This is an automated email from the ASF dual-hosted git repository.
markt-asf pushed a commit to branch 11.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/11.0.x by this push:
new 82d8b6aaba Follow-up to adding limit to WebDAV bodies
82d8b6aaba is described below
commit 82d8b6aaba697fe6043aa5d991aa7c12b1c5c3f6
Author: Mark Thomas <[email protected]>
AuthorDate: Fri May 1 10:10:23 2026 +0100
Follow-up to adding limit to WebDAV bodies
Implements some suggestions from a CoPilot review
---
.../apache/catalina/servlets/WebdavServlet.java | 76 +++++++++++++---------
.../TestWebdavBoundedByteArrayOutputStream.java | 23 +++++++
2 files changed, 68 insertions(+), 31 deletions(-)
diff --git a/java/org/apache/catalina/servlets/WebdavServlet.java
b/java/org/apache/catalina/servlets/WebdavServlet.java
index a9e3dfc459..a6ec28a85e 100644
--- a/java/org/apache/catalina/servlets/WebdavServlet.java
+++ b/java/org/apache/catalina/servlets/WebdavServlet.java
@@ -846,22 +846,8 @@ public class WebdavServlet extends DefaultServlet
implements PeriodicEventListen
}
}
- // Short-cut if client provided a content length
- if (req.getContentLengthLong() > maxRequestBodySize) {
- resp.sendError(WebdavStatus.SC_REQUEST_TOO_LONG);
- return;
- }
-
- byte[] body;
- try (InputStream is = req.getInputStream();
- BoundedByteArrayOutputStream os = new
BoundedByteArrayOutputStream(maxRequestBodySize)) {
- IOTools.flow(is, os);
- body = os.toByteArray();
- } catch (IOException ioe) {
- resp.sendError(WebdavStatus.SC_BAD_REQUEST);
- return;
- } catch (ArrayIndexOutOfBoundsException e) {
- resp.sendError(WebdavStatus.SC_REQUEST_TOO_LONG);
+ byte[] body = readRequestBody(req, resp);
+ if (body == null) {
return;
}
if (body.length > 0) {
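Review bot: The `if (body == null) { return; }` check after the new `readRequestBody(req, resp)` call depends on an unwritten contract: `null` means the helper has already sent the error response, and nothing at the call site says so. A short comment such as `// null: readRequestBody() has already sent SC_BAD_REQUEST or SC_REQUEST_TOO_LONG` would stop a later edit from adding a second `sendError` on this path. The same call-and-check pattern is added in the hunk at line 1437 and would take the same comment. The enclosing method starts and ends outside this hunk.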
@@ -1021,6 +1007,41 @@ public class WebdavServlet extends DefaultServlet
implements PeriodicEventListen
}
+ /**
+ * Read request body
+ *
+ * @param req The request
+ * @param resp The response
+ *
+ * @return {@code null} if the body could not be read and an error status
code has been set, otherwise the request
+ * body as a byte array
+ *
+ * @throws IOException if the reading the body fails and a response status
code cannot be set
+ */
+ private byte[] readRequestBody(HttpServletRequest req, HttpServletResponse
resp) throws IOException {
+ // Short-cut if client provided a content length
+ if (req.getContentLengthLong() > maxRequestBodySize) {
+ resp.sendError(WebdavStatus.SC_REQUEST_TOO_LONG);
+ return null;
+ }
+
+ byte[] body;
+ try (InputStream is = req.getInputStream();
+ BoundedByteArrayOutputStream os = new
BoundedByteArrayOutputStream(maxRequestBodySize)) {
+ IOTools.flow(is, os);
+ body = os.toByteArray();
+ } catch (IOException ioe) {
+ resp.sendError(WebdavStatus.SC_BAD_REQUEST);
+ return null;
+ } catch (ArrayIndexOutOfBoundsException e) {
+ resp.sendError(WebdavStatus.SC_REQUEST_TOO_LONG);
+ return null;
+ }
+
+ return body;
+ }
+
+
/**
* PROPPATCH Method. Dead properties support is a SHOULD in the
specification and are not implemented.
*
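Review bot: The Javadoc on `readRequestBody` does not name the limit or say which status each failure produces, although this helper is now the one place where the WebDAV body limit is applied for both callers. I would expand the summary to something like `Read the request body into memory, rejecting bodies larger than maxRequestBodySize`. Under `@return` it should say that `null` means `SC_REQUEST_TOO_LONG` (declared or actual length over the limit) or `SC_BAD_REQUEST` (read failure) has already been sent, and the wording `if the reading the body fails` needs fixing. Separately, `catch (ArrayIndexOutOfBoundsException e)` covers the whole try block, so the same exception raised anywhere inside `IOTools.flow` would also be reported as too long. A dedicated exception type thrown by `BoundedByteArrayOutputStream` would make the limit signal unambiguous, though that class's write methods are outside this hunk.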
@@ -1416,24 +1437,11 @@ public class WebdavServlet extends DefaultServlet
implements PeriodicEventListen
Node lockInfoNode = null;
- // Short-cut if client provided a content length
- if (req.getContentLengthLong() > maxRequestBodySize) {
- resp.sendError(WebdavStatus.SC_REQUEST_TOO_LONG);
+ byte[] body = readRequestBody(req, resp);
+ if (body == null) {
return;
}
- byte[] body;
- try (InputStream is = req.getInputStream();
- BoundedByteArrayOutputStream os = new
BoundedByteArrayOutputStream(maxRequestBodySize)) {
- IOTools.flow(is, os);
- body = os.toByteArray();
- } catch (IOException ioe) {
- resp.sendError(WebdavStatus.SC_BAD_REQUEST);
- return;
- } catch (ArrayIndexOutOfBoundsException e) {
- resp.sendError(WebdavStatus.SC_REQUEST_TOO_LONG);
- return;
- }
if (body.length > 0) {
DocumentBuilder documentBuilder = getDocumentBuilder();
@@ -3084,6 +3092,12 @@ public class WebdavServlet extends DefaultServlet
implements PeriodicEventListen
}
super.write(b, off, len);
}
+
+ @Override
+ public synchronized void reset() {
+ size = 0;
+ super.reset();
+ }
}
}
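Review bot: The new `reset()` override has no comment explaining why `size` must be cleared, which is the only reason the override exists. A line such as `// Keep the limit counter in step with the buffer so a reused stream gets its full allowance back` above `size = 0;` would record it. The limit check appears to rely on a counter kept in parallel with the superclass, so it may be simpler to test against the inherited `count` field of `ByteArrayOutputStream`, which `super.reset()` already clears. The write overrides that perform the check start outside this hunk, so confirm there before changing it.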
diff --git
a/test/org/apache/catalina/servlets/TestWebdavBoundedByteArrayOutputStream.java
b/test/org/apache/catalina/servlets/TestWebdavBoundedByteArrayOutputStream.java
index b3648c92f6..9a6877419d 100644
---
a/test/org/apache/catalina/servlets/TestWebdavBoundedByteArrayOutputStream.java
+++
b/test/org/apache/catalina/servlets/TestWebdavBoundedByteArrayOutputStream.java
@@ -95,4 +95,27 @@ public class TestWebdavBoundedByteArrayOutputStream {
// Pass
}
}
+
+
+ @Test
+ public void testReset() throws IOException {
+ BoundedByteArrayOutputStream bbaos = new
BoundedByteArrayOutputStream(TEST_LIMIT);
+
+ for (int i = 0; i < TEST_LIMIT; i++) {
+ bbaos.write(ONE_BYTE_ARRAY);
+ }
+
+ bbaos.reset();
+
+ for (int i = 0; i < TEST_LIMIT; i++) {
+ bbaos.write(ONE_BYTE_ARRAY);
+ }
+
+ try {
+ bbaos.write(ONE_BYTE_ARRAY);
+ Assert.fail("Writing 11th byte failed to trigger error");
+ } catch (ArrayIndexOutOfBoundsException e) {
+ // Pass
+ }
+ }
}
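Review bot: `testReset` shows that the limit is re-armed after `reset()` but never checks what the stream holds, so it would still pass if the bytes written before the reset stayed in the buffer. Adding `Assert.assertEquals(TEST_LIMIT, bbaos.size());` after the second loop would pin both halves of the reset. The failure message `Writing 11th byte failed to trigger error` also hard-codes a number that presumably derives from `TEST_LIMIT`, which is defined outside this hunk.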