tomcat-dev mailing list archives

From Lenny Karpel <>
Subject Problems with CoyoteAdapter URI validation 'hack'
Date Tue, 14 May 2002 20:35:46 GMT
Does anyone know anything about the following code in: 


        // Additional URI normalization and validation is needed for security
        // reasons on Tomcat 4.0.x
        if (connector.getUseURIValidationHack()) {
            String uri = validate(request.getRequestURI());
            if (uri == null) {
                res.setMessage("Invalid URI");
                throw new IOException("Invalid URI");
            } else {
                // Redoing the URI decoding
                req.getURLDecoder().convert(req.decodedURI(), true);
            }
        }

Here are the issues ..

1. There does not seem to be a way to control the value of
getUseURIValidationHack from any config file.

2. The code in validate() seems to perform checks that only a 'file servlet'
should be checking. Any generic servlet should be able to perform its own
checking of the URI. In particular, the validate() routine is marking URIs
with a %2f in them as invalid. I do not think that .. in general .. this is
true. Again .. it should be up to each servlet to make that decision. This
might sound familiar .. but JRun, WebLogic, ServletExec all make these types
of decisions in their file servlet .. so as not to affect what these escaped
special characters might mean to some other servlet. It is not clear to me
that the validate() call should 'normalize' any of the escaped characters ..
let the servlets do it.

Thanks in advance for any help ..
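Added illustration, not Tomcat's CoyoteAdapter code: a small Python model of the kind of container-level check the message discusses. The strict mode mirrors the behaviour objected to above (any encoded slash in the raw URI rejects the request for every servlet); the non-strict mode leaves that choice to the servlet and only normalizes the path after a single percent-decode so no servlet ever receives a '..' segment. Names such as validate_uri and normalize_path are assumptions for this example.

```python
from urllib.parse import unquote

# Constructed example, not Tomcat's validate(). Encoded forward and back
# slashes that a container-wide check might refuse before decoding.
ENCODED_SLASHES = ("%2f", "%2F", "%5c", "%5C")


def normalize_path(path: str):
    """Collapse '.' and '..' segments; return None if '..' would escape the root."""
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not out:
                return None  # traversal above the context root
            out.pop()
        else:
            out.append(seg)
    return "/" + "/".join(out)


def validate_uri(raw_uri: str, strict: bool = True):
    """Return the normalized, decoded path, or None if the URI is rejected.

    strict=True: reject any encoded slash in the raw URI (container decides).
    strict=False: decode once, then normalize (servlet decides what %2f means).
    """
    # Separate the query before decoding so an encoded '?' cannot split it.
    path = raw_uri.split("?", 1)[0]
    if "%00" in path or "\0" in path:
        return None
    if strict and any(tok in path for tok in ENCODED_SLASHES):
        return None
    decoded = unquote(path)  # exactly one decode; the result is never re-decoded
    return normalize_path(decoded)
```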
