CVE-2013-4322

@@ -128,7 +128,7 @@ public class ChunkedInputFilter implements InputFilter {
     /**
      * Limit for trailer size.
      */
-    private int maxTrailerSize;
+    private final int maxTrailerSize;
 
     /**
      * Size of extensions processed for this request.

@@ -251,6 +251,9 @@
         protects against misbehaving clients that may not sent the request body
         in that case and send the next request instead. (markt)
       </add>
+      <fix>
+        Improve the parsing of trailing headers in HTTP requests. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Jasper">

@@ -128,7 +128,7 @@ public class ChunkedInputFilter implements InputFilter {
     /**
      * Limit for trailer size.
      */
-    private int maxTrailerSize;
+    private final int maxTrailerSize;
 
     /**
      * Size of extensions processed for this request.

@@ -125,6 +125,11 @@ public class ChunkedInputFilter implements InputFilter {
     private final long maxExtensionSize;
 
 
+    /**
+     * Limit for trailer size.
+     */
+    private int maxTrailerSize;
+
     /**
      * Size of extensions processed for this request.
      */
@@ -135,6 +140,7 @@ public class ChunkedInputFilter implements InputFilter {
     public ChunkedInputFilter(int maxTrailerSize, int maxExtensionSize) {
         this.trailingHeaders.setLimit(maxTrailerSize);
         this.maxExtensionSize = maxExtensionSize;
+        this.maxTrailerSize = maxTrailerSize;
     }
 
     // ---------------------------------------------------- InputBuffer Methods
@@ -264,6 +270,7 @@ public void recycle() {
         endChunk = false;
         needCRLFParse = false;
         trailingHeaders.recycle();
+        trailingHeaders.setLimit(maxTrailerSize);
         extensionSize = 0;
     }
 
@@ -326,7 +333,10 @@ protected boolean parseChunkHeader()
             if (buf[pos] == Constants.CR || buf[pos] == Constants.LF) {
                 parseCRLF(false);
                 eol = true;
-            } else if (buf[pos] == Constants.SEMI_COLON) {
+            } else if (buf[pos] == Constants.SEMI_COLON && !extension) {
+                // First semi-colon marks the start of the extension. Further
+                // semi-colons may appear to separate multiple chunk-extensions.
+                // These need to be processed as part of parsing the extensions.
                 extension = true;
                 extensionSize++;
             } else if (!extension) {
@@ -342,7 +352,9 @@ protected boolean parseChunkHeader()
                     return false;
                 }
             } else {
-                // extension
+                // Extension 'parsing'
+                // Note that the chunk-extension is neither parsed nor
+                // validated. Currently it is simply ignored.
                 extensionSize++;
                 if (maxExtensionSize > -1 && extensionSize > maxExtensionSize) {
                     throw new IOException("maxExtensionSize exceeded");
@@ -511,6 +523,13 @@ private boolean parseHeader() throws IOException {
                 chr = buf[pos];
                 if ((chr == Constants.SP) || (chr == Constants.HT)) {
                     pos++;
+                    // If we swallow whitespace, make sure it counts towards the
+                    // limit placed on trailing header size
+                    int newlimit = trailingHeaders.getLimit() -1;
+                    if (trailingHeaders.getEnd() > newlimit) {
+                        throw new IOException("Exceeded maxTrailerSize");
+                    }
+                    trailingHeaders.setLimit(newlimit);
                 } else {
                     space = false;
                 }

@@ -125,6 +125,11 @@ public class ChunkedInputFilter implements InputFilter {
     private final long maxExtensionSize;
 
 
+    /**
+     * Limit for trailer size.
+     */
+    private int maxTrailerSize;
+
     /**
      * Size of extensions processed for this request.
      */
@@ -135,6 +140,7 @@ public class ChunkedInputFilter implements InputFilter {
     public ChunkedInputFilter(int maxTrailerSize, int maxExtensionSize) {
         this.trailingHeaders.setLimit(maxTrailerSize);
         this.maxExtensionSize = maxExtensionSize;
+        this.maxTrailerSize = maxTrailerSize;
     }
 
