tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ma...@apache.org
Subject svn commit: r1792461 - in /tomcat/tc8.5.x/trunk: ./ java/org/apache/catalina/manager/ java/org/apache/catalina/ssi/ java/org/apache/catalina/util/ java/org/apache/catalina/valves/rewrite/ webapps/docs/
Date Mon, 24 Apr 2017 12:09:00 GMT
Author: markt
Date: Mon Apr 24 12:09:00 2017
New Revision: 1792461

URL: http://svn.apache.org/viewvc?rev=1792461&view=rev
Log:
Review those places where Tomcat re-encodes a URI or URI component and ensure that that correct
encoding (path differs from query string) is applied and that the encoding is applied consistently.

Modified:
    tomcat/tc8.5.x/trunk/   (props changed)
    tomcat/tc8.5.x/trunk/java/org/apache/catalina/manager/HTMLManagerServlet.java
    tomcat/tc8.5.x/trunk/java/org/apache/catalina/ssi/SSIMediator.java
    tomcat/tc8.5.x/trunk/java/org/apache/catalina/util/URLEncoder.java
    tomcat/tc8.5.x/trunk/java/org/apache/catalina/valves/rewrite/RewriteValve.java
    tomcat/tc8.5.x/trunk/java/org/apache/catalina/valves/rewrite/Substitution.java
    tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml

