Subject: svn commit: r892777 - in /tomcat/tc6.0.x/trunk: ./ java/org/apache/coyote/ajp/ java/org/apache/coyote/http11/ java/org/apache/jk/common/ java/org/apache/tomcat/util/http/ java/org/apache/tomcat/util/http/res/ webapps/docs/ webapps/docs/config/
Date: Mon, 21 Dec 2009 11:46:42 -0000
To: dev@tomcat.apache.org
Reply-To: "Tomcat Developers List" <dev@tomcat.apache.org>
From: markt@apache.org
Message-Id: <20091221114643.5D37E2388A5B@eris.apache.org>

Author: markt
Date: Mon Dec 21 11:46:42 2009
New Revision: 892777

URL: http://svn.apache.org/viewvc?rev=892777&view=rev
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=47963
Prevent use of non-RFC2616 compliant custom status messages

Added:
    tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/res/LocalStrings_ja.properties   (with props)
Modified:
    tomcat/tc6.0.x/trunk/STATUS.txt
    tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpAprProcessor.java
    tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpProcessor.java
    tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/InternalAprOutputBuffer.java
    tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/InternalNioOutputBuffer.java
    tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/InternalOutputBuffer.java
    tomcat/tc6.0.x/trunk/java/org/apache/jk/common/JkInputStream.java
    tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/HttpMessages.java
    tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/res/LocalStrings.properties
    tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/res/LocalStrings_es.properties
    tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/res/LocalStrings_fr.properties
    tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
    tomcat/tc6.0.x/trunk/webapps/docs/config/systemprops.xml

Modified: tomcat/tc6.0.x/trunk/STATUS.txt
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=892777&r1=892776&r2=892777&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/STATUS.txt (original)
+++ tomcat/tc6.0.x/trunk/STATUS.txt Mon Dec 21 11:46:42 2009
@@ -329,9 +329,3 @@ http://svn.apache.org/viewvc?rev=892341&view=rev +1: markt, rjung -1: - -* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=47963 - Prevent use of non-RFC2616 compliant custom status messages - http://people.apache.org/~markt/patches/2009-12-21-bug47963.patch - +1: markt, kkolinko, rjung - -1: Modified: tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpAprProcessor.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpAprProcessor.java?rev=892777&r1=892776&r2=892777&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpAprProcessor.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpAprProcessor.java Mon Dec 21 11:46:42 2009 @@ -953,13 +953,12 @@ // HTTP header contents responseHeaderMessage.appendInt(response.getStatus()); String message = null; - if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER) { + if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER && + HttpMessages.isSafeInHttpHeader(response.getMessage())) { message = response.getMessage(); } if (message == null){ message = HttpMessages.getMessage(response.getStatus()); - } else { - message = message.replace('\n', ' ').replace('\r', ' '); } if (message == null) { // mod_jk + httpd 2.x fails with a null status message - bug 45026 Modified: tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpProcessor.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpProcessor.java?rev=892777&r1=892776&r2=892777&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpProcessor.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpProcessor.java Mon Dec 21 11:46:42 2009 
@@ -958,13 +958,12 @@ // HTTP header contents responseHeaderMessage.appendInt(response.getStatus()); String message = null; - if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER) { + if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER && + HttpMessages.isSafeInHttpHeader(response.getMessage())) { message = response.getMessage(); } if (message == null){ message = HttpMessages.getMessage(response.getStatus()); - } else { - message = message.replace('\n', ' ').replace('\r', ' '); } if (message == null) { // mod_jk + httpd 2.x fails with a null status message - bug 45026 Modified: tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/InternalAprOutputBuffer.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/InternalAprOutputBuffer.java?rev=892777&r1=892776&r2=892777&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/InternalAprOutputBuffer.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/InternalAprOutputBuffer.java Mon Dec 21 11:46:42 2009 
@@ -422,13 +422,14 @@ // Write message String message = null; - if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER) { + if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER && + HttpMessages.isSafeInHttpHeader(response.getMessage())) { message = response.getMessage(); } if (message == null) { write(HttpMessages.getMessage(status)); } else { - write(message.replace('\n', ' ').replace('\r', ' ')); + write(message); } // End the response status line Modified: tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/InternalNioOutputBuffer.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/InternalNioOutputBuffer.java?rev=892777&r1=892776&r2=892777&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/InternalNioOutputBuffer.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/InternalNioOutputBuffer.java Mon Dec 21 11:46:42 2009 @@ -480,13 +480,14 @@ // Write message String message = null; - if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER) { + if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER && + HttpMessages.isSafeInHttpHeader(response.getMessage())) { message = response.getMessage(); } if (message == null) { write(HttpMessages.getMessage(status)); } else { - write(message.replace('\n', ' ').replace('\r', ' ')); + write(message); } // End the response status line Modified: tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/InternalOutputBuffer.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/InternalOutputBuffer.java?rev=892777&r1=892776&r2=892777&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/InternalOutputBuffer.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/InternalOutputBuffer.java Mon Dec 21 11:46:42 2009 
@@ -439,13 +439,14 @@ // Write message String message = null; - if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER) { + if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER && + HttpMessages.isSafeInHttpHeader(response.getMessage())) { message = response.getMessage(); } if (message == null) { write(HttpMessages.getMessage(status)); } else { - write(message.replace('\n', ' ').replace('\r', ' ')); + write(message); } // End the response status line Modified: tomcat/tc6.0.x/trunk/java/org/apache/jk/common/JkInputStream.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/jk/common/JkInputStream.java?rev=892777&r1=892776&r2=892777&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/jk/common/JkInputStream.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/jk/common/JkInputStream.java Mon Dec 21 11:46:42 2009 
@@ -280,13 +280,12 @@ outputMsg.appendInt( res.getStatus() ); String message = null; - if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER) { + if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER && + HttpMessages.isSafeInHttpHeader(res.getMessage())) { message = res.getMessage(); } - if( message==null ){ + if (message == null) { message= HttpMessages.getMessage(res.getStatus()); - } else { - message = message.replace('\n', ' ').replace('\r', ' '); } if (message == null) { // mod_jk + httpd 2.x fails with a null status message - bug 45026 Modified: tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/HttpMessages.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/HttpMessages.java?rev=892777&r1=892776&r2=892777&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/HttpMessages.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/HttpMessages.java Mon Dec 21 11:46:42 2009 
@@ -104,4 +104,35 @@ return (result.toString()); } + /** + * Is the provided message safe to use in an HTTP header. Safe messages must + * meet the requirements of RFC2616 - i.e. must consist only of TEXT. + * + * @param msg The message to test + * @return true if the message is safe to use in an HTTP + * header else false + */ + public static boolean isSafeInHttpHeader(String msg) { + // Nulls are fine. It is up to the calling code to address any NPE + // concerns + if (msg == null) { + return true; + } + + // Reason-Phrase is defined as * + // TEXT is defined as any OCTET except CTLs, but including LWS + // OCTET is defined as an 8-bit sequence of data + // CTL is defined as octets 0-31 and 127 + // LWS, if we exclude CR LF pairs, is defined as SP or HT (32, 9) + final int len = msg.length(); + for (int i = 0; i < len; i++) { + char c = msg.charAt(i); + if (32 <= c && c <= 126 || 128 <= c && c <= 255 || c == 9) { + continue; + } + return false; + } + + return true; + } } Modified: tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/res/LocalStrings.properties URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/res/LocalStrings.properties?rev=892777&r1=892776&r2=892777&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/res/LocalStrings.properties (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/res/LocalStrings.properties Mon Dec 21 11:46:42 2009 
@@ -13,7 +13,8 @@ # See the License for the specific language governing permissions and # limitations under the License. -# HttpMessages +# HttpMessages. The values in this file will be used in HTTP headers and as such +# may only contain TEXT as defined by RFC 2616 sc.100=Continue sc.101=Switching Protocols sc.200=OK Modified: tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/res/LocalStrings_es.properties URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/res/LocalStrings_es.properties?rev=892777&r1=892776&r2=892777&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/res/LocalStrings_es.properties (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/res/LocalStrings_es.properties Mon Dec 21 11:46:42 2009 @@ -13,7 +13,8 @@ # See the License for the specific language governing permissions and # limitations under the License. -# HttpMessages +# HttpMessages. The values in this file will be used in HTTP headers and as such +# may only contain TEXT as defined by RFC 2616 sc.100=Continuar sc.101=Cambiando Protocolos sc.200=OK Modified: tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/res/LocalStrings_fr.properties URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/res/LocalStrings_fr.properties?rev=892777&r1=892776&r2=892777&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/res/LocalStrings_fr.properties (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/res/LocalStrings_fr.properties Mon Dec 21 11:46:42 2009 
@@ -13,6 +13,8 @@ # See the License for the specific language governing permissions and # limitations under the License. +# HttpMessages. The values in this file will be used in HTTP headers and as such +# may only contain TEXT as defined by RFC 2616 sc.100=Continuer sc.101=Changement de Protocols sc.200=OK Added: tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/res/LocalStrings_ja.properties URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/res/LocalStrings_ja.properties?rev=892777&view=auto ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/res/LocalStrings_ja.properties (added) +++ tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/res/LocalStrings_ja.properties Mon Dec 21 11:46:42 2009 
@@ -0,0 +1,63 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# HttpMessages. The values in this file will be used in HTTP headers and as such +# may only contain TEXT as defined by RFC 2616. Since Japanese language messages +# do not meet this requirement, English text is used. 
+sc.100=Continue +sc.101=Switching Protocols +sc.200=OK +sc.201=Created +sc.202=Accepted +sc.203=Non-Authoritative Information +sc.204=No Content +sc.205=Reset Content +sc.206=Partial Content +sc.207=Multi-Status +sc.300=Multiple Choices +sc.301=Moved Permanently +sc.302=Moved Temporarily +sc.303=See Other +sc.304=Not Modified +sc.305=Use Proxy +sc.307=Temporary Redirect +sc.400=Bad Request +sc.401=Unauthorized +sc.402=Payment Required +sc.403=Forbidden +sc.404=Not Found +sc.405=Method Not Allowed +sc.406=Not Acceptable +sc.407=Proxy Authentication Required +sc.408=Request Timeout +sc.409=Conflict +sc.410=Gone +sc.411=Length Required +sc.412=Precondition Failed +sc.413=Request Entity Too Large +sc.414=Request-URI Too Long +sc.415=Unsupported Media Type +sc.416=Requested Range Not Satisfiable +sc.417=Expectation Failed +sc.422=Unprocessable Entity +sc.423=Locked +sc.424=Failed Dependency +sc.500=Internal Server Error +sc.501=Not Implemented +sc.502=Bad Gateway +sc.503=Service Unavailable +sc.504=Gateway Timeout +sc.505=HTTP Version Not Supported +sc.507=Insufficient Storage Propchange: tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/res/LocalStrings_ja.properties ------------------------------------------------------------------------------ svn:eol-style = native Propchange: tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/res/LocalStrings_ja.properties ------------------------------------------------------------------------------ svn:keywords = Date Author Id Revision Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=892777&r1=892776&r2=892777&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original) +++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Mon Dec 21 11:46:42 2009 
@@ -391,6 +391,10 @@ Greg Vanore. (markt) + 47963: Ensure that any HTTP status messages are compliant + with RFC2616. (markt/kkolinko) + + 47987: Limit size of not found resources cache. (markt) Modified: tomcat/tc6.0.x/trunk/webapps/docs/config/systemprops.xml URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/config/systemprops.xml?rev=892777&r1=892776&r2=892777&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/webapps/docs/config/systemprops.xml (original) +++ tomcat/tc6.0.x/trunk/webapps/docs/config/systemprops.xml Mon Dec 21 11:46:42 2009 @@ -191,11 +191,11 @@

If this is - true custom HTTP status messages will be used within HTTP - headers. Users must ensure that any such message is ISO-8859-1 encoded, - particularly if user provided input is included in the message, to prevent - a possible XSS vulnerability. If not specified the default value of - false will be used.

+ true, custom HTTP status messages will be used within HTTP + headers. If a custom message is specified that is not valid for use in an + HTTP header (as defined by RFC2616) then the custom message will be + ignored and the default message used. If not specified, the default value + of false will be used.
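Review bot: in the HttpMessages.java hunk, the new isSafeInHttpHeader check is applied only to the custom message; the default returned by HttpMessages.getMessage(status), which comes from the LocalStrings*.properties bundles, is still written to the status line unchecked, and the only guard on those bundles is the new header comment asking that values be RFC 2616 TEXT. Since the Japanese bundle already had to fall back to English for exactly this reason, consider running the same check inside getMessage() (or adding a unit test that walks every bundle) so that a future translation containing a character outside 9, 32-126 and 128-255 cannot reach the wire. Minor: writing the condition as (32 <= c && c <= 126) || (128 <= c && c <= 255) || c == 9 makes the intended precedence explicit for the next reader.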

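Review bot: the systemprops.xml hunk says an invalid custom message is "ignored and the default message used" but does not say what "valid for use in an HTTP header" means, and it drops the previous paragraph's note about user-provided input. Because the processor hunks remove the old message.replace('\n', ' ').replace('\r', ' ') sanitising step and isSafeInHttpHeader rejects rather than repairs, a custom message containing CR, LF, DEL or any other control character is now silently replaced by the default with nothing logged. Suggest stating the accepted character set here (HT, printable ASCII 32-126 and octets 128-255, i.e. RFC 2616 TEXT without CR or LF) and adding a debug-level log line in the processors when a custom message is discarded, so the behaviour change is visible to administrators who relied on the old replacement.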
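Review bot: in the JkInputStream.java hunk the line if( message==null ){ is reformatted to if (message == null) { while the next line, message= HttpMessages.getMessage(res.getStatus());, keeps its missing space before =; either leave the whitespace alone or fix both so the hunk reads as a pure behaviour change. Also, in this and each of the other processor hunks res.getMessage() / response.getMessage() is evaluated twice, once in the guard and once for the assignment; reading it into a local first and testing that local avoids depending on the getter being side-effect free and returning the same value on both calls.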