tomcat-dev mailing list archives

From ke...@apache.org
Subject cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/modules/mappers DecodeInterceptor.java
Date Tue, 23 Apr 2002 19:49:40 GMT
keith       02/04/23 12:49:40

  Modified:    src/share/org/apache/tomcat/modules/mappers
                        DecodeInterceptor.java
  Log:
  Our security measure is too aggressive; incorrectly mangles
  proxy-style urls.  Check for http/https exceptions when
  removing double slashes.
  
  Revision  Changes    Path
  1.16      +11 -2     jakarta-tomcat/src/share/org/apache/tomcat/modules/mappers/DecodeInterceptor.java
  
  Index: DecodeInterceptor.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/modules/mappers/DecodeInterceptor.java,v
  retrieving revision 1.15
  retrieving revision 1.16
  diff -u -r1.15 -r1.16
  --- DecodeInterceptor.java	2 Feb 2002 04:48:40 -0000	1.15
  +++ DecodeInterceptor.java	23 Apr 2002 19:49:40 -0000	1.16
  @@ -194,7 +194,10 @@
   	// remove //
   	for( i=start, j=start; i<end-1; i++ ) {
   	    if( buff[i]== '/' && buff[i+1]=='/' ) {
  -		while( buff[i+1]=='/' ) i++;
  +                if (! (i == start + 5 && bc.startsWith(HTTP)) &&
  +                    ! (i == start + 6 && bc.startsWith(HTTPS))) {
  +		    while( buff[i+1]=='/' ) i++;
  +                }
   	    } 
   	    buff[j++]=buff[i];
   	}
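Review bot: The inner scan `while( buff[i+1]=='/' ) i++;` that this hunk re-indents has no upper bound, so for a request URI ending in two or more slashes it tests `buff[end]` and possibly further, outside the region the outer loop limits with `i<end-1`. The URI is client-supplied, so depending on how the buffer was allocated (not visible here) this either compares against stale bytes or throws ArrayIndexOutOfBoundsException. Bounding the scan would close it: `while( i+1 < end && buff[i+1]=='/' ) i++;`. The second hunk (the `str` variant) has the same loop, and the handling of the final character after the loop lies outside both hunks, so it should be checked together with this change.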
  @@ -306,7 +309,10 @@
   	// remove //
   	for( i=start, j=start; i<end-1; i++ ) {
   	    if( buff[i]== '/' && buff[i+1]=='/' ) {
  -		while( buff[i+1]=='/' ) i++;
  +                if (! (i == start + 5 && str.startsWith("http:")) &&
  +                    ! (i == start + 6 && str.startsWith("https:"))) {
  +		    while( buff[i+1]=='/' ) i++;
  +                }
   	    } 
   	    buff[j++]=buff[i];
   	}
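Review bot: The two halves of the new condition use different origins: `i == start + 5` is relative to `start`, while `str.startsWith("http:")` always tests from index 0 of `str`. If `start` can be non-zero in this method (its setup is outside the hunk), the exemption could apply to a `//` that does not follow the scheme, or miss one that does; `str.startsWith("http:", start)` would tie both to the same offset, assuming `buff` indexes line up with `str`. Because this deliberately relaxes a security normalisation, a comment above the condition would help, e.g. `// keep only the "//" directly after an http:/https: scheme (proxy-style request URI); all other slash runs are still collapsed`. The offsets 5 and 6 are the lengths of the two literals and would be clearer written that way; the first hunk has the same shape with `bc.startsWith(HTTP)`.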
  @@ -619,5 +625,8 @@
   	}
   
       }
  +
  +    private static final byte[] HTTP = new byte[] { 'h','t','t','p',':'};
  +    private static final byte[] HTTPS = new byte[] { 'h','t','t','p','s',':'};
   }
   
  
  
  
