Return-Path: Delivered-To: apmail-tomcat-dev-archive@www.apache.org Received: (qmail 6843 invoked from network); 3 Jul 2008 22:04:03 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2) by minotaur.apache.org with SMTP; 3 Jul 2008 22:04:03 -0000 Received: (qmail 80722 invoked by uid 500); 3 Jul 2008 22:03:32 -0000 Delivered-To: apmail-tomcat-dev-archive@tomcat.apache.org Received: (qmail 80669 invoked by uid 500); 3 Jul 2008 22:03:32 -0000 Mailing-List: contact dev-help@tomcat.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: "Tomcat Developers List" Delivered-To: mailing list dev@tomcat.apache.org Received: (qmail 80654 invoked by uid 500); 3 Jul 2008 22:03:31 -0000 Delivered-To: apmail-jakarta-tomcat-dev@jakarta.apache.org Received: (qmail 80648 invoked by uid 99); 3 Jul 2008 22:03:31 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 03 Jul 2008 15:03:31 -0700 X-ASF-Spam-Status: No, hits=-2000.0 required=10.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 03 Jul 2008 22:02:49 +0000 Received: by eris.apache.org (Postfix, from userid 65534) id EC44F23889BB; Thu, 3 Jul 2008 15:03:09 -0700 (PDT) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r673834 - in /tomcat/tc6.0.x/trunk: ./ java/org/apache/catalina/core/ java/org/apache/coyote/ java/org/apache/coyote/ajp/ java/org/apache/coyote/http11/ java/org/apache/jk/common/ webapps/docs/config/ Date: Thu, 03 Jul 2008 22:03:09 -0000 To: tomcat-dev@jakarta.apache.org From: markt@apache.org X-Mailer: svnmailer-1.0.8 Message-Id: <20080703220309.EC44F23889BB@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: markt Date: Thu Jul 3 15:03:08 2008 New Revision: 673834 URL: http://svn.apache.org/viewvc?rev=673834&view=rev Log: Make filtering of \r and \n in headers consistent for all connectors. Make handling of 404s consistent across components. Provide option to include custom status message in headers. SRV.5.3 suggests custom messages are intended for the body of the response, not the status line. Modified: tomcat/tc6.0.x/trunk/ (props changed) tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/StandardContextValve.java tomcat/tc6.0.x/trunk/java/org/apache/coyote/Constants.java tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpAprProcessor.java tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpProcessor.java tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/InternalAprOutputBuffer.java tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/InternalNioOutputBuffer.java tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/InternalOutputBuffer.java tomcat/tc6.0.x/trunk/java/org/apache/jk/common/JkInputStream.java tomcat/tc6.0.x/trunk/webapps/docs/config/systemprops.xml Propchange: tomcat/tc6.0.x/trunk/ ------------------------------------------------------------------------------ svn:mergeinfo = /tomcat/trunk:673796 Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/StandardContextValve.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/StandardContextValve.java?rev=673834&r1=673833&r2=673834&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/StandardContextValve.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/StandardContextValve.java Thu Jul 3 15:03:08 2008 @@ -120,8 +120,7 @@ || (requestPathMB.equalsIgnoreCase("/META-INF")) || (requestPathMB.startsWithIgnoreCase("/WEB-INF/", 0)) || (requestPathMB.equalsIgnoreCase("/WEB-INF"))) { - String requestURI = request.getDecodedRequestURI(); - notFound(requestURI, response); + notFound(response); return; } @@ -148,15 +147,13 @@ // Select the Wrapper to be used for this Request Wrapper wrapper = request.getWrapper(); if (wrapper == null) { - String requestURI = request.getDecodedRequestURI(); - notFound(requestURI, response); + notFound(response); return; } else if (wrapper.isUnavailable()) { // May be as a result of a reload, try and find the new wrapper wrapper = (Wrapper) container.findChild(wrapper.getName()); if (wrapper == null) { - String requestURI = request.getDecodedRequestURI(); - notFound(requestURI, response); + notFound(response); return; } } @@ -305,13 +302,12 @@ * application, but currently that code runs at the wrapper level rather * than the context level. * - * @param requestURI The request URI for the requested resource * @param response The response we are creating */ - private void notFound(String requestURI, HttpServletResponse response) { + private void notFound(HttpServletResponse response) { try { - response.sendError(HttpServletResponse.SC_NOT_FOUND, requestURI); + response.sendError(HttpServletResponse.SC_NOT_FOUND); } catch (IllegalStateException e) { ; } catch (IOException e) { Modified: tomcat/tc6.0.x/trunk/java/org/apache/coyote/Constants.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/coyote/Constants.java?rev=673834&r1=673833&r2=673834&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/coyote/Constants.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/coyote/Constants.java Thu Jul 3 15:03:08 2008 @@ -60,5 +60,12 @@ (System.getSecurityManager() != null); + /** + * If true, custom HTTP status messages will be used in headers. + */ + public static final boolean USE_CUSTOM_STATUS_MSG_IN_HEADER = + Boolean.valueOf(System.getProperty( + "org.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER", + "false")).booleanValue(); } Modified: tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpAprProcessor.