tomcat-dev mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: svn commit: r1187916 - in /tomcat/jk/trunk: native/iis/jk_isapi_plugin.c xdocs/miscellaneous/changelog.xml
Date Tue, 25 Oct 2011 18:03:40 GMT
Rainer,

On 10/23/2011 12:19 PM, rjung@apache.org wrote:
> +/*
> + * Find the first occurrence of path in uri tokenized by "/".
> + * The comparison is done case insensitive.
> + */
> +static const char *find_path_in_uri(const char *uri, const char *path)
> +{
> +    size_t len = strlen(path);
> +    while (uri = strchr(uri, '/')) {

I think "//" in a URL will cause this loop to exit early, possibly
avoiding this security check.

> +        uri++;
> +        if (!strncmp(uri, path, len) &&

strncmp doesn't use case-insensitive compare: will this ever match if
you use "web-inf" (as below)?

> +            (*(uri + len) == '/' ||
> +             strlen(uri) == len)) {
> +            return uri;
> +        }
> +    }
> +    return NULL;
> +}
> +
>  static int uri_is_web_inf(const char *uri)
>  {
> -    if (stristr(uri, "/web-inf")) {
> +    if (find_path_in_uri(uri, "web-inf")) {
>          return JK_TRUE;
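
Review bot: in `find_path_in_uri` the comment promises a case-insensitive comparison, but `strncmp(uri, path, len)` compares case-sensitively, so with the caller passing lowercase "web-inf" only a lowercase segment matches, whereas the removed `stristr(uri, "/web-inf")` check was, by its name, case-insensitive. Use a case-insensitive bounded compare there so the code agrees with its comment. Two smaller points in the same function: write the loop condition as `while ((uri = strchr(uri, '/')) != NULL)` so the assignment is clearly intended, and replace `strlen(uri) == len` with `*(uri + len) == '\0'`, which tests the same thing once `strncmp` has matched and does not rescan the string.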

This will return JK_TRUE if "web-inf" occurs at any place in the path,
not just at the context level. Is that a problem? I can imagine that a
request for /context/foo/WEB-INF/something might be valid.

-chris