     // ---------------------------------------------------- InputBuffer Methods
@@ -264,6 +270,7 @@ public void recycle() {
         endChunk = false;
         needCRLFParse = false;
         trailingHeaders.recycle();
+        trailingHeaders.setLimit(maxTrailerSize);
         extensionSize = 0;
     }
 
@@ -326,7 +333,10 @@ protected boolean parseChunkHeader()
             if (buf[pos] == Constants.CR || buf[pos] == Constants.LF) {
                 parseCRLF(false);
                 eol = true;
-            } else if (buf[pos] == Constants.SEMI_COLON) {
+            } else if (buf[pos] == Constants.SEMI_COLON && !extension) {
+                // First semi-colon marks the start of the extension. Further
+                // semi-colons may appear to separate multiple chunk-extensions.
+                // These need to be processed as part of parsing the extensions.
                 extension = true;
                 extensionSize++;
             } else if (!extension) {
@@ -342,7 +352,9 @@ protected boolean parseChunkHeader()
                     return false;
                 }
             } else {
-                // extension
+                // Extension 'parsing'
+                // Note that the chunk-extension is neither parsed nor
+                // validated. Currently it is simply ignored.
                 extensionSize++;
                 if (maxExtensionSize > -1 && extensionSize > maxExtensionSize) {
                     throw new IOException("maxExtensionSize exceeded");
@@ -501,6 +513,13 @@ private boolean parseHeader() throws IOException {
                 chr = buf[pos];
                 if ((chr == Constants.SP) || (chr == Constants.HT)) {
                     pos++;
+                    // If we swallow whitespace, make sure it counts towards the
+                    // limit placed on trailing header size
+                    int newlimit = trailingHeaders.getLimit() -1;
+                    if (trailingHeaders.getEnd() > newlimit) {
+                        throw new IOException("Exceeded maxTrailerSize");
+                    }
+                    trailingHeaders.setLimit(newlimit);
                 } else {
                     space = false;
                 }

@@ -694,13 +694,14 @@ protected boolean statusDropsConnection(int status) {
     /**
      * Initialize standard input and output filters.
      */
-    protected void initializeFilters(int maxTrailerSize) {
+    protected void initializeFilters(int maxTrailerSize, int maxExtensionSize) {
         // Create and add the identity filters.
         getInputBuffer().addFilter(new IdentityInputFilter());
         getOutputBuffer().addFilter(new IdentityOutputFilter());
 
         // Create and add the chunked filters.
-        getInputBuffer().addFilter(new ChunkedInputFilter(maxTrailerSize));
+        getInputBuffer().addFilter(
+                new ChunkedInputFilter(maxTrailerSize, maxExtensionSize));
         getOutputBuffer().addFilter(new ChunkedOutputFilter());
 
         // Create and add the void filters.

@@ -152,6 +152,16 @@ public void setMaxTrailerSize(int maxTrailerSize) {
     }
 
 
+    /**
+     * Maximum size of extension information in chunked encoding
+     */
+    private int maxExtensionSize = 8192;
+    public int getMaxExtensionSize() { return maxExtensionSize; }
+    public void setMaxExtensionSize(int maxExtensionSize) {
+        this.maxExtensionSize = maxExtensionSize;
+    }
+
+
     /**
      * This field indicates if the protocol is treated as if it is secure. This
      * normally means https is being used but can be used to fake https e.g

@@ -118,9 +118,23 @@ public class ChunkedInputFilter implements InputFilter {
      */
     private Request request;
     
+
+    /**
+     * Limit for extension size.
+     */
+    private final long maxExtensionSize;
+
+
+    /**
+     * Size of extensions processed for this request.
+     */
+    private long extensionSize;
+
+
     // ----------------------------------------------------------- Constructors
-    public ChunkedInputFilter(int maxTrailerSize) {
+    public ChunkedInputFilter(int maxTrailerSize, int maxExtensionSize) {
         this.trailingHeaders.setLimit(maxTrailerSize);
+        this.maxExtensionSize = maxExtensionSize;
     }
 
