Return-Path:
Delivered-To: apmail-tomcat-dev-archive@www.apache.org
Received: (qmail 6843 invoked from network); 3 Jul 2008 22:04:03 -0000
Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2)
by minotaur.apache.org with SMTP; 3 Jul 2008 22:04:03 -0000
Received: (qmail 80722 invoked by uid 500); 3 Jul 2008 22:03:32 -0000
Delivered-To: apmail-tomcat-dev-archive@tomcat.apache.org
Received: (qmail 80669 invoked by uid 500); 3 Jul 2008 22:03:32 -0000
Mailing-List: contact dev-help@tomcat.apache.org; run by ezmlm
Precedence: bulk
List-Help:
List-Unsubscribe:
List-Post:
List-Id:
Reply-To: "Tomcat Developers List"
Delivered-To: mailing list dev@tomcat.apache.org
Received: (qmail 80654 invoked by uid 500); 3 Jul 2008 22:03:31 -0000
Delivered-To: apmail-jakarta-tomcat-dev@jakarta.apache.org
Received: (qmail 80648 invoked by uid 99); 3 Jul 2008 22:03:31 -0000
Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136)
by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 03 Jul 2008 15:03:31 -0700
X-ASF-Spam-Status: No, hits=-2000.0 required=10.0
tests=ALL_TRUSTED
X-Spam-Check-By: apache.org
Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4)
by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 03 Jul 2008 22:02:49 +0000
Received: by eris.apache.org (Postfix, from userid 65534)
id EC44F23889BB; Thu, 3 Jul 2008 15:03:09 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: svn commit: r673834 - in /tomcat/tc6.0.x/trunk: ./
java/org/apache/catalina/core/ java/org/apache/coyote/
java/org/apache/coyote/ajp/ java/org/apache/coyote/http11/
java/org/apache/jk/common/ webapps/docs/config/
Date: Thu, 03 Jul 2008 22:03:09 -0000
To: tomcat-dev@jakarta.apache.org
From: markt@apache.org
X-Mailer: svnmailer-1.0.8
Message-Id: <20080703220309.EC44F23889BB@eris.apache.org>
X-Virus-Checked: Checked by ClamAV on apache.org
Author: markt
Date: Thu Jul 3 15:03:08 2008
New Revision: 673834
URL: http://svn.apache.org/viewvc?rev=673834&view=rev
Log:
Make filtering of \r and \n in headers consistent for all connectors.
Make handling of 404s consistent across components.
Provide option to include custom status message in headers. SRV.5.3 suggests custom messages are intended for the body of the response, not the status line.
Modified:
tomcat/tc6.0.x/trunk/ (props changed)
tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/StandardContextValve.java
tomcat/tc6.0.x/trunk/java/org/apache/coyote/Constants.java
tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpAprProcessor.java
tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpProcessor.java
tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/InternalAprOutputBuffer.java
tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/InternalNioOutputBuffer.java
tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/InternalOutputBuffer.java
tomcat/tc6.0.x/trunk/java/org/apache/jk/common/JkInputStream.java
tomcat/tc6.0.x/trunk/webapps/docs/config/systemprops.xml
Propchange: tomcat/tc6.0.x/trunk/
------------------------------------------------------------------------------
svn:mergeinfo = /tomcat/trunk:673796
Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/StandardContextValve.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/StandardContextValve.java?rev=673834&r1=673833&r2=673834&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/StandardContextValve.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/StandardContextValve.java Thu Jul 3 15:03:08 2008
@@ -120,8 +120,7 @@
|| (requestPathMB.equalsIgnoreCase("/META-INF"))
|| (requestPathMB.startsWithIgnoreCase("/WEB-INF/", 0))
|| (requestPathMB.equalsIgnoreCase("/WEB-INF"))) {
- String requestURI = request.getDecodedRequestURI();
- notFound(requestURI, response);
+ notFound(response);
return;
}
@@ -148,15 +147,13 @@
// Select the Wrapper to be used for this Request
Wrapper wrapper = request.getWrapper();
if (wrapper == null) {
- String requestURI = request.getDecodedRequestURI();
- notFound(requestURI, response);
+ notFound(response);
return;
} else if (wrapper.isUnavailable()) {
// May be as a result of a reload, try and find the new wrapper
wrapper = (Wrapper) container.findChild(wrapper.getName());
if (wrapper == null) {
- String requestURI = request.getDecodedRequestURI();
- notFound(requestURI, response);
+ notFound(response);
return;
}
}
@@ -305,13 +302,12 @@
* application, but currently that code runs at the wrapper level rather
* than the context level.
