Merge pull request #1860 from fl4via/backport-fixes_2.3.x

[UNDERTOW-2653 / 2605 / 2582 / 2534 / 2609 / 2377 / 2656 / 2674 / 2668] CVE-2024-3884 CVE-2024-4027 CVE-2025-12543 Backport fixes to branch 2.3.x

Author: fl4via

.github/workflows/ci.yml

@@ -59,7 +59,7 @@ jobs:
       fail-fast: false
       matrix:
         os: [ubuntu-latest, windows-latest, macos-latest]
-        module: [core]
+        module: [core, servlet, websockets-jsr]
         jdk: [11, 17, 21]
         openjdk_impl: [ temurin ]
         openssl: [false, true]

build.metadata

@@ -0,0 +1,15 @@
+# Created by buildmetadata-maven-plugin 1.7.0 ( SHA: 6f444cae ) 
+build.artifactId=undertow-websockets-jsr
+build.groupId=io.undertow
+build.java.compiler=HotSpot 64-Bit Tiered Compilers
+build.java.runtime.name=OpenJDK Runtime Environment
+build.java.runtime.version=1.8.0_422-b05
+build.java.vendor=Red Hat, Inc.
+build.java.vm=OpenJDK 64-Bit Server VM
+build.maven.execution.cmdline=-Djavax.net.ssl.trustStore\=/home/aogburn/bin/builder/maven.truststore -Djavax.net.ssl.trustStorePassword\=rhmaven -s /home/aogburn/bin/builder/eap-build-settings.xml clean install -DskipTests
+build.maven.version=3.9.6
+build.scmRevision.date=17.09.2024
+build.scmRevision.id=aaa36f6ad214aecd7d0d611cad582aa058f3a3e8
+build.scmRevision.url=scm\:git\://github.com/undertow-io/undertow.git/undertow-websockets-jsr
+build.version=2.2.33.SP2-redhat-00001
+build.version.full=2.2.33.SP2-redhat-00001raaa36f6ad214aecd7d0d611cad582aa058f3a3e8

core/src/main/java/io/undertow/Handlers.java

@@ -32,6 +32,7 @@
 import io.undertow.server.handlers.DisableCacheHandler;
 import io.undertow.server.handlers.ExceptionHandler;
 import io.undertow.server.handlers.GracefulShutdownHandler;
+import io.undertow.server.handlers.HostHeaderHandler;
 import io.undertow.server.handlers.HttpContinueAcceptingHandler;
 import io.undertow.server.handlers.HttpContinueReadHandler;
 import io.undertow.server.handlers.HttpTraceHandler;
@@ -600,6 +601,17 @@ public static LearningPushHandler learningPushHandler(int maxEntries, HttpHandle
         return new LearningPushHandler(maxEntries, -1, next);
     }
 
+    /**
+     * Creates a handler that automatically vets Host header content/absence/presence according to
+     * https://datatracker.ietf.org/doc/html/rfc7230#section-5.4 and related
+     *
+     * @param next The next handler
+     * @return A host header handler
+     */
+    public static HostHeaderHandler hostHeaderHandler(HttpHandler next) {
+        return new HostHeaderHandler(next);
+    }
+
     private Handlers() {
 
     }

core/src/main/java/io/undertow/UndertowLogger.java

@@ -488,4 +488,8 @@ void nodeConfigCreated(URI connectionURI, String balancer, String domain, String
     @LogMessage(level = WARN)
     @Message(id = 5107, value = "Failed to set web socket timeout.")
     void failedToSetWSTimeout(@Cause Exception e);
+
+    @LogMessage(level = WARN)
+    @Message(id = 5108, value = "Configuration option is no longer supported: %s.")
+    void configurationNotSupported(String string);
 }

core/src/main/java/io/undertow/UndertowOptions.java

@@ -51,9 +51,14 @@ public class UndertowOptions {
     public static final Option<Long> MULTIPART_MAX_ENTITY_SIZE = Option.simple(UndertowOptions.class, "MULTIPART_MAX_ENTITY_SIZE", Long.class);
 
