From 85d0925b1196792934cfa820c67ecf6fffe57109 Mon Sep 17 00:00:00 2001
From: Tomas Hofman
Date: Thu, 16 Nov 2023 15:11:29 +0100
Subject: [PATCH] [UNDERTOW-2334] CVE-2024-6162 AJP Parser: Do not share the decodeBuffer StringBuilder instance between requests

Signed-off-by: Flavia Rainone
---
 .../io/undertow/server/protocol/ajp/AjpRequestParser.java | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/core/src/main/java/io/undertow/server/protocol/ajp/AjpRequestParser.java b/core/src/main/java/io/undertow/server/protocol/ajp/AjpRequestParser.java
index f6e0cc3fcd..527fbfd0a1 100644
--- a/core/src/main/java/io/undertow/server/protocol/ajp/AjpRequestParser.java
+++ b/core/src/main/java/io/undertow/server/protocol/ajp/AjpRequestParser.java
@@ -77,7 +77,6 @@ public class AjpRequestParser {
 private final boolean slashDecodingFlag;
 private final int maxParameters;
 private final int maxHeaders;
- private StringBuilder decodeBuffer;
 private final boolean allowUnescapedCharactersInUrl;
 private final Pattern allowedRequestAttributesPattern;
 
@@ -509,9 +508,7 @@ public void parse(final ByteBuffer buf, final AjpRequestParseState state, final
 private String decode(String url, final boolean containsUrlCharacters) throws UnsupportedEncodingException {
 if (doDecode && containsUrlCharacters) {
 try {
- if(decodeBuffer == null) {
- decodeBuffer = new StringBuilder();
- }
+ final StringBuilder decodeBuffer = new StringBuilder();
 return URLUtils.decode(url, this.encoding, slashDecodingFlag, false, decodeBuffer);
 } catch (Exception e) {
 throw UndertowMessages.MESSAGES.failedToDecodeURL(url, encoding, e);
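Review bot: The added `final StringBuilder decodeBuffer = new StringBuilder();` line in the second hunk carries no comment saying why the buffer must be per call, so a later refactor could reintroduce the cached field that the first hunk removes; suggest `// Fresh buffer on every call: this parser instance is shared across requests, so a cached StringBuilder would carry decoded data from one request into the next (UNDERTOW-2334).` Since the local is used exactly once, it could also be inlined as `return URLUtils.decode(url, this.encoding, slashDecodingFlag, false, new StringBuilder());`. The diffstat shows only the parser file changed, so no regression test pins the fix; a test that calls decode twice in sequence and asserts the second result contains nothing of the first would guard against the field coming back. The body of decode continues past the end of the hunk.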