Propchange: tomcat/tc8.5.x/trunk/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Mon Apr 24 12:09:00 2017
@@ -1 +1 @@
-/tomcat/trunk:1734785,1734799,1734845,1734928,1735041,1735044,1735480,1735577,1735597,1735599-1735600,1735615,1736145,1736162,1736209,1736280,1736297,1736299,1736489,1736646,1736703,1736836,1736849,1737104-1737105,1737112,1737117,1737119-1737120,1737155,1737157,1737192,1737280,1737339,1737632,1737664,1737715,1737748,1737785,1737834,1737860,1737903,1737959,1738005,1738007,1738014-1738015,1738018,1738022,1738039,1738043,1738059-1738060,1738147,1738149,1738174-1738175,1738261,1738589,1738623-1738625,1738643,1738816,1738850,1738855,1738946-1738948,1738953-1738954,1738979,1738982,1739079-1739081,1739087,1739113,1739153,1739172,1739176,1739191,1739474,1739726,1739762,1739775,1739814,1739817-1739818,1739975,1740131,1740324,1740465,1740495,1740508-1740509,1740520,1740535,1740707,1740803,1740810,1740969,1740980,1740991,1740997,1741015,1741033,1741036,1741058,1741060,1741080,1741147,1741159,1741164,1741173,1741181,1741190,1741197,1741202,1741208,1741213,1741221,1741225,1741232,1741409,1741501
 ,1741677,1741892,1741896,1741984,1742023,1742042,1742071,1742090,1742093,1742101,1742105,1742111,1742139,1742146,1742148,1742166,1742181,1742184,1742187,1742246,1742248-1742251,1742263-1742264,1742268,1742276,1742369,1742387,1742448,1742509-1742512,1742917,1742919,1742933,1742975-1742976,1742984,1742986,1743019,1743115,1743117,1743124-1743125,1743134,1743425,1743554,1743679,1743696-1743698,1743700-1743701,1744058,1744064-1744065,1744125,1744194,1744229,1744270,1744323,1744432,1744684,1744697,1744705,1744713,1744760,1744786,1745083,1745142-1745143,1745145,1745177,1745179-1745180,1745227,1745248,1745254,1745337,1745467,1745473,1745535,1745576,1745735,1745744,1746304,1746306-1746307,1746319,1746327,1746338,1746340-1746341,1746344,1746427,1746441,1746473,1746490,1746492,1746495-1746496,1746499-1746501,1746503-1746507,1746509,1746549,1746551,1746554,1746556,1746558,1746584,1746620,1746649,1746724,1746939,1746989,1747014,1747028,1747035,1747210,1747225,1747234,1747253,1747404,1747506,1747
 536,1747924,1747980,1747993,1748001,1748253,1748452,1748547,1748629,1748676,1748715,1749287,1749296,1749328,1749373,1749465,1749506,1749508,1749665-1749666,1749763,1749865-1749866,1749898,1749978,1749980,1750011,1750015,1750056,1750480,1750617,1750634,1750692,1750697,1750700,1750703,1750707,1750714,1750718,1750723,1750774,1750899,1750975,1750995,1751061,1751097,1751173,1751438,1751447,1751463,1751702,1752212,1752737,1752745,1753078,1753080,1753358,1753363,1754111,1754140-1754141,1754281,1754310,1754445,1754467,1754494,1754496,1754528,1754532-1754533,1754613,1754714,1754874,1754941,1754944,1754950-1754951,1755005,1755007,1755009,1755132,1755180-1755181,1755185,1755190,1755204-1755206,1755208,1755214,1755224,1755227,1755230,1755629,1755646-1755647,1755650,1755653,1755675,1755680,1755683,1755693,1755717,1755731-1755737,1755812,1755828,1755884,1755890,1755918-1755919,1755942,1755958,1755960,1755970,1755993,1756013,1756019,1756039,1756056,1756083-1756114,1756175,1756288-1756289,1756408-1
 756410,1756778,1756798,1756878,1756898,1756939,1757123-1757124,1757126,1757128,1757132-1757133,1757136,1757145,1757167-1757168,1757175,1757180,1757182,1757195,1757271,1757278,1757347,1757353-1757354,1757363,1757374,1757399,1757406,1757408,1757485,1757495,1757499,1757527,1757578,1757684,1757722,1757727,1757790,1757799,1757813,1757853,1757883,1757903,1757976,1757997,1758000,1758058,1758072-1758075,1758078-1758079,1758223,1758257,1758261,1758276,1758292,1758369,1758378-1758383,1758421,1758423,1758425-1758427,1758430,1758443,1758448,1758459,1758483,1758486-1758487,1758499,1758525,1758556,1758580,1758582,1758584,1758588,1758842,1759019,1759212,1759224,1759227,1759252,1759274,1759513-1759516,1759611,1759757,1759785-1759790,1760005,1760022,1760109-1760110,1760135,1760200-1760201,1760227,1760300,1760397,1760446,1760454,1760640,1760648,1761057,1761422,1761491,1761498,1761500-1761501,1761550,1761553,1761572,1761574,1761625-1761626,1761628,1761682,1761740,1761752,1762051-1762053,1762123,176216
 8,1762172,1762182,1762201-1762202,1762204,1762208,1762288,1762296,1762324,1762348,1762353,1762362,1762374,1762492,1762503,1762505,1762541,1762608,1762710,1762753,1762766,1762769,1762944,1762947,1762953,1763167,1763179,1763232,1763259,1763271-1763272,1763276-1763277,1763319-1763320,1763370,1763372,1763375,1763377,1763393,1763412,1763430,1763450,1763462,1763505,1763511-1763512,1763516,1763518,1763520,1763529,1763559,1763565,1763568,1763574,1763619,1763634-1763635,1763718,1763786,1763798-1763799,1763810,1763813,1763815,1763819,1763831,1764083,1764425,1764646,1764648-1764649,1764659,1764663,1764682,1764862,1764866-1764867,1764870,1764897,1765133,1765299,1765358,1765439,1765447,1765495,1765502,1765569-1765571,1765579,1765582,1765589-1765590,1765794,1765801,1765813,1765815,1766276,1766514,1766533,1766535,1766664,1766675,1766698,1766700,1766822,1766834,1766840,1767047,1767328,1767362,1767368,1767429,1767471,1767505,1767641-1767644,1767903,1767945-1767946,1768123,1768283,1768520,1768569,176
