tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cos...@apache.org
Subject cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/modules/mappers DecodeInterceptor.java
Date Thu, 04 Oct 2001 20:25:05 GMT
costin      01/10/04 13:25:05

  Modified:    src/share/org/apache/tomcat/modules/mappers
                        DecodeInterceptor.java
  Log:
  Do not decode if it was alredy decoded - i.e. if tomcat+web server.
  For Http we need to decode, and also for eventual protocols that send the request
  encoded.
  
  Also, added an option ( defaulted to what we agreed ) to allow saving the 'original'
  uri. Turning it on will bring inconsistencyes between tomcat standalone and
  tomcat+web, and may be open to various security issues ( if the uri is used in any
  check or processing, many encoding tricks could be played - we've been there ).
  But it is the strict implementation of the 2.3 spec ( in the idea that 2.3 is
  backward compat. with 2.2 ).
  
  Revision  Changes    Path
  1.10      +14 -4     jakarta-tomcat/src/share/org/apache/tomcat/modules/mappers/DecodeInterceptor.java
  
  Index: DecodeInterceptor.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/modules/mappers/DecodeInterceptor.java,v
  retrieving revision 1.9
  retrieving revision 1.10
  diff -u -r1.9 -r1.10
  --- DecodeInterceptor.java	2001/09/29 04:36:35	1.9
  +++ DecodeInterceptor.java	2001/10/04 20:25:05	1.10
  @@ -89,7 +89,7 @@
   
       private boolean normalize=true;
       private boolean safe=true;
  -    
  +    private boolean saveOriginal=false;
       public DecodeInterceptor() {
       }
   
  @@ -118,6 +118,13 @@
   	normalize=b;
       }
   
  +    /** Save the original uri before decoding. Default is false,
  +     *  for consistency among servers.
  +     */
  +    public void setSaveOriginal( boolean b ) {
  +	saveOriginal=b;
  +    }
  +
       /** Decode interceptor can reject unsafe urls. These are
           URL's containing the following escapes:
           %25 = '%'
  @@ -398,7 +405,7 @@
       }
   
       private boolean isSafeURI(MessageBytes pathMB) {
  -        int start = pathMB.indexOf("%");
  +        int start = pathMB.indexOf('%');
           if( start >= 0 ) {
               int end = pathMB.indexOf(";jsessionid=");
               if( end < 0 || start < end ) {
  @@ -515,11 +522,14 @@
   	// Decode request, save the original for the facade
   
   	// Already decoded
  -	if( req.getNote( decodedNote ) != null )
  +	if( req.getNote( decodedNote ) != null ) {
  +	    if( debug> 5 ) log("Already decoded " + req.getNote( decodedNote ));
   	    return 0;
  +	}
   	if (pathMB.indexOf('%') >= 0 || pathMB.indexOf( '+' ) >= 0) {
   	    try {
  -		req.unparsedURI().duplicate( pathMB );
  +		if( saveOriginal )
  +		    req.unparsedURI().duplicate( pathMB );
   		if(debug>1 )
   		    log( "Before " + pathMB.toString());
   		req.getURLDecoder().convert( pathMB );
  
  
  

Mime
View raw message