tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Marc Saegesser" <marc.saeges...@apropos.com>
Subject RE: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/http HttpProcessor.java
Date Tue, 17 Jul 2001 03:15:53 GMT
> remm        01/07/16 18:04:29
> 
>   Modified:    catalina/src/share/org/apache/catalina/connector/http
>                         HttpProcessor.java
>   Log:
>   - %25, %2F, %2E and %5C are now forbidden in the request URI. I 
> hope this
>     is not a problem with multi-byte characters.
>   - Medium risk fix : always finish the response. That could lead 
> to connection
>     management problems. That has to be changed since otherwise 
> no HTTP error
>     report would be generated when something bad happened when parsing
>     the request.
>   
<snip>

>   +        // Prevent encoding '%', '/', '.' and '\', which are 
> special reserved
>   +        // characters
>   +        if ((normalized.indexOf("%25") > 0) || 
> (normalized.indexOf("%2F") > 0)
>   +            || (normalized.indexOf("%2E") > 0) 
>   +            || (normalized.indexOf("%5C") > 0)) {
>   +            return null;
>   +        }

I think these comparisons should be >= instead of >.


Mime
View raw message