 8651,1768762,1768922,1769191,1769263,1769630,1769833,1769975,1770047,1770140,1770180,1770258,1770389,1770656,1770666,1770718,1770762,1770952,1770954,1770956,1770961,1771087,1771126,1771139,1771143,1771149,1771156,1771266,1771316,1771386,1771611,1771613,1771711,1771718,1771723-1771724,1771730,1771743,1771752,1771853,1771963,1772170,1772174,1772223,1772229,1772318-1772319,1772353,1772355,1772554,1772603-1772609,1772849,1772865,1772870,1772872,1772875-1772876,1772881,1772886,1772947,1773306,1773344,1773418,1773756,1773813-1773814,1774052,1774102,1774131,1774161,1774164,1774248,1774253,1774257,1774259,1774262,1774267,1774271,1774303,1774340,1774406,1774412,1774426,1774433,1774522-1774523,1774526,1774528-1774529,1774531,1774732-1774736,1774738-1774739,1774741-1774742,1774749,1774755,1774789,1774858,1774867,1775596,1775985-1775986,1776540,1776937,1776954,1777011,1777173,1777189,1777211,1777524,1777546,1777605,1777619,1777647,1777721-1777722,1777967,1778061,1778138-1778139,1778141-1778150,
 1778154,1778275-1778276,1778295,1778342,1778348,1778404,1778424,1778426,1778582,1778600,1779641,1779654,1779708,1779718,1779897,1779899,1780109,1780120,1780189,1780196,1780488,1780514-1780516,1780601,1780606,1780609-1780610,1780652,1780991,1780995-1780996,1781174,1781569,1781975,1781986,1782116,1782383-1782384,1782566,1782572,1782775,1782779,1782814,1782857,1782868,1782934,1782946-1782947,1782956,1783144-1783147,1783155,1783408,1784182,1784565,1784583,1784657,1784669,1784712,1784723,1784751,1784767,1784806,1784818,1784911,1784926,1784956,1784963,1785032,1785037,1785245,1785271,1785310,1785317,1785643,1785667,1785762,1785774,1785823,1785935,1786051,1786070,1786123-1786124,1786127,1786129,1786341,1786378,1786844,1787200,1787250,1787405,1787701,1787703,1787938,1787959,1787973,1788223-1788224,1788228,1788232,1788241-1788242,1788248,1788323,1788328,1788455,1788460,1788473,1788543-1788544,1788548,1788550,1788554,1788558,1788560,1788567,1788569,1788572,1788647,1788732,1788741,1788747,17887
 53,1788764,1788771,1788834,1788841,1788852,1788860,1788883,1788890,1789051,1789400,1789415,1789442-1789443,1789447,1789453,1789456,1789458,1789461-1789463,1789465-1789467,1789470,1789472,1789474,1789476,1789479-1789480,1789733,1789735,1789744-1789745,1789937,1789984,1790119,1790180,1790183,1790376,1790614,1790983,1790991,1791050,1791090,1791095-1791096,1791099,1791101-1791103,1791124,1791129,1791134,1791137,1791298,1791527,1791557,1791970,1792033,1792038,1792055,1792093,1792140
+/tomcat/trunk:1734785,1734799,1734845,1734928,1735041,1735044,1735480,1735577,1735597,1735599-1735600,1735615,1736145,1736162,1736209,1736280,1736297,1736299,1736489,1736646,1736703,1736836,1736849,1737104-1737105,1737112,1737117,1737119-1737120,1737155,1737157,1737192,1737280,1737339,1737632,1737664,1737715,1737748,1737785,1737834,1737860,1737903,1737959,1738005,1738007,1738014-1738015,1738018,1738022,1738039,1738043,1738059-1738060,1738147,1738149,1738174-1738175,1738261,1738589,1738623-1738625,1738643,1738816,1738850,1738855,1738946-1738948,1738953-1738954,1738979,1738982,1739079-1739081,1739087,1739113,1739153,1739172,1739176,1739191,1739474,1739726,1739762,1739775,1739814,1739817-1739818,1739975,1740131,1740324,1740465,1740495,1740508-1740509,1740520,1740535,1740707,1740803,1740810,1740969,1740980,1740991,1740997,1741015,1741033,1741036,1741058,1741060,1741080,1741147,1741159,1741164,1741173,1741181,1741190,1741197,1741202,1741208,1741213,1741221,1741225,1741232,1741409,1741501
 ,1741677,1741892,1741896,1741984,1742023,1742042,1742071,1742090,1742093,1742101,1742105,1742111,1742139,1742146,1742148,1742166,1742181,1742184,1742187,1742246,1742248-1742251,1742263-1742264,1742268,1742276,1742369,1742387,1742448,1742509-1742512,1742917,1742919,1742933,1742975-1742976,1742984,1742986,1743019,1743115,1743117,1743124-1743125,1743134,1743425,1743554,1743679,1743696-1743698,1743700-1743701,1744058,1744064-1744065,1744125,1744194,1744229,1744270,1744323,1744432,1744684,1744697,1744705,1744713,1744760,1744786,1745083,1745142-1745143,1745145,1745177,1745179-1745180,1745227,1745248,1745254,1745337,1745467,1745473,1745535,1745576,1745735,1745744,1746304,1746306-1746307,1746319,1746327,1746338,1746340-1746341,1746344,1746427,1746441,1746473,1746490,1746492,1746495-1746496,1746499-1746501,1746503-1746507,1746509,1746549,1746551,1746554,1746556,1746558,1746584,1746620,1746649,1746724,1746939,1746989,1747014,1747028,1747035,1747210,1747225,1747234,1747253,1747404,1747506,1747