     /**
-     * We do not have a default upload limit
+     * Default maximum upload size 2MB
      */
-    public static final long DEFAULT_MAX_ENTITY_SIZE = -1;
+    public static final long DEFAULT_MAX_ENTITY_SIZE = 2097152;
+
+    /**
+     * Default maximum multipart upload size 2MB
+     */
+    public static final long DEFAULT_MULTIPART_MAX_ENTITY_SIZE = 2097152;
 
     /**
      * If we should buffer pipelined requests. Defaults to false.

core/src/main/java/io/undertow/attribute/QueryStringAttribute.java

@@ -42,7 +42,7 @@ private QueryStringAttribute(boolean includeQuestionMark) {
 
     @Override
     public String readAttribute(final HttpServerExchange exchange) {
-        String qs = exchange.getQueryString();
+        String qs = exchange.getDecodedQueryString();
         if(qs.isEmpty() || !includeQuestionMark) {
             return qs;
         }

core/src/main/java/io/undertow/attribute/RequestLineAttribute.java

@@ -42,9 +42,9 @@ public String readAttribute(final HttpServerExchange exchange) {
                 .append(exchange.getRequestMethod().toString())
                 .append(' ')
                 .append(exchange.getRequestURI());
-        if (!exchange.getQueryString().isEmpty()) {
+        if (!exchange.getDecodedQueryString().isEmpty()) {
             sb.append('?');
-            sb.append(exchange.getQueryString());
+            sb.append(exchange.getDecodedQueryString());
         }
         sb.append(' ')
                 .append(exchange.getProtocol().toString()).toString();

core/src/main/java/io/undertow/conduits/FixedLengthStreamSourceConduit.java

@@ -371,6 +371,11 @@ private void exitRead(long consumed, Throwable readError) throws IOException {
         }
         long newVal = oldVal - consumed;
         state = newVal;
+        if (allAreClear(state, MASK_COUNT)) {
+            if (allAreClear(state, FLAG_FINISHED)) {
+                next.suspendReads();
+            }
+        }
     }
 
     private void invokeFinishListener() {

core/src/main/java/io/undertow/security/handlers/SinglePortConfidentialityHandler.java

@@ -65,7 +65,7 @@ protected URI getRedirectURI(final HttpServerExchange exchange, final int port)
             }
         }
         uriBuilder.append(uri);
-        final String queryString = exchange.getQueryString();
+        final String queryString = exchange.getDecodedQueryString();
         if (queryString != null && !queryString.isEmpty()) {
             uriBuilder.append("?").append(queryString);
         }

core/src/main/java/io/undertow/security/impl/DigestAuthenticationMechanism.java

@@ -235,17 +235,17 @@ private AuthenticationMechanismOutcome handleDigestHeader(HttpServerExchange exc
         if(parsedHeader.containsKey(DigestAuthorizationToken.DIGEST_URI)) {
             String uri = parsedHeader.get(DigestAuthorizationToken.DIGEST_URI);
             String requestURI = exchange.getRequestURI();
-            if(!exchange.getQueryString().isEmpty()) {
-                requestURI = requestURI + "?" + exchange.getQueryString();
+            if(!exchange.getDecodedQueryString().isEmpty()) {
+                requestURI = requestURI + "?" + exchange.getDecodedQueryString();
             }
             if(!uri.equals(requestURI)) {
                 //it is possible we were given an absolute URI
                 //we reconstruct the URI from the host header to make sure they match up
                 //I am not sure if this is overly strict, however I think it is better
                 //to be safe than sorry
                 requestURI = exchange.getRequestURL();
-                if(!exchange.getQueryString().isEmpty()) {
-                    requestURI = requestURI + "?" + exchange.getQueryString();
+                if(!exchange.getDecodedQueryString().isEmpty()) {
+                    requestURI = requestURI + "?" + exchange.getDecodedQueryString();
                 }
                 if(!uri.equals(requestURI)) {
                     //just end the auth process