons/fileupload/FileUploadBase.java
++++ b/src/main/java/org/apache/commons/fileupload/FileUploadBase.java
+@@ -166,6 +166,12 @@
+ private long fileSizeMax = -1;
+
+ /**
++ * The maximum permitted number of files that may be uploaded in a single
++ * request. A value of -1 indicates no maximum.
++ */
++ private long fileCountMax = -1;
++
++ /**
+ * The content encoding to use when reading part headers.
+ */
+ private String headerEncoding;
+@@ -242,6 +248,25 @@
+ }
+
+ /**
++ * Returns the maximum number of files allowed in a single request.
++ *
++ * @return The maximum number of files allowed in a single request.
++ */
++ public long getFileCountMax() {
++ return fileCountMax;
++ }
++
++ /**
++ * Sets the maximum number of files allowed per request.
++ *
++ * @param fileCountMax The new limit. {@code -1} means no limit.
++ */
++ public void setFileCountMax(final long fileCountMax) {
++ this.fileCountMax = fileCountMax;
++ }
++
++
++ /**
+ * Retrieves the character encoding used when reading the headers of an
+ * individual part. When not specified, or null, the request
+ * encoding is used. If that is also not specified, or null,
+@@ -336,7 +361,11 @@
+ throw new NullPointerException("No FileItemFactory has been set.");
+ }
+ while (iter.hasNext()) {
+- final FileItemStream item = iter.next();
++ if (items.size() == fileCountMax) {
++ // The next item will exceed the limit.
++ throw new FileCountLimitExceededException(ATTACHMENT, getFileCountMax());
++ }
++ final FileItemStream item = iter.next();
+ // Don't use getName() here to prevent an InvalidFileNameException.
+ final String fileName = ((FileItemIteratorImpl.FileItemStreamImpl) item).name;
+ FileItem fileItem = fac.createItem(item.getFieldName(), item.getContentType(),
diff --git a/apache-commons-fileupload.spec b/apache-commons-fileupload.spec
index 128beca..508bab8 100644
--- a/apache-commons-fileupload.spec
+++ b/apache-commons-fileupload.spec
@@ -1,12 +1,14 @@
 %bcond_without portlet
 Name: apache-commons-fileupload
 Version: 1.4
-Release: 1
+Release: 2
 Summary: API to work with HTML file upload
 License: ASL 2.0
 URL: http://commons.apache.org/fileupload/
 BuildArch: noarch
 Source0: http://archive.apache.org/dist/commons/fileupload/source/commons-fileupload-%{version}-src.tar.gz
+
+Patch0: CVE-2023-24998.patch
 BuildRequires: maven-local mvn(commons-io:commons-io) mvn(javax.servlet:servlet-api)
 BuildRequires: mvn(junit:junit) mvn(org.apache.commons:commons-parent:pom:)
 %if %{with portlet}
@@ -29,6 +31,7 @@ This package contains the API documentation for %{name}.
 
 %prep
 %setup -q -n commons-fileupload-%{version}-src
+%patch0 -p1
 sed -i 's/\r//' LICENSE.txt
 sed -i 's/\r//' NOTICE.txt
 %if %{with portlet}
@@ -55,5 +58,8 @@ rm -r src/main/java/org/apache/commons/fileupload/portlet
 %license LICENSE.txt NOTICE.txt
 
 %changelog
+* Mon Mar 06 2023 liyuxiang - 1.4-2
+- fix CVE-2023-24998
+
 * Tue Aug 4 2020 yanan li - 1.4-1
 - Package init
-- 
Gitee
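Review bot: The new part-count limit is opt-in: `fileCountMax` is initialised to -1 and the guard `if (items.size() == fileCountMax)` in the FileUploadBase hunk never fires until an application calls `setFileCountMax`, so rebuilding the package with this patch does not by itself close the DoS the changelog entry says it fixes. That deserves a visible statement, e.g. a changelog line such as `- fix CVE-2023-24998 (applications must call FileUploadBase#setFileCountMax to enable the limit)` and a Javadoc sentence on `setFileCountMax` saying the default is unlimited. The guard also passes the bare `ATTACHMENT` constant as the exception message; a descriptive message such as `"Request contains more parts than the configured limit of " + getFileCountMax()` (constructed wording) makes the rejection recognisable in application logs. The check sits where parsed parts are accumulated into `items`, so callers that consume the streaming iterator directly would presumably not be covered — worth confirming against the rest of the class, which lies outside this hunk; the enclosing method starts and ends outside the hunk as well.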