 536,1747924,1747980,1747993,1748001,1748253,1748452,1748547,1748629,1748676,1748715,1749287,1749296,1749328,1749373,1749465,1749506,1749508,1749665-1749666,1749763,1749865-1749866,1749898,1749978,1749980,1750011,1750015,1750056,1750480,1750617,1750634,1750692,1750697,1750700,1750703,1750707,1750714,1750718,1750723,1750774,1750899,1750975,1750995,1751061,1751097,1751173,1751438,1751447,1751463,1751702,1752212,1752737,1752745,1753078,1753080,1753358,1753363,1754111,1754140-1754141,1754281,1754310,1754445,1754467,1754494,1754496,1754528,1754532-1754533,1754613,1754714,1754874,1754941,1754944,1754950-1754951,1755005,1755007,1755009,1755132,1755180-1755181,1755185,1755190,1755204-1755206,1755208,1755214,1755224,1755227,1755230,1755629,1755646-1755647,1755650,1755653,1755675,1755680,1755683,1755693,1755717,1755731-1755737,1755812,1755828,1755884,1755890,1755918-1755919,1755942,1755958,1755960,1755970,1755993,1756013,1756019,1756039,1756056,1756083-1756114,1756175,1756288-1756289,1756408-1
 756410,1756778,1756798,1756878,1756898,1756939,1757123-1757124,1757126,1757128,1757132-1757133,1757136,1757145,1757167-1757168,1757175,1757180,1757182,1757195,1757271,1757278,1757347,1757353-1757354,1757363,1757374,1757399,1757406,1757408,1757485,1757495,1757499,1757527,1757578,1757684,1757722,1757727,1757790,1757799,1757813,1757853,1757883,1757903,1757976,1757997,1758000,1758058,1758072-1758075,1758078-1758079,1758223,1758257,1758261,1758276,1758292,1758369,1758378-1758383,1758421,1758423,1758425-1758427,1758430,1758443,1758448,1758459,1758483,1758486-1758487,1758499,1758525,1758556,1758580,1758582,1758584,1758588,1758842,1759019,1759212,1759224,1759227,1759252,1759274,1759513-1759516,1759611,1759757,1759785-1759790,1760005,1760022,1760109-1760110,1760135,1760200-1760201,1760227,1760300,1760397,1760446,1760454,1760640,1760648,1761057,1761422,1761491,1761498,1761500-1761501,1761550,1761553,1761572,1761574,1761625-1761626,1761628,1761682,1761740,1761752,1762051-1762053,1762123,176216
 8,1762172,1762182,1762201-1762202,1762204,1762208,1762288,1762296,1762324,1762348,1762353,1762362,1762374,1762492,1762503,1762505,1762541,1762608,1762710,1762753,1762766,1762769,1762944,1762947,1762953,1763167,1763179,1763232,1763259,1763271-1763272,1763276-1763277,1763319-1763320,1763370,1763372,1763375,1763377,1763393,1763412,1763430,1763450,1763462,1763505,1763511-1763512,1763516,1763518,1763520,1763529,1763559,1763565,1763568,1763574,1763619,1763634-1763635,1763718,1763786,1763798-1763799,1763810,1763813,1763815,1763819,1763831,1764083,1764425,1764646,1764648-1764649,1764659,1764663,1764682,1764862,1764866-1764867,1764870,1764897,1765133,1765299,1765358,1765439,1765447,1765495,1765502,1765569-1765571,1765579,1765582,1765589-1765590,1765794,1765801,1765813,1765815,1766276,1766514,1766533,1766535,1766664,1766675,1766698,1766700,1766822,1766834,1766840,1767047,1767328,1767362,1767368,1767429,1767471,1767505,1767641-1767644,1767903,1767945-1767946,1768123,1768283,1768520,1768569,176
 8651,1768762,1768922,1769191,1769263,1769630,1769833,1769975,1770047,1770140,1770180,1770258,1770389,1770656,1770666,1770718,1770762,1770952,1770954,1770956,1770961,1771087,1771126,1771139,1771143,1771149,1771156,1771266,1771316,1771386,1771611,1771613,1771711,1771718,1771723-1771724,1771730,1771743,1771752,1771853,1771963,1772170,1772174,1772223,1772229,1772318-1772319,1772353,1772355,1772554,1772603-1772609,1772849,1772865,1772870,1772872,1772875-1772876,1772881,1772886,1772947,1773306,1773344,1773418,1773756,1773813-1773814,1774052,1774102,1774131,1774161,1774164,1774248,1774253,1774257,1774259,1774262,1774267,1774271,1774303,1774340,1774406,1774412,1774426,1774433,1774522-1774523,1774526,1774528-1774529,1774531,1774732-1774736,1774738-1774739,1774741-1774742,1774749,1774755,1774789,1774858,1774867,1775596,1775985-1775986,1776540,1776937,1776954,1777011,1777173,1777189,1777211,1777524,1777546,1777605,1777619,1777647,1777721-1777722,1777967,1778061,1778138-1778139,1778141-1778150,
 1778154,1778275-1778276,1778295,1778342,1778348,1778404,1778424,1778426,1778582,1778600,1779641,1779654,1779708,1779718,1779897,1779899,1780109,1780120,1780189,1780196,1780488,1780514-1780516,1780601,1780606,1780609-1780610,1780652,1780991,1780995-1780996,1781174,1781569,1781975,1781986,1782116,1782383-1782384,1782566,1782572,1782775,1782779,1782814,1782857,1782868,1782934,1782946-1782947,1782956,1783144-1783147,1783155,1783408,1784182,1784565,1784583,1784657,1784669,1784712,1784723,1784751,1784767,1784806,1784818,1784911,1784926,1784956,1784963,1785032,1785037,1785245,1785271,1785310,1785317,1785643,1785667,1785762,1785774,1785823,1785935,1786051,1786070,1786123-1786124,1786127,1786129,1786341,1786378,1786844,1787200,1787250,1787405,1787701,1787703,1787938,1787959,1787973,1788223-1788224,1788228,1788232,1788241-1788242,1788248,1788323,1788328,1788455,1788460,1788473,1788543-1788544,1788548,1788550,1788554,1788558,1788560,1788567,1788569,1788572,1788647,1788732,1788741,1788747,17887
 53,1788764,1788771,1788834,1788841,1788852,1788860,1788883,1788890,1789051,1789400,1789415,1789442-1789443,1789447,1789453,1789456,1789458,1789461-1789463,1789465-1789467,1789470,1789472,1789474,1789476,1789479-1789480,1789733,1789735,1789744-1789745,1789937,1789984,1790119,1790180,1790183,1790376,1790614,1790983,1790991,1791050,1791090,1791095-1791096,1791099,1791101-1791103,1791124,1791129,1791134,1791137,1791298,1791527,1791557,1791970,1792033,1792038,1792055,1792093,1792140,1792460