*
- * @param requestURI The request URI for the requested resource
* @param response The response we are creating
*/
- private void notFound(String requestURI, HttpServletResponse response) {
+ private void notFound(HttpServletResponse response) {
try {
- response.sendError(HttpServletResponse.SC_NOT_FOUND, requestURI);
+ response.sendError(HttpServletResponse.SC_NOT_FOUND);
} catch (IllegalStateException e) {
;
} catch (IOException e) {
Modified: tomcat/tc6.0.x/trunk/java/org/apache/coyote/Constants.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/coyote/Constants.java?rev=673834&r1=673833&r2=673834&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/coyote/Constants.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/coyote/Constants.java Thu Jul 3 15:03:08 2008
@@ -60,5 +60,12 @@
(System.getSecurityManager() != null);
+ /**
+ * If true, custom HTTP status messages will be used in headers.
+ */
+ public static final boolean USE_CUSTOM_STATUS_MSG_IN_HEADER =
+ Boolean.valueOf(System.getProperty(
+ "org.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER",
+ "false")).booleanValue();
}
Modified: tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpAprProcessor.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpAprProcessor.java?rev=673834&r1=673833&r2=673834&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpAprProcessor.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpAprProcessor.java Thu Jul 3 15:03:08 2008
@@ -917,7 +917,10 @@
// HTTP header contents
responseHeaderMessage.appendInt(response.getStatus());
- String message = response.getMessage();
+ String message = null;
+ if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER) {
+ message = response.getMessage();
+ }
if (message == null){
message = HttpMessages.getMessage(response.getStatus());
} else {
Modified: tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpProcessor.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpProcessor.java?rev=673834&r1=673833&r2=673834&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpProcessor.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpProcessor.java Thu Jul 3 15:03:08 2008
@@ -923,7 +923,10 @@
// HTTP header contents
responseHeaderMessage.appendInt(response.getStatus());
- String message = response.getMessage();
+ String message = null;
+ if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER) {
+ message = response.getMessage();
+ }
if (message == null){
message = HttpMessages.getMessage(response.getStatus());
} else {
Modified: tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/InternalAprOutputBuffer.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/InternalAprOutputBuffer.java?rev=673834&r1=673833&r2=673834&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/InternalAprOutputBuffer.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/InternalAprOutputBuffer.java Thu Jul 3 15:03:08 2008
@@ -421,11 +421,14 @@
buf[pos++] = Constants.SP;
// Write message
- String message = response.getMessage();
+ String message = null;
+ if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER) {
+ message = response.getMessage();
+ }
if (message == null) {
write(HttpMessages.getMessage(status));
} else {
- write(message);
+ write(message.replace('\n', ' ').replace('\r', ' '));
}
// End the response status line
Modified: tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/InternalNioOutputBuffer.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/InternalNioOutputBuffer.java?rev=673834&r1=673833&r2=673834&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/InternalNioOutputBuffer.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/InternalNioOutputBuffer.java Thu Jul 3 15:03:08 2008
@@ -479,11 +479,14 @@
buf[pos++] = Constants.SP;
// Write message
- String message = response.getMessage();
+ String message = null;
+ if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER) {
+ message = response.getMessage();
+ }
if (message == null) {
write(HttpMessages.getMessage(status));
} else {
- write(message);
+ write(message.replace('\n', ' ').replace('\r', ' '));
}
// End the response status line
Modified: tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/InternalOutputBuffer.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/InternalOutputBuffer.java?rev=673834&r1=673833&r2=673834&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/InternalOutputBuffer.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/InternalOutputBuffer.java Thu Jul 3 15:03:08 2008
@@ -438,11 +438,14 @@
buf[pos++] = Constants.SP;
// Write message
- String message = response.getMessage();
+ String message = null;
+ if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER) {
+ message = response.getMessage();
+ }
if (message == null) {
- write(getMessage(status));
+ write(HttpMessages.getMessage(status));
} else {
- write(message);
+ write(message.replace('\n', ' ').replace('\r', ' '));
}
// End the response status line
Modified: tomcat/tc6.0.x/trunk/java/org/apache/jk/common/JkInputStream.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/jk/common/JkInputStream.java?rev=673834&r1=673833&r2=673834&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/jk/common/JkInputStream.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/jk/common/JkInputStream.java Thu Jul 3 15:03:08 2008
@@ -272,7 +272,10 @@
outputMsg.appendByte(AjpConstants.JK_AJP13_SEND_HEADERS);
outputMsg.appendInt( res.getStatus() );
- String message=res.getMessage();
+ String message = null;
+ if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER) {
+ message = res.getMessage();
+ }
if( message==null ){
message= HttpMessages.getMessage(res.getStatus());
} else {
Modified: tomcat/tc6.0.x/trunk/webapps/docs/config/systemprops.xml
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/config/systemprops.xml?rev=673834&r1=673833&r2=673834&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/config/systemprops.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/config/systemprops.xml Thu Jul 3 15:03:08 2008
@@ -189,6 +189,15 @@
be used.
+ If this is
+ true
custom HTTP status messages will be used within HTTP
+ headers. Users must ensure that any such message is ISO-8859-1 encoded,
+ particularly if user provided input is included in the message, to prevent
+ a possible XSS vulnerability. If not specified the default value of
+ false
will be used.
+
+
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org