[UNDERTOW-2334] CVE-2024-6162 AJP Parser: Do not share the decodeBuff…

…er StringBuilder instance between requests Signed-off-by: Flavia Rainone <frainone@redhat.com>
undertow-io · Jun 20, 2024 · 90f202a · 90f202a
1 parent 5ed2b4f
commit 90f202a
Showing 1 changed file with 1 addition and 4 deletions.
diff --git a/core/src/main/java/io/undertow/server/protocol/ajp/AjpRequestParser.java b/core/src/main/java/io/undertow/server/protocol/ajp/AjpRequestParser.java
@@ -77,7 +77,6 @@ public class AjpRequestParser {
     private final boolean slashDecodingFlag;
     private final int maxParameters;
     private final int maxHeaders;
-    private StringBuilder decodeBuffer;
     private final boolean allowUnescapedCharactersInUrl;
     private final Pattern allowedRequestAttributesPattern;
 
@@ -509,9 +508,7 @@ public void parse(final ByteBuffer buf, final AjpRequestParseState state, final
     private String decode(String url, final boolean containsUrlCharacters) throws UnsupportedEncodingException {
         if (doDecode && containsUrlCharacters) {
             try {
-                if(decodeBuffer == null) {
-                    decodeBuffer = new StringBuilder();
-                }
+                final StringBuilder decodeBuffer = new StringBuilder();
                 return URLUtils.decode(url, this.encoding, slashDecodingFlag, false, decodeBuffer);
             } catch (Exception e) {
                 throw UndertowMessages.MESSAGES.failedToDecodeURL(url, encoding, e);