Modified: tomcat/tc8.5.x/trunk/java/org/apache/catalina/manager/HTMLManagerServlet.java
URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/catalina/manager/HTMLManagerServlet.java?rev=1792461&r1=1792460&r2=1792461&view=diff
==============================================================================
--- tomcat/tc8.5.x/trunk/java/org/apache/catalina/manager/HTMLManagerServlet.java (original)
+++ tomcat/tc8.5.x/trunk/java/org/apache/catalina/manager/HTMLManagerServlet.java Mon Apr
24 12:09:00 2017
@@ -78,7 +78,6 @@ public final class HTMLManagerServlet ex
 
     private static final long serialVersionUID = 1L;
 
-    static final URLEncoder URL_ENCODER;
     static final String APPLICATION_MESSAGE = "message";
     static final String APPLICATION_ERROR = "error";
 
@@ -86,12 +85,6 @@ public final class HTMLManagerServlet ex
     static final String sessionDetailJspPath = "/WEB-INF/jsp/sessionDetail.jsp";
     static final String connectorCiphersJspPath = "/WEB-INF/jsp/connectorCiphers.jsp";
 
-    static {
-        URL_ENCODER = new URLEncoder();
-        // '/' should not be encoded in context paths
-        URL_ENCODER.addSafeCharacter('/');
-    }
-
     private boolean showProxySessions = false;
 
     // --------------------------------------------------------- Public Methods
@@ -430,10 +423,10 @@ public final class HTMLManagerServlet ex
 
                 StringBuilder tmp = new StringBuilder();
                 tmp.append("path=");
-                tmp.append(URL_ENCODER.encode(displayPath, "UTF-8"));
+                tmp.append(URLEncoder.DEFAULT.encode(displayPath, "UTF-8"));
                 if (ctxt.getWebappVersion().length() > 0) {
                     tmp.append("&version=");
-                    tmp.append(URL_ENCODER.encode(ctxt.getWebappVersion(), "UTF-8"));
+                    tmp.append(URLEncoder.DEFAULT.encode(ctxt.getWebappVersion(), "UTF-8"));
                 }
                 String pathVersion = tmp.toString();
 
