tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ma...@apache.org
Subject svn commit: r681197 - in /tomcat: container/tc5.5.x/catalina/src/share/org/apache/catalina/core/ container/tc5.5.x/catalina/src/share/org/apache/catalina/deploy/ container/tc5.5.x/webapps/docs/ current/tc5.5.x/
Date Wed, 30 Jul 2008 20:38:45 GMT
Author: markt
Date: Wed Jul 30 13:38:44 2008
New Revision: 681197

URL: http://svn.apache.org/viewvc?rev=681197&view=rev
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=43079 and https://issues.apache.org/bugzilla/show_bug.cgi?id=43080
Move odd url-pattern warning to StandardContext so a) we catch all patterns and b) it isn't
logged to the wrong webapp
Based on a patch by John Kew

Modified:
    tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/core/StandardContext.java
    tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/deploy/SecurityCollection.java
    tomcat/container/tc5.5.x/webapps/docs/changelog.xml
    tomcat/current/tc5.5.x/STATUS.txt

Modified: tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/core/StandardContext.java
URL: http://svn.apache.org/viewvc/tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/core/StandardContext.java?rev=681197&r1=681196&r2=681197&view=diff
==============================================================================
--- tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/core/StandardContext.java
(original)
+++ tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/core/StandardContext.java
Wed Jul 30 13:38:44 2008
@@ -4837,20 +4837,38 @@
             getLogger().warn(sm.getString("standardContext.crlfinurl",urlPattern));
         }
         if (urlPattern.startsWith("*.")) {
-            if (urlPattern.indexOf('/') < 0)
+            if (urlPattern.indexOf('/') < 0) {
+                checkUnusualURLPattern(urlPattern);
                 return (true);
-            else
+            } else
                 return (false);
         }
         if ( (urlPattern.startsWith("/")) &&
-                (urlPattern.indexOf("*.") < 0))
+                (urlPattern.indexOf("*.") < 0)) {
+            checkUnusualURLPattern(urlPattern);
             return (true);
-        else
+        } else
             return (false);
 
     }
 
 
+    /**
+     * Check for unusual but valid <code>&lt;url-pattern&gt;</code>s.
+     * See Bugzilla 34805, 43079 & 43080
+     */
+    private void checkUnusualURLPattern(String urlPattern) {
+        if (log.isInfoEnabled()) {
+            if(urlPattern.endsWith("*") && (urlPattern.length() < 2 ||
+                    urlPattern.charAt(urlPattern.length()-2) != '/')) {
+                log.info("Suspicious url pattern: \"" + urlPattern + "\"" +
+                        " in context [" + getName() + "] - see" +
+                        " section SRV.11.2 of the Servlet specification" );
+            }
+        }
+    }
+
+
     // ------------------------------------------------------------- Operations
 
 

Modified: tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/deploy/SecurityCollection.java
URL: http://svn.apache.org/viewvc/tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/deploy/SecurityCollection.java?rev=681197&r1=681196&r2=681197&view=diff
==============================================================================
--- tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/deploy/SecurityCollection.java
(original)
+++ tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/deploy/SecurityCollection.java
Wed Jul 30 13:38:44 2008
@@ -21,9 +21,6 @@
 
 import org.apache.catalina.util.RequestUtil;
 
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-
 import java.io.Serializable;
 
 
@@ -44,9 +41,6 @@
 
 public class SecurityCollection implements Serializable {
 
-    private static Log log = LogFactory.getLog(SecurityCollection.class);
-
-
     // ----------------------------------------------------------- Constructors
 
 
@@ -188,17 +182,6 @@
         if (pattern == null)
             return;
 
-        // Bugzilla 34805: add friendly warning.
-        if(pattern.endsWith("*")) {
-          if (pattern.charAt(pattern.length()-1) != '/') {
-            if (log.isDebugEnabled()) {
-              log.warn("Suspicious url pattern: \"" + pattern + "\"" +
-                       " - see http://java.sun.com/aboutJava/communityprocess/first/jsr053/servlet23_PFD.pdf"
+
-                       "  section 11.2" );
-            }
-          }
-        }
-
         pattern = RequestUtil.URLDecode(pattern);
         String results[] = new String[patterns.length + 1];
         for (int i = 0; i < patterns.length; i++) {

Modified: tomcat/container/tc5.5.x/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/container/tc5.5.x/webapps/docs/changelog.xml?rev=681197&r1=681196&r2=681197&view=diff
==============================================================================
--- tomcat/container/tc5.5.x/webapps/docs/changelog.xml (original)
+++ tomcat/container/tc5.5.x/webapps/docs/changelog.xml Wed Jul 30 13:38:44 2008
@@ -54,6 +54,14 @@
         context.xml files. (markt)
       </fix>
       <fix>
+        <bug>43079</bug>: Correct pattern verification for suspicious URLs.
+        Patch provided by John Kew. (markt)
+      </fix>
+      <fix>
+        <bug>43080</bug>: Log suspicious URL pattern warnings to the correct
+        web application. (markt)
+      </fix>
+      <fix>
         <bug>43117</bug>: Setting an empty workDIR could delete all of
         CATALINA_HOME. Patch provided by Takayuki Kaneko. (markt)
       </fix>

Modified: tomcat/current/tc5.5.x/STATUS.txt
URL: http://svn.apache.org/viewvc/tomcat/current/tc5.5.x/STATUS.txt?rev=681197&r1=681196&r2=681197&view=diff
==============================================================================
--- tomcat/current/tc5.5.x/STATUS.txt (original)
+++ tomcat/current/tc5.5.x/STATUS.txt Wed Jul 30 13:38:44 2008
@@ -86,15 +86,6 @@
   +1: markt, yoavs
   -1: 
 
-* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=43079
-  and https://issues.apache.org/bugzilla/show_bug.cgi?id=43080
-  http://svn.apache.org/viewvc?rev=653195&view=rev
-  Move odd url-pattern warning to StandardContext so a) we catch all patterns
-  and b) it isn't logged to the wrong webapp
-  Based on a patch by John Kew
-  +1: markt, fhanik, yoavs
-  -1: 
-
 * Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=44021
   and https://issues.apache.org/bugzilla/show_bug.cgi?id=43013
   Add support for # to signify multi-level contexts for directories and



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message