From: Lenny Karpel
To: "'tomcat-dev@jakarta.apache.org'"
Subject: Problems with CoyoteAdapter URI validation 'hack'
Date: Tue, 14 May 2002 13:35:46 -0700

Does anyone know anything about the following code in:

    org.apache.coyote.tomcat4.CoyoteConnector

    // Additional URI normalization and validation is needed for security
    // reasons on Tomcat 4.0.x
    if (connector.getUseURIValidationHack()) {
        String uri = validate(request.getRequestURI());
        if (uri == null) {
            res.setStatus(400);
            res.setMessage("Invalid URI");
            throw new IOException("Invalid URI");
        } else {
            req.requestURI().setString(uri);
            // Redoing the URI decoding
            req.decodedURI().duplicate(req.requestURI());
            req.getURLDecoder().convert(req.decodedURI(), true);
        }
    }

Here are the issues ..

1. There does not seem to be a way to control the value of getUseURIValidationHack from any config file.

2. The code in validate() seems to perform checks that only a 'file servlet' should be checking. Any generic servlet should be able to perform its own checking of the URI. Specifically, the validate() routine is marking URIs with a %2f in them as invalid. I do not think that .. in general .. this is true. Again .. it should be up to each servlet to make that decision. This might sound familiar .. but JRun, WebLogic, ServletExec all make these types of decisions in their file servlet .. so as not to affect what these escaped special characters might mean to some other servlet. It is not clear to me that the validate() call should 'normalize' any of the escaped characters .. let the servlets do it.

Thanks in advance for any help ..
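The per-servlet handling of %2f that the message argues for, as an added example that is not part of the original message and is not Tomcat's validate() code: a file-serving path check that decodes and confines the path to a document root, next to a generic handler that splits on literal slashes before decoding. The class name, method names, document root and sample request paths are all constructed for illustration.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.util.*;
public class EncodedSlashDemo {
    // Percent-decode an ASCII path or segment; malformed input throws.
    static String decode(String s) {
        if (!s.chars().allMatch(ch -> ch < 0x80)) throw new IllegalArgumentException("non-ASCII");
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c != '%') { out.write(c); continue; }
            if (i + 2 >= s.length()) throw new IllegalArgumentException("bad escape");
            int hi = Character.digit(s.charAt(i + 1), 16);
            int lo = Character.digit(s.charAt(i + 2), 16);
            if (hi < 0 || lo < 0) throw new IllegalArgumentException("bad escape");
            out.write(hi * 16 + lo);
            i += 2;
        }
        return new String(out.toByteArray(), StandardCharsets.UTF_8);
    }

    // File-servlet policy: decode the whole path, resolve it under the
    // document root, return null if it contains NUL/backslash or escapes.
    static Path resolveFile(Path docRoot, String rawPath) {
        String p = decode(rawPath);
        if (p.indexOf('\0') >= 0 || p.indexOf('\\') >= 0) return null;
        Path root = docRoot.toAbsolutePath().normalize();
        Path target = root.resolve(p.replaceFirst("^/+", "")).normalize();
        return target.startsWith(root) ? target : null;
    }

    // Generic-servlet policy: split on literal '/', then decode each
    // segment, so an encoded slash stays data inside one segment.
    static List<String> segments(String rawPath) {
        List<String> out = new ArrayList<>();
        for (String seg : rawPath.split("/"))
            if (!seg.isEmpty()) out.add(decode(seg));
        return out;
    }

    public static void main(String[] args) {
        Path root = Paths.get("/srv/www"); // constructed document root
        String[] samples = {               // constructed request paths
            "/docs/index.html", "/docs%2f..%2f..%2fsecret.txt", "/items/AC%2FDC/info" };
        for (String raw : samples)
            System.out.println(raw + " -> file=" + resolveFile(root, raw) + " segments=" + segments(raw));
    }
}
```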