@@ -445,8 +438,8 @@ public final class HTMLManagerServlet ex
                 }
 
                 args = new Object[7];
-                args[0] = "<a href=\"" + URL_ENCODER.encode(contextPath + "/", "UTF-8")
-                        + "\">" + RequestUtil.filter(displayPath) + "</a>";
+                args[0] = "<a href=\"" + URLEncoder.DEFAULT.encode(contextPath + "/",
"UTF-8") +
+                        "\">" + RequestUtil.filter(displayPath) + "</a>";
                 if ("".equals(ctxt.getWebappVersion())) {
                     args[1] = noVersion;
                 } else {

Modified: tomcat/tc8.5.x/trunk/java/org/apache/catalina/ssi/SSIMediator.java
URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/catalina/ssi/SSIMediator.java?rev=1792461&r1=1792460&r2=1792461&view=diff
==============================================================================
--- tomcat/tc8.5.x/trunk/java/org/apache/catalina/ssi/SSIMediator.java (original)
+++ tomcat/tc8.5.x/trunk/java/org/apache/catalina/ssi/SSIMediator.java Mon Apr 24 12:09:00
2017
@@ -43,7 +43,6 @@ public class SSIMediator {
     protected static final String DEFAULT_CONFIG_ERR_MSG = "[an error occurred while processing
this directive]";
     protected static final String DEFAULT_CONFIG_TIME_FMT = "%A, %d-%b-%Y %T %Z";
     protected static final String DEFAULT_CONFIG_SIZE_FMT = "abbrev";
-    protected static final URLEncoder urlEncoder;
     protected String configErrMsg = DEFAULT_CONFIG_ERR_MSG;
     protected String configTimeFmt = DEFAULT_CONFIG_TIME_FMT;
     protected String configSizeFmt = DEFAULT_CONFIG_SIZE_FMT;
@@ -52,22 +51,6 @@ public class SSIMediator {
     protected final long lastModifiedDate;
     protected Strftime strftime;
     protected final SSIConditionalState conditionalState = new SSIConditionalState();
-    static {
-        //We try to encode only the same characters that apache does
-        urlEncoder = new URLEncoder();
-        urlEncoder.addSafeCharacter(',');
-        urlEncoder.addSafeCharacter(':');
-        urlEncoder.addSafeCharacter('-');
-        urlEncoder.addSafeCharacter('_');
-        urlEncoder.addSafeCharacter('.');
-        urlEncoder.addSafeCharacter('*');
-        urlEncoder.addSafeCharacter('/');
-        urlEncoder.addSafeCharacter('!');
-        urlEncoder.addSafeCharacter('~');
-        urlEncoder.addSafeCharacter('\'');
-        urlEncoder.addSafeCharacter('(');
-        urlEncoder.addSafeCharacter(')');
-    }
 
 
     public SSIMediator(SSIExternalResolver ssiExternalResolver,
@@ -296,7 +279,7 @@ public class SSIMediator {
     protected String encode(String value, String encoding) {
         String retVal = null;
         if (encoding.equalsIgnoreCase("url")) {
-            retVal = urlEncoder.encode(value, "UTF-8");
+            retVal = URLEncoder.DEFAULT.encode(value, "UTF-8");
         } else if (encoding.equalsIgnoreCase("none")) {
             retVal = value;
         } else if (encoding.equalsIgnoreCase("entity")) {

Modified: tomcat/tc8.5.x/trunk/java/org/apache/catalina/util/URLEncoder.java
URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/catalina/util/URLEncoder.java?rev=1792461&r1=1792460&r2=1792461&view=diff
==============================================================================
--- tomcat/tc8.5.x/trunk/java/org/apache/catalina/util/URLEncoder.java (original)
+++ tomcat/tc8.5.x/trunk/java/org/apache/catalina/util/URLEncoder.java Mon Apr 24 12:09:00
2017
@@ -39,17 +39,69 @@ public class URLEncoder {
      'A', 'B', 'C', 'D', 'E', 'F'};
 
     public static final URLEncoder DEFAULT = new URLEncoder();
+    public static final URLEncoder QUERY = new URLEncoder();
+
     static {
-        DEFAULT.addSafeCharacter('~');
+        /*
+         * Encoder for URI paths, so from the spec:
+         *
+         * pchar = unreserved / pct-encoded / sub-delims / ":" / "@"
+         *
+         * unreserved  = ALPHA / DIGIT / "-" / "." / "_" / "~"
+         *
+         * sub-delims = "!" / "$" / "&" / "'" / "(" / ")"
+