From d582cb1745e3ac3c07305da6c34b6272cf5354e0 Mon Sep 17 00:00:00 2001
From: srowen
Date: Sat, 8 May 2010 20:56:31 +0000
Subject: [PATCH] Tighten up some stuff I saw from the logs
git-svn-id: http://zxing.googlecode.com/svn/trunk@1344 59b500cc-1b3d-0410-9834-0bbf25fbcc57
---
.../client/androidtest/BenchmarkActivity.java | 3 +-
.../decoder/DecodedBitStreamParser.java | 8 +++++-
.../com/google/zxing/web/DecodeServlet.java | 28 +++++++++++++------
.../src/com/google/zxing/web/DoSFilter.java | 14 +---------
4 files changed, 28 insertions(+), 25 deletions(-)
diff --git a/androidtest/src/com/google/zxing/client/androidtest/BenchmarkActivity.java b/androidtest/src/com/google/zxing/client/androidtest/BenchmarkActivity.java
index 6b308082..002fc857 100755
--- a/androidtest/src/com/google/zxing/client/androidtest/BenchmarkActivity.java
+++ b/androidtest/src/com/google/zxing/client/androidtest/BenchmarkActivity.java
@@ -79,8 +79,7 @@ public final class BenchmarkActivity extends Activity {
List items = (List) message.obj;
int count = 0;
int time = 0;
- for (int x = 0; x < items.size(); x++) {
- BenchmarkItem item = items.get(x);
+ for (BenchmarkItem item : items) {
if (item != null) {
Log.v(TAG, item.toString());
count++;
diff --git a/core/src/com/google/zxing/datamatrix/decoder/DecodedBitStreamParser.java b/core/src/com/google/zxing/datamatrix/decoder/DecodedBitStreamParser.java
index ccea54fe..16ce63d6 100644
--- a/core/src/com/google/zxing/datamatrix/decoder/DecodedBitStreamParser.java
+++ b/core/src/com/google/zxing/datamatrix/decoder/DecodedBitStreamParser.java
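Review bot: As printed, `items` is a raw `List`, and an enhanced-for over a raw `List` yields `Object`, so the new `for (BenchmarkItem item : items)` would not compile without a cast; this most likely means the type arguments were lost when the page was rendered, in which case the real line is something like `List<BenchmarkItem> items = (List<BenchmarkItem>) message.obj;` and the loop is fine. Even then, the cast from `message.obj` is unchecked and deserves a `@SuppressWarnings("unchecked") // Message.obj is always the benchmark result list` on the statement so the intent is recorded rather than warned about on every build. The enclosing handler method starts before this hunk.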
@@ -420,7 +420,8 @@ final class DecodedBitStreamParser {
/**
* See ISO 16022:2006, 5.2.9 and Annex B, B.2
*/
- private static void decodeBase256Segment(BitSource bits, StringBuffer result, Vector byteSegments) {
+ private static void decodeBase256Segment(BitSource bits, StringBuffer result, Vector byteSegments)
+ throws FormatException {
// Figure out how long the Base 256 Segment is.
int d1 = bits.readBits(8);
int count;
@@ -433,6 +434,11 @@ final class DecodedBitStreamParser {
}
byte[] bytes = new byte[count];
for (int i = 0; i < count; i++) {
+ // Have seen this particular error in the wild, such as at
+ // http://www.bcgen.com/demo/IDAutomationStreamingDataMatrix.aspx?MODE=3&D=Fred&PFMT=3&PT=F&X=0.3&O=0&LM=0.2
+ if (bits.available() < 8) {
+ throw FormatException.getFormatInstance();
+ }
bytes[i] = unrandomize255State(bits.readBits(8), i);
}
byteSegments.addElement(bytes);
diff --git a/zxingorg/src/com/google/zxing/web/DecodeServlet.java b/zxingorg/src/com/google/zxing/web/DecodeServlet.java
index e84c2cd3..936155d7 100644
--- a/zxingorg/src/com/google/zxing/web/DecodeServlet.java
+++ b/zxingorg/src/com/google/zxing/web/DecodeServlet.java
@@ -62,10 +62,8 @@ import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStreamWriter;
import java.io.Writer;
-import java.net.SocketException;
import java.net.URI;
import java.net.URISyntaxException;
-import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
@@ -90,7 +88,10 @@ import javax.servlet.http.HttpServletResponse;
*/
public final class DecodeServlet extends HttpServlet {
+ // No real reason to let people upload more than a 2MB image
private static final long MAX_IMAGE_SIZE = 2000000L;
+ // No real reason to deal with more than maybe 2.5 megapixels
+ private static final int MAX_PIXELS = 1 << 16;
private static final Logger log = Logger.getLogger(DecodeServlet.class.getName());
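Review bot: The new `bits.available() < 8` guard sits inside the per-byte loop, so a truncated segment is only detected after `new byte[count]` has been allocated and up to `count - 1` bytes have already been unrandomized; one check ahead of the allocation is cheaper and reads as the precondition it is: `if (bits.available() < 8 * count) { throw FormatException.getFormatInstance(); }` placed before `byte[] bytes = new byte[count];`, leaving the loop body as the plain `bytes[i] = unrandomize255State(bits.readBits(8), i);`. `count` appears to be derived from one or two 8-bit reads (the derivation is above the hunk), so `8 * count` should not be able to overflow, but that is worth confirming when hoisting the check. The method's body continues past the hunk.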
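Review bot: `MAX_PIXELS = 1 << 16` is 65,536 pixels — a 256×256 image — not the "maybe 2.5 megapixels" the comment directly above it promises, so whichever check consumes this constant will refuse almost every real photograph; either the comment or the value is wrong. If 2.5 MP is the intent, `private static final int MAX_PIXELS = 2500000;` says so unambiguously, or keep the shift form as `1 << 21` (about 2.1 MP) and reword the comment to match. A constant that gates untrusted uploads is exactly the place where a reader should not have to compute whether the comment and the number agree.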
@@ -148,6 +149,8 @@ public final class DecodeServlet extends HttpServlet {
return;
}
+ imageURIString = imageURIString.trim();
+
if (!(imageURIString.startsWith("http://") || imageURIString.startsWith("https://"))) {
imageURIString = "http://" + imageURIString;
}
@@ -176,12 +179,12 @@ public final class DecodeServlet extends HttpServlet {
getRequest.abort();
response.sendRedirect("badurl.jspx");
return;
- } catch (SocketException se) {
- // Thrown if hostname is bad or null
- getRequest.abort();
- response.sendRedirect("badurl.jspx");
- return;
- } catch (UnknownHostException uhe) {
+ } catch (IOException ioe) {
+ // Encompasses lots of stuff, including
+ // java.net.SocketException, java.net.UnknownHostException,
+ // javax.net.ssl.SSLPeerUnverifiedException,
+ // org.apache.http.NoHttpResponseException,
+ // org.apache.http.client.ClientProtocolException,
getRequest.abort();
response.sendRedirect("badurl.jspx");
return;
@@ -255,14 +258,21 @@ public final class DecodeServlet extends HttpServlet {
try {
image = ImageIO.read(is);
} catch (IOException ioe) {
+ // Includes javax.imageio.IIOException
response.sendRedirect("badimage.jspx");
return;
} catch (CMMException cmme) {
// Have seen this in logs
response.sendRedirect("badimage.jspx");
return;
+ } catch (IllegalArgumentException iae) {
+ // Have seen this in logs for some JPEGs
+ response.sendRedirect("badimage.jspx");
+ return;
}
- if (image == null) {
+ if (image == null ||
+ image.getHeight() <= 1 || image.getWidth() >= 1 ||
+ image.getHeight() * image.getWidth() > MAX_PIXELS) {
response.sendRedirect("badimage.jspx");
return;
}
diff --git a/zxingorg/src/com/google/zxing/web/DoSFilter.java b/zxingorg/src/com/google/zxing/web/DoSFilter.java
index 177fc2bc..7c9fa77d 100755
--- a/zxingorg/src/com/google/zxing/web/DoSFilter.java
+++ b/zxingorg/src/com/google/zxing/web/DoSFilter.java
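Review bot: The URL fetched on behalf of the caller is entirely caller-controlled, and after `trim()` the only normalisation here is prepending `http://`; nothing in this hunk, and nothing I can see elsewhere in the patch, stops `imageURIString` from naming the server itself, a loopback or RFC 1918 address, or a link-local metadata endpoint, which makes the decoder usable as a server-side request forgery proxy. Before `getRequest` is executed, resolve the host and refuse it when `addr.isLoopbackAddress() || addr.isSiteLocalAddress() || addr.isLinkLocalAddress() || addr.isAnyLocalAddress()`, and apply the same test to the target of any redirect if the HTTP client is configured to follow them. Separately, the scheme test is case-sensitive, so `HTTP://host/x` becomes `http://HTTP://host/x`; compare the lower-cased prefix, `imageURIString.toLowerCase(Locale.ROOT).startsWith("http://")`, or parse with `URI` and inspect `getScheme()`. The enclosing method starts before this hunk and continues after it.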
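Review bot: The widened `catch (IOException ioe)` drops the exception without any trace, so the very failures that motivated this commit ("stuff I saw from the logs") become invisible the next time they change shape; a `log.fine("Image fetch failed: " + ioe);` as the first statement of the catch keeps the diagnostic at a level that cannot flood the log while the user still gets `badurl.jspx`. The first catch clause (whose exception type is above the hunk) and the new one now have byte-identical bodies, so if that first type is itself an `IOException` subtype the two clauses can be collapsed into this one. The enclosing try block starts above this hunk.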
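Review bot: The new dimension test has its width comparison inverted — `image.getWidth() >= 1` is true for every non-empty image, so the condition sends every successfully decoded image to `badimage.jspx`; it should read `image.getWidth() <= 1` to mirror the height test beside it. On the same condition, `image.getHeight() * image.getWidth()` is an `int` product that wraps for large dimensions (65536×65536 yields 0 and passes), so compare `(long) image.getHeight() * image.getWidth() > MAX_PIXELS`. More importantly for a public endpoint, the check runs after `ImageIO.read(is)` has already allocated the full raster, so it bounds the decoder's work but not the memory a decompression-bomb upload can consume; reading the dimensions from the image header via an `ImageReader` and rejecting before `reader.read(0)`, as sketched below, closes that gap (it needs `javax.imageio.ImageReader`, `javax.imageio.stream.ImageInputStream` and `java.util.Iterator` imports). The enclosing method starts before this hunk.
```java
// … unchanged: is / MAX_IMAGE_SIZE handling above …
ImageInputStream iis = ImageIO.createImageInputStream(is);
Iterator<ImageReader> readers = iis == null ? null : ImageIO.getImageReaders(iis);
if (readers == null || !readers.hasNext()) {
  response.sendRedirect("badimage.jspx");
  return;
}
ImageReader reader = readers.next();
try {
  reader.setInput(iis);
  // Reject oversized images from the header alone, before any raster is allocated
  if ((long) reader.getWidth(0) * reader.getHeight(0) > MAX_PIXELS) {
    response.sendRedirect("badimage.jspx");
    return;
  }
  image = reader.read(0);
} catch (IOException ioe) {
  // … unchanged: existing badimage redirects for IOException / CMMException / IllegalArgumentException …
} finally {
  reader.dispose();
}
if (image == null ||
    image.getHeight() <= 1 || image.getWidth() <= 1 ||
    (long) image.getHeight() * image.getWidth() > MAX_PIXELS) {
  response.sendRedirect("badimage.jspx");
  return;
}
```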
@@ -27,13 +27,11 @@ import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
-import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import java.util.Timer;
import java.util.TimerTask;
-import java.util.regex.Pattern;
/**
* A {@link Filter} that rejects requests from hosts that are sending too many
@@ -46,29 +44,20 @@ public final class DoSFilter implements Filter {
private static final int MAX_ACCESSES_PER_IP_PER_TIME = 10;
private static final long MAX_ACCESS_INTERVAL_MSEC = 10L * 1000L;
private static final long UNBAN_INTERVAL_MSEC = 60L * 60L * 1000L;
- private static final Pattern COMMA_PATTERN = Pattern.compile(",");
private final IPTrie numRecentAccesses;
private final Timer timer;
private final Set bannedIPAddresses;
- private final Collection manuallyBannedIPAddresses;
private ServletContext context;
public DoSFilter() {
numRecentAccesses = new IPTrie();
timer = new Timer("DosFilter reset timer");
bannedIPAddresses = Collections.synchronizedSet(new HashSet());
- manuallyBannedIPAddresses = new HashSet();
}
public void init(FilterConfig filterConfig) {
context = filterConfig.getServletContext();
- String bannedIPs = filterConfig.getInitParameter("bannedIPs");
- if (bannedIPs != null) {
- for (String ip : COMMA_PATTERN.split(bannedIPs)) {
- manuallyBannedIPAddresses.add(ip.trim());
- }
- }
timer.scheduleAtFixedRate(new ResetTask(), 0L, MAX_ACCESS_INTERVAL_MSEC);
timer.scheduleAtFixedRate(new UnbanTask(), 0L, UNBAN_INTERVAL_MSEC);
}
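Review bot: Dropping the `bannedIPs` init parameter silently removes the operator's only way to block an address ahead of time, and a `web.xml` that still sets it will now be ignored without a word; at minimum `init` should notice the stale setting, `if (filterConfig.getInitParameter("bannedIPs") != null) { context.log("DoSFilter: bannedIPs is no longer supported; ignoring"); }`, so a deployment that relied on a manual block does not lose it unnoticed. If manual bans are still wanted, the cheaper route is to seed `bannedIPAddresses` from the parameter rather than keep a second collection — though whether seeded entries would survive `UnbanTask` (defined outside this hunk) is something to decide explicitly. The constructor and `init` are shown in full here; whether `destroy()` cancels the `Timer` that `init` starts is not visible in this patch.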
@@ -86,8 +75,7 @@ public final class DoSFilter implements Filter {
private boolean isBanned(ServletRequest request) {
String remoteIPAddressString = request.getRemoteAddr();
- if (bannedIPAddresses.contains(remoteIPAddressString) ||
- manuallyBannedIPAddresses.contains(remoteIPAddressString)) {
+ if (bannedIPAddresses.contains(remoteIPAddressString)) {
return true;
}
InetAddress remoteIPAddress;
--
2.20.1
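Review bot: `request.getRemoteAddr()` is the address of the TCP peer, so if this servlet is deployed behind a reverse proxy or load balancer every client shares the proxy's address and a single noisy user will get the entire site banned (or, depending on topology, the filter never trips per client at all); if that is the deployment, the client address has to come from the proxy-supplied header, taken only from a trusted hop and only when the peer really is the trusted proxy, since `X-Forwarded-For` is otherwise attacker-controlled. A second, smaller point: the `bannedIPAddresses.contains` lookup keys on the raw string before it is parsed into an `InetAddress`, so two textual spellings of the same address — realistic for IPv6 — would not match one another; normalising with `InetAddress.getByName(remoteIPAddressString).getHostAddress()` before the `contains` check avoids that, at the cost of moving the parse (and its `UnknownHostException`) ahead of the lookup. The rest of `isBanned` continues past the hunk.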