     // ---------------------------------------------------- InputBuffer Methods
@@ -250,6 +264,7 @@ public void recycle() {
         endChunk = false;
         needCRLFParse = false;
         trailingHeaders.recycle();
+        extensionSize = 0;
     }
 
 
@@ -299,7 +314,7 @@ protected boolean parseChunkHeader()
         int result = 0;
         boolean eol = false;
         boolean readDigit = false;
-        boolean trailer = false;
+        boolean extension = false;
 
         while (!eol) {
 
@@ -312,8 +327,9 @@ protected boolean parseChunkHeader()
                 parseCRLF(false);
                 eol = true;
             } else if (buf[pos] == Constants.SEMI_COLON) {
-                trailer = true;
-            } else if (!trailer) { 
+                extension = true;
+                extensionSize++;
+            } else if (!extension) {
                 //don't read data after the trailer
                 int charValue = HexUtils.getDec(buf[pos]);
                 if (charValue != -1) {
@@ -325,6 +341,12 @@ protected boolean parseChunkHeader()
                     //in the chunked header
                     return false;
                 }
+            } else {
+                // extension
+                extensionSize++;
+                if (maxExtensionSize > -1 && extensionSize > maxExtensionSize) {
+                    throw new IOException("maxExtensionSize exceeded");
+                }
             }
 
             // Parsing the CRLF increments pos

@@ -58,7 +58,7 @@ protected Log getLog() {
 
 
     public Http11AprProcessor(int headerBufferSize, AprEndpoint endpoint,
-            int maxTrailerSize) {
+            int maxTrailerSize, int maxExtensionSize) {
 
         super(endpoint);
 
@@ -68,7 +68,7 @@ public Http11AprProcessor(int headerBufferSize, AprEndpoint endpoint,
         outputBuffer = new InternalAprOutputBuffer(response, headerBufferSize);
         response.setOutputBuffer(outputBuffer);
 
-        initializeFilters(maxTrailerSize);
+        initializeFilters(maxTrailerSize, maxExtensionSize);
     }
 
 

@@ -294,7 +294,7 @@ protected void longPoll(SocketWrapper<Long> socket,
         protected Http11AprProcessor createProcessor() {
             Http11AprProcessor processor = new Http11AprProcessor(
                     proto.getMaxHttpHeaderSize(), (AprEndpoint)proto.endpoint,
-                    proto.getMaxTrailerSize());
+                    proto.getMaxTrailerSize(), proto.getMaxExtensionSize());
             processor.setAdapter(proto.adapter);
             processor.setMaxKeepAliveRequests(proto.getMaxKeepAliveRequests());
             processor.setKeepAliveTimeout(proto.getKeepAliveTimeout());

@@ -63,7 +63,7 @@ protected Log getLog() {
 
 
     public Http11NioProcessor(int maxHttpHeaderSize, NioEndpoint endpoint,
-            int maxTrailerSize) {
+            int maxTrailerSize, int maxExtensionSize) {
 
         super(endpoint);
 
@@ -73,7 +73,7 @@ public Http11NioProcessor(int maxHttpHeaderSize, NioEndpoint endpoint,
         outputBuffer = new InternalNioOutputBuffer(response, maxHttpHeaderSize);
         response.setOutputBuffer(outputBuffer);
 
-        initializeFilters(maxTrailerSize);
+        initializeFilters(maxTrailerSize, maxExtensionSize);
     }
 
 

@@ -259,7 +259,7 @@ protected void longPoll(SocketWrapper<NioChannel> socket,
         public Http11NioProcessor createProcessor() {
             Http11NioProcessor processor = new Http11NioProcessor(
                     proto.getMaxHttpHeaderSize(), (NioEndpoint)proto.endpoint,
-                    proto.getMaxTrailerSize());
+                    proto.getMaxTrailerSize(), proto.getMaxExtensionSize());
             processor.setAdapter(proto.adapter);
             processor.setMaxKeepAliveRequests(proto.getMaxKeepAliveRequests());
             processor.setKeepAliveTimeout(proto.getKeepAliveTimeout());

