Subject: svn commit: r678137 - in /tomcat/tc6.0.x/trunk: java/org/apache/catalina/connector/CoyoteAdapter.java webapps/docs/changelog.xml
Date: Sat, 19 Jul 2008 11:35:43 -0000
To: tomcat-dev@jakarta.apache.org
From: remm@apache.org X-Mailer: svnmailer-1.0.8 Message-Id: <20080719113543.CB60C23889C2@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: remm Date: Sat Jul 19 04:35:43 2008 New Revision: 678137 URL: http://svn.apache.org/viewvc?rev=678137&view=rev Log: - Additional normalization check. Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/CoyoteAdapter.java tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/CoyoteAdapter.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/CoyoteAdapter.java?rev=678137&r1=678136&r2=678137&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/CoyoteAdapter.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/CoyoteAdapter.java Sat Jul 19 04:35:43 2008 @@ -404,6 +404,12 @@ } // Character decoding convertURI(decodedURI, request); + // Check that the URI is still normalized + if (!checkNormalize(req.decodedURI())) { + res.setStatus(400); + res.setMessage("Invalid URI character encoding"); + return false; + } } else { // The URL is chars or String, and has been sent using an in-memory // protocol handler, we have to assume the URL has been properly @@ -780,6 +786,67 @@ } + /** + * Check that the URI is normalized following character decoding. + *

+ * This method checks for "\", 0, "//", "/./" and "/../". This method will + * return false if sequences that are supposed to be normalized are still + * present in the URI. + * + * @param uriMB URI to be checked (should be chars) + */ + public static boolean checkNormalize(MessageBytes uriMB) { + + CharChunk uriCC = uriMB.getCharChunk(); + char[] c = uriCC.getChars(); + int start = uriCC.getStart(); + int end = uriCC.getEnd(); + + int pos = 0; + + // Check for '\' and 0 + for (pos = start; pos < end; pos++) { + if (c[pos] == '\\') { + return false; + } + if (c[pos] == 0) { + return false; + } + } + + // Check for "//" + for (pos = start; pos < (end - 1); pos++) { + if (c[pos] == '/') { + if (c[pos + 1] == '/') { + return false; + } + } + } + + // Check for ending with "/." or "/.." + if (((end - start) >= 2) && (c[end - 1] == '.')) { + if ((c[end - 2] == '/') + || ((c[end - 2] == '.') + && (c[end - 3] == '/'))) { + return false; + } + } + + // Check for "/./" + if (uriCC.indexOf("/./", 0, 3, 0) >= 0) { + return false; + } + + // Check for "/../" + if (uriCC.indexOf("/../", 0, 4, 0) >= 0) { + return false; + } + + return true; + + } + + // ------------------------------------------------------ Protected Methods Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=678137&r1=678136&r2=678137&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original) +++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Sat Jul 19 04:35:43 2008 @@ -45,6 +45,9 @@ 45285: Look for annotations in class hierarchy. (markt) + + Add additional checks for URI normalization. (remm) + --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org For additional commands, e-mail: dev-help@tomcat.apache.org
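Review bot: In the first CoyoteAdapter.java hunk (@@ -404,6 +404,12 @@) the 400 message "Invalid URI character encoding" names the wrong condition: checkNormalize() rejects a URI that still contains "\", a 0 character, "//", "/./" or "/../" after convertURI() has decoded it, which is a normalization failure rather than a malformed encoding, so a message such as "Invalid URI" (or one saying the decoded URI is not normalized) would read correctly in logs and error pages. Also, the code passes decodedURI to convertURI() but then re-fetches req.decodedURI() for the check; passing the same decodedURI reference to checkNormalize() makes it visible that both calls operate on the same MessageBytes.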
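Review bot: In the checkNormalize() hunk (@@ -780,6 +786,67 @@) the trailing "/.." test can read before the start of the chunk: the guard is `((end - start) >= 2) && (c[end - 1] == '.')`, but when c[end - 2] == '.' the expression goes on to read c[end - 3], which for a two-character URI of ".." is c[start - 1], an ArrayIndexOutOfBoundsException when start == 0 and a stale character from outside the chunk otherwise. Either give that branch its own guard, e.g. `((end - start) >= 3) && (c[end - 2] == '.') && (c[end - 3] == '/')`, or state in the Javadoc that callers must pass a URI that already begins with '/'. The Javadoc should also list the trailing "/." and "/.." checks, which the method performs but the sentence "This method checks for "\", 0, "//", "/./" and "/../"" does not mention. Minor: the '\\'/0 loop and the "//" loop walk the same range and could be a single pass.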
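Review bot: The changelog.xml entry "Add additional checks for URI normalization. (remm)" does not record the user-visible effect: requests whose decoded URI still contains "\", a 0 character, "//", "/./" or "/../", or ends in "/." or "/..", are now rejected with a 400 response, which is what an administrator reading the changelog needs to know. A bug or security reference should also be added if one exists for this change, as the neighbouring entry (45285) has.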