From: cmanolache@yahoo.com
Date: Fri, 9 Feb 2001 14:00:50 -0800 (PST)
To: tomcat-dev@jakarta.apache.org
Subject: Re: [PATCH]: Bugrat report 723 ( unescaping/unencoding URLs ) was 'Re: 3.2.2 Release?'
In-Reply-To: <002d01c092dd$314e59e0$0300a8c0@cx1002407b>

> Just checking back on the status of this patch, I received some email from
> someone who isn't actively on the list but has the same problem as
> originally reported in Bugrat report 723. Anyone have any feedback on the
> patch or the control characters in URL question I had?

I will work on it for 3.3, there are a few more encoding problems and I need a bit of time. I don't think we can do it for M1, but it is on the list and it has high priority. ( I don't know if they are checked into 3.2.x )

Costin

>
> David Weinrich
>
> ----- Original Message -----
> From: "David Weinrich"
> To: "Tomcat Dev List"
> Sent: Friday, February 02, 2001 23:18
> Subject: [PATCH]: Bugrat report 723 ( unescaping/unencoding URLs ) was 'Re: 3.2.2 Release?'
>
> Thanks to everyone, that cleared things up quite a bit. Here is the patch
> for bugrat report 723 ( tomcat 3.2.x not unescaping escaped URLs ). The
> patch is extremely short, and implemented a tiny bit differently from the one
> I sent in for 3.2.x a while ago; the unencoding is done before the path is
> checked for other issues/security concerns to prevent unencoded stuff from
> causing these after the fact.
> Note: I haven't yet mastered the art of Watchdog/internal tomcat tests so
> this will need to be tested a bit more thoroughly. So far the following URLs
> work correctly:
>
> http://localhost:8080/index%20%23%24.jsp
> http://localhost:8080/index%20%23%24.html
>
> corresponding to the following filenames in the ROOT webapp dir:
>
> 'index #$.jsp' and
> 'index #$.html'
>
> If an error occurs in unencoding, null is returned, which ends up sending a
> Not Found (404) message instead of a stack trace. This seemed to be the most
> sane way to handle the issue of improperly encoded URLs. This is usually the
> result of having a value after a % that isn't two hex digits or having an
> unencoded % in the URL like:
>
> http://localhost:8080/index%%20%23%24.jsp or
> http://localhost:8080/index%zz%23%24.jsp
>
> One last remaining concern I have: the current implementation of RequestUtil
> allows control characters to pass through without raising an exception. I am
> assuming this could possibly raise problems, and is fairly undesired. If I
> interpret http://www.ietf.org/rfc/rfc2396.txt correctly, control characters
> should not be included in URLs. If it is agreeable, I will make a patch to
> RequestUtil.URLDecode tomorrow to block characters in the ranges of 00-1f
> and 7f-9f to prevent this from being a potential problem. Thanks again!
>
>
> David
>

--
Costin
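The decoding behaviour David's quoted message describes (decode before the path checks, a null result on a malformed escape that the container turns into a 404, and rejecting control characters in 00-1f and 7f-9f) as an added illustration in Python; this is not Tomcat's RequestUtil code, and it assumes a Latin-1 view of each decoded byte, as a 2001-era container would have used.

```python
"""Percent-decoding of a request path with the error handling the patch describes."""

HEX = "0123456789abcdefABCDEF"
# Control ranges the message proposes to block: 00-1f and 7f-9f (Latin-1 code points).
CONTROL = set(range(0x00, 0x20)) | set(range(0x7F, 0xA0))


def url_decode(path):
    """Decode %XX escapes one byte at a time.

    Returns None for a malformed escape (a '%' not followed by exactly two hex
    digits) or for any control character, whether decoded or literal. A None
    result is what the caller maps to a 404 instead of a stack trace.
    """
    out = []
    i = 0
    while i < len(path):
        c = path[i]
        if c == "%":
            hexpart = path[i + 1:i + 3]
            if len(hexpart) != 2 or hexpart[0] not in HEX or hexpart[1] not in HEX:
                return None  # covers both "%%20" and "%zz" from the message
            c = chr(int(hexpart, 16))
            i += 3
        else:
            i += 1
        if ord(c) in CONTROL:
            return None
        out.append(c)
    return "".join(out)


def check_path(decoded):
    """A hypothetical path check run only AFTER decoding: reject '..' segments."""
    return decoded.startswith("/") and ".." not in decoded.split("/")


def map_request(raw_path):
    """Decode first, then check the decoded form; None is the 'send a 404' outcome."""
    decoded = url_decode(raw_path)
    if decoded is None or not check_path(decoded):
        return None
    return decoded


if __name__ == "__main__":
    for p in ("/index%20%23%24.jsp", "/index%%20%23%24.jsp", "/index%zz%23%24.jsp"):
        print(p, "->", map_request(p))
```

Running the check on the decoded form is what stops an escaped `..` segment from slipping past a check that only looks at the raw request string.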