@@ -50,7 +50,7 @@ protected Log getLog() {
 
 
     public Http11Processor(int headerBufferSize, JIoEndpoint endpoint,
-            int maxTrailerSize) {
+            int maxTrailerSize, int maxExtensionSize) {
 
         super(endpoint);
         
@@ -60,7 +60,7 @@ public Http11Processor(int headerBufferSize, JIoEndpoint endpoint,
         outputBuffer = new InternalOutputBuffer(response, headerBufferSize);
         response.setOutputBuffer(outputBuffer);
 
-        initializeFilters(maxTrailerSize);
+        initializeFilters(maxTrailerSize, maxExtensionSize);
     }
 
 

@@ -164,7 +164,7 @@ protected void longPoll(SocketWrapper<Socket> socket,
         protected Http11Processor createProcessor() {
             Http11Processor processor = new Http11Processor(
                     proto.getMaxHttpHeaderSize(), (JIoEndpoint)proto.endpoint,
-                    proto.getMaxTrailerSize());
+                    proto.getMaxTrailerSize(),proto.getMaxExtensionSize());
             processor.setAdapter(proto.adapter);
             processor.setMaxKeepAliveRequests(proto.getMaxKeepAliveRequests());
             processor.setKeepAliveTimeout(proto.getKeepAliveTimeout());

@@ -41,6 +41,7 @@
 public class TestChunkedInputFilter extends TomcatBaseTest {
 
     private static final String LF = "\n";
+    private static final int EXT_SIZE_LIMIT = 10;
 
     @Test
     public void testChunkHeaderCRLF() throws Exception {
@@ -202,6 +203,76 @@ public void testTrailingHeadersSizeLimit() throws Exception {
         assertTrue(client.isResponse500());
     }
 
+
+    @Test
+    public void testExtensionSizeLimitOneBelow() throws Exception {
+        doTestExtensionSizeLimit(EXT_SIZE_LIMIT - 1, true);
+    }
+
+
+    @Test
+    public void testExtensionSizeLimitExact() throws Exception {
+        doTestExtensionSizeLimit(EXT_SIZE_LIMIT, true);
+    }
+
+
+    @Test
+    public void testExtensionSizeLimitOneOver() throws Exception {
+        doTestExtensionSizeLimit(EXT_SIZE_LIMIT + 1, false);
+    }
+
+
+    private void doTestExtensionSizeLimit(int len, boolean ok) throws Exception {
+        // Setup Tomcat instance
+        Tomcat tomcat = getTomcatInstance();
+
+        tomcat.getConnector().setProperty(
+                "maxExtensionSize", Integer.toString(EXT_SIZE_LIMIT));
+
+        // Must have a real docBase - just use temp
+        Context ctx =
+            tomcat.addContext("", System.getProperty("java.io.tmpdir"));
+
+        Tomcat.addServlet(ctx, "servlet", new EchoHeaderServlet());
+        ctx.addServletMapping("/", "servlet");
+
+        tomcat.start();
+
+        String extName = ";foo=";
+        StringBuilder extValue = new StringBuilder(len);
+        for (int i = 0; i < (len - extName.length()); i++) {
+            extValue.append("x");
+        }
+
+        String[] request = new String[]{
+            "POST /echo-params.jsp HTTP/1.1" + SimpleHttpClient.CRLF +
+            "Host: any" + SimpleHttpClient.CRLF +
+            "Transfer-encoding: chunked" + SimpleHttpClient.CRLF +
+            "Content-Type: application/x-www-form-urlencoded" +
+                    SimpleHttpClient.CRLF +
+            "Connection: close" + SimpleHttpClient.CRLF +
+            SimpleHttpClient.CRLF +
+            "3" + extName + extValue.toString() + SimpleHttpClient.CRLF +
+            "a=0" + SimpleHttpClient.CRLF +
+            "4" + SimpleHttpClient.CRLF +
+            "&b=1" + SimpleHttpClient.CRLF +
+            "0" + SimpleHttpClient.CRLF +
+            SimpleHttpClient.CRLF };
+
+        TrailerClient client =
+                new TrailerClient(tomcat.getConnector().getLocalPort());
+        client.setRequest(request);
+
+        client.connect();
+        client.processRequest();
+
+        if (ok) {
+            assertTrue(client.isResponse200());
+        } else {
+            assertTrue(client.isResponse500());
+        }
+    }
+
     @Test
     public void testNoTrailingHeaders() throws Exception {
         // Setup Tomcat instance

