From: "Marc Saegesser"
Delivered-To: mailing list tomcat-dev@jakarta.apache.org
Subject: RE: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/http HttpProcessor.java
Date: Mon, 16 Jul 2001 22:15:53 -0500
In-Reply-To: <20010717010429.65214.qmail@icarus.apache.org>

> remm 01/07/16 18:04:29
>
> Modified: catalina/src/share/org/apache/catalina/connector/http
> HttpProcessor.java
> Log:
> - %25, %2F, %2E and %5C are now forbidden in the request URI. I hope this
> is not a problem with multi-byte characters.
> - Medium risk fix : always finish the response. That could lead to connection
> management problems. That has to be changed since otherwise no HTTP error
> report would be generated when something bad happened when parsing
> the request.
>
> + // Prevent encoding '%', '/', '.' and '\', which are
> special reserved
> + // characters
> + if ((normalized.indexOf("%25") > 0) ||
> (normalized.indexOf("%2F") > 0)
> + || (normalized.indexOf("%2E") > 0)
> + || (normalized.indexOf("%5C") > 0)) {
> + return null;
> + }

I think these comparisons should be >= instead of >.
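Review bot: the four `> 0` comparisons in the added `if` fail to reject an encoded sequence that starts at index 0, because `String.indexOf` returns 0 for a match at the beginning of the string; change each test to `>= 0` (or `!= -1`), e.g. `if ((normalized.indexOf("%25") >= 0) || (normalized.indexOf("%2F") >= 0)`. The tests are also case-sensitive as written, so the lowercase spellings `%2f`, `%2e` and `%5c` are only caught if `normalized` has been converted to upper case before this point; if it has not, compare against an upper-cased copy of the string so that one check covers both spellings.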