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpAprProcessor.java?rev=673834&r1=673833&r2=673834&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpAprProcessor.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpAprProcessor.java Thu Jul 3 15:03:08 2008 @@ -917,7 +917,10 @@ // HTTP header contents responseHeaderMessage.appendInt(response.getStatus()); - String message = response.getMessage(); + String message = null; + if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER) { + message = response.getMessage(); + } if (message == null){ message = HttpMessages.getMessage(response.getStatus()); } else { Modified: tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpProcessor.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpProcessor.java?rev=673834&r1=673833&r2=673834&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpProcessor.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpProcessor.java Thu Jul 3 15:03:08 2008 @@ -923,7 +923,10 @@ // HTTP header contents responseHeaderMessage.appendInt(response.getStatus()); - String message = response.getMessage(); + String message = null; + if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER) { + message = response.getMessage(); + } if (message == null){ message = HttpMessages.getMessage(response.getStatus()); } else { Modified: tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/InternalAprOutputBuffer.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/InternalAprOutputBuffer.java?rev=673834&r1=673833&r2=673834&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/InternalAprOutputBuffer.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/InternalAprOutputBuffer.java Thu Jul 3 15:03:08 2008 @@ -421,11 +421,14 @@ buf[pos++] = Constants.SP; // Write message - String message = response.getMessage(); + String message = null; + if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER) { + message = response.getMessage(); + } if (message == null) { write(HttpMessages.getMessage(status)); } else { - write(message); + write(message.replace('\n', ' ').replace('\r', ' ')); } // End the response status line Modified: tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/InternalNioOutputBuffer.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/InternalNioOutputBuffer.java?rev=673834&r1=673833&r2=673834&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/InternalNioOutputBuffer.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/InternalNioOutputBuffer.java Thu Jul 3 15:03:08 2008 @@ -479,11 +479,14 @@ buf[pos++] = Constants.SP; // Write message - String message = response.getMessage(); + String message = null; + if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER) { + message = response.getMessage(); + } if (message == null) { write(HttpMessages.getMessage(status)); } else { - write(message); + write(message.replace('\n', ' ').replace('\r', ' ')); } // End the response status line Modified: tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/InternalOutputBuffer.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/InternalOutputBuffer.java?rev=673834&r1=673833&r2=673834&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/InternalOutputBuffer.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/InternalOutputBuffer.java Thu Jul 3 15:03:08 2008 @@ -438,11 +438,14 @@ buf[pos++] = Constants.SP; // Write message - String message = response.getMessage(); + String message = null; + if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER) { + message = response.getMessage(); + } if (message == null) { - write(getMessage(status)); + write(HttpMessages.getMessage(status)); } else { - write(message); + write(message.replace('\n', ' ').replace('\r', ' ')); } // End the response status line Modified: tomcat/tc6.0.x/trunk/java/org/apache/jk/common/JkInputStream.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/jk/common/JkInputStream.java?rev=673834&r1=673833&r2=673834&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/jk/common/JkInputStream.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/jk/common/JkInputStream.java Thu Jul 3 15:03:08 2008 @@ -272,7 +272,10 @@ outputMsg.appendByte(AjpConstants.JK_AJP13_SEND_HEADERS); outputMsg.appendInt( res.getStatus() ); - String message=res.getMessage(); + String message = null; + if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER) { + message = res.getMessage(); + } if( message==null ){ message= HttpMessages.getMessage(res.getStatus()); } else { Modified: tomcat/tc6.0.x/trunk/webapps/docs/config/systemprops.xml URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/config/systemprops.xml?rev=673834&r1=673833&r2=673834&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/webapps/docs/config/systemprops.xml (original) +++ tomcat/tc6.0.x/trunk/webapps/docs/config/systemprops.xml Thu Jul 3 15:03:08 2008 @@ -189,6 +189,15 @@ be used.

+

If this is + true custom HTTP status messages will be used within HTTP + headers. Users must ensure that any such message is ISO-8859-1 encoded, + particularly if user provided input is included in the message, to prevent + a possible XSS vulnerability. If not specified the default value of + false will be used.

+ + --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org For additional commands, e-mail: dev-help@tomcat.apache.org