@@ -215,6 +215,10 @@
       <fix>
         Better adherence to RFC2616 for content-length headers. (markt)
       </fix>
+      <fix>
+        Add support for limiting the size of chunk extensions when using chunked
+        encoding. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Jasper">

@@ -399,6 +399,12 @@
       and connections are not counted.</p>
     </attribute>
 
+    <attribute name="maxExtensionSize" required="false">
+      <p>Limits the total length of chunk extensions in chunked HTTP requests.
+      If the value is <code>-1</code>, no limit will be imposed. If not
+      specified, the default value of <code>8192</code> will be used.</p>
+    </attribute>
+
     <attribute name="maxHttpHeaderSize" required="false">
       <p>The maximum size of the request and response HTTP header, specified
       in bytes. If not specified, this attribute is set to 8192 (8 KB).</p>

@@ -654,13 +654,14 @@ protected boolean statusDropsConnection(int status) {
     /**
      * Initialize standard input and output filters.
      */
-    protected void initializeFilters(int maxTrailerSize) {
+    protected void initializeFilters(int maxTrailerSize, int maxExtensionSize) {
         // Create and add the identity filters.
         getInputBuffer().addFilter(new IdentityInputFilter());
         getOutputBuffer().addFilter(new IdentityOutputFilter());
 
         // Create and add the chunked filters.
-        getInputBuffer().addFilter(new ChunkedInputFilter(maxTrailerSize));
+        getInputBuffer().addFilter(
+                new ChunkedInputFilter(maxTrailerSize, maxExtensionSize));
         getOutputBuffer().addFilter(new ChunkedOutputFilter());
 
         // Create and add the void filters.

@@ -144,6 +144,16 @@ public void setMaxTrailerSize(int maxTrailerSize) {
     }
 
 
+    /**
+     * Maximum size of extension information in chunked encoding
+     */
+    private int maxExtensionSize = 8192;
+    public int getMaxExtensionSize() { return maxExtensionSize; }
+    public void setMaxExtensionSize(int maxExtensionSize) {
+        this.maxExtensionSize = maxExtensionSize;
+    }
+
+
     /**
      * This field indicates if the protocol is treated as if it is secure. This
      * normally means https is being used but can be used to fake https e.g

@@ -118,9 +118,23 @@ public class ChunkedInputFilter implements InputFilter {
      */
     private Request request;
 
+
+    /**
+     * Limit for extension size.
+     */
+    private final long maxExtensionSize;
+
+
+    /**
+     * Size of extensions processed for this request.
+     */
+    private long extensionSize;
+
+
     // ----------------------------------------------------------- Constructors
-    public ChunkedInputFilter(int maxTrailerSize) {
+    public ChunkedInputFilter(int maxTrailerSize, int maxExtensionSize) {
         this.trailingHeaders.setLimit(maxTrailerSize);
+        this.maxExtensionSize = maxExtensionSize;
     }
 
     // ---------------------------------------------------- InputBuffer Methods
@@ -250,6 +264,7 @@ public void recycle() {
         endChunk = false;
         needCRLFParse = false;
         trailingHeaders.recycle();
+        extensionSize = 0;
     }
 
 
@@ -299,7 +314,7 @@ protected boolean parseChunkHeader()
         int result = 0;
         boolean eol = false;
         boolean readDigit = false;
-        boolean trailer = false;
+        boolean extension = false;
 
         while (!eol) {
 
@@ -312,8 +327,9 @@ protected boolean parseChunkHeader()
                 parseCRLF(false);
                 eol = true;
             } else if (buf[pos] == Constants.SEMI_COLON) {
-                trailer = true;
-            } else if (!trailer) {
+                extension = true;
+                extensionSize++;
+            } else if (!extension) {
                 //don't read data after the trailer
                 int charValue = HexUtils.getDec(buf[pos]);
                 if (charValue != -1) {
@@ -325,6 +341,12 @@ protected boolean parseChunkHeader()
                     //in the chunked header
                     return false;
                 }
+            } else {
+                // extension
+                extensionSize++;
+                if (maxExtensionSize > -1 && extensionSize > maxExtensionSize) {
+                    throw new IOException("maxExtensionSize exceeded");
+                }
             }
 
             // Parsing the CRLF increments pos

@@ -58,7 +58,7 @@ protected Log getLog() {
 
 
     public Http11AprProcessor(int headerBufferSize, AprEndpoint endpoint,
-            int maxTrailerSize) {
+            int maxTrailerSize, int maxExtensionSize) {
 
         super(endpoint);
 
@@ -68,7 +68,7 @@ public Http11AprProcessor(int headerBufferSize, AprEndpoint endpoint,
         outputBuffer = new InternalAprOutputBuffer(response, headerBufferSize);
         response.setOutputBuffer(outputBuffer);
 
-        initializeFilters(maxTrailerSize);
+        initializeFilters(maxTrailerSize, maxExtensionSize);
     }
 
 

@@ -318,7 +318,7 @@ protected void longPoll(SocketWrapper<Long> socket,
         protected Http11AprProcessor createProcessor() {
             Http11AprProcessor processor = new Http11AprProcessor(
                     proto.getMaxHttpHeaderSize(), (AprEndpoint)proto.endpoint,
-                    proto.getMaxTrailerSize());
+                    proto.getMaxTrailerSize(), proto.getMaxExtensionSize());
             processor.setAdapter(proto.getAdapter());
             processor.setMaxKeepAliveRequests(proto.getMaxKeepAliveRequests());
             processor.setKeepAliveTimeout(proto.getKeepAliveTimeout());

@@ -63,7 +63,7 @@ protected Log getLog() {
 
 
     public Http11NioProcessor(int maxHttpHeaderSize, NioEndpoint endpoint,
-            int maxTrailerSize) {
+            int maxTrailerSize, int maxExtensionSize) {
 
         super(endpoint);
 
@@ -73,7 +73,7 @@ public Http11NioProcessor(int maxHttpHeaderSize, NioEndpoint endpoint,
         outputBuffer = new InternalNioOutputBuffer(response, maxHttpHeaderSize);
         response.setOutputBuffer(outputBuffer);
 
-        initializeFilters(maxTrailerSize);
+        initializeFilters(maxTrailerSize, maxExtensionSize);
     }
 
 

@@ -281,7 +281,7 @@ protected void longPoll(SocketWrapper<NioChannel> socket,
         public Http11NioProcessor createProcessor() {
             Http11NioProcessor processor = new Http11NioProcessor(
                     proto.getMaxHttpHeaderSize(), (NioEndpoint)proto.endpoint,
-                    proto.getMaxTrailerSize());
+                    proto.getMaxTrailerSize(), proto.getMaxExtensionSize());
             processor.setAdapter(proto.getAdapter());
             processor.setMaxKeepAliveRequests(proto.getMaxKeepAliveRequests());
             processor.setKeepAliveTimeout(proto.getKeepAliveTimeout());

@@ -50,7 +50,7 @@ protected Log getLog() {
 
 
     public Http11Processor(int headerBufferSize, JIoEndpoint endpoint,
-            int maxTrailerSize) {
+            int maxTrailerSize, int maxExtensionSize) {
 
         super(endpoint);
 
@@ -60,7 +60,7 @@ public Http11Processor(int headerBufferSize, JIoEndpoint endpoint,
         outputBuffer = new InternalOutputBuffer(response, headerBufferSize);
         response.setOutputBuffer(outputBuffer);
 
-        initializeFilters(maxTrailerSize);
+        initializeFilters(maxTrailerSize, maxExtensionSize);
     }
 
 

@@ -186,7 +186,7 @@ protected void longPoll(SocketWrapper<Socket> socket,
         protected Http11Processor createProcessor() {
             Http11Processor processor = new Http11Processor(
                     proto.getMaxHttpHeaderSize(), (JIoEndpoint)proto.endpoint,
-                    proto.getMaxTrailerSize());
+                    proto.getMaxTrailerSize(),proto.getMaxExtensionSize());
             processor.setAdapter(proto.getAdapter());
             processor.setMaxKeepAliveRequests(proto.getMaxKeepAliveRequests());
             processor.setKeepAliveTimeout(proto.getKeepAliveTimeout());

@@ -41,6 +41,7 @@
 public class TestChunkedInputFilter extends TomcatBaseTest {
 
     private static final String LF = "\n";
+    private static final int EXT_SIZE_LIMIT = 10;
 
     @Test
     public void testChunkHeaderCRLF() throws Exception {
@@ -202,6 +203,76 @@ public void testTrailingHeadersSizeLimit() throws Exception {
         assertTrue(client.isResponse500());
     }
 
+
+    @Test
+    public void testExtensionSizeLimitOneBelow() throws Exception {
+        doTestExtensionSizeLimit(EXT_SIZE_LIMIT - 1, true);
+    }
+
+
+    @Test
+    public void testExtensionSizeLimitExact() throws Exception {
+        doTestExtensionSizeLimit(EXT_SIZE_LIMIT, true);
+    }
+
+
+    @Test
+    public void testExtensionSizeLimitOneOver() throws Exception {
+        doTestExtensionSizeLimit(EXT_SIZE_LIMIT + 1, false);
+    }
+
+
+    private void doTestExtensionSizeLimit(int len, boolean ok) throws Exception {
+        // Setup Tomcat instance
+        Tomcat tomcat = getTomcatInstance();
+
+        tomcat.getConnector().setProperty(
+                "maxExtensionSize", Integer.toString(EXT_SIZE_LIMIT));
+
+        // Must have a real docBase - just use temp
+        Context ctx =
+            tomcat.addContext("", System.getProperty("java.io.tmpdir"));
+
+        Tomcat.addServlet(ctx, "servlet", new EchoHeaderServlet());
+        ctx.addServletMapping("/", "servlet");
+
+        tomcat.start();
+
+        String extName = ";foo=";
+        StringBuilder extValue = new StringBuilder(len);
+        for (int i = 0; i < (len - extName.length()); i++) {
+            extValue.append("x");
+        }
+
+        String[] request = new String[]{
+            "POST /echo-params.jsp HTTP/1.1" + SimpleHttpClient.CRLF +
+            "Host: any" + SimpleHttpClient.CRLF +
+            "Transfer-encoding: chunked" + SimpleHttpClient.CRLF +
+            "Content-Type: application/x-www-form-urlencoded" +
+                    SimpleHttpClient.CRLF +
+            "Connection: close" + SimpleHttpClient.CRLF +
+            SimpleHttpClient.CRLF +
+            "3" + extName + extValue.toString() + SimpleHttpClient.CRLF +
+            "a=0" + SimpleHttpClient.CRLF +
+            "4" + SimpleHttpClient.CRLF +
+            "&b=1" + SimpleHttpClient.CRLF +
+            "0" + SimpleHttpClient.CRLF +
+            SimpleHttpClient.CRLF };
+
+        TrailerClient client =
+                new TrailerClient(tomcat.getConnector().getLocalPort());
+        client.setRequest(request);
+
+        client.connect();
+        client.processRequest();
+
+        if (ok) {
+            assertTrue(client.isResponse200());
+        } else {
+            assertTrue(client.isResponse500());
+        }
+    }
+
     @Test
     public void testNoTrailingHeaders() throws Exception {
         // Setup Tomcat instance

@@ -402,6 +402,12 @@
       and connections are not counted.</p>
     </attribute>
 
+    <attribute name="maxExtensionSize" required="false">
+      <p>Limits the total length of chunk extensions in chunked HTTP requests.
+      If the value is <code>-1</code>, no limit will be imposed. If not
+      specified, the default value of <code>8192</code> will be used.</p>
+    </attribute>
+
     <attribute name="maxHttpHeaderSize" required="false">
       <p>The maximum size of the request and response HTTP header, specified
       in bytes. If not specified, this attribute is set to 8192 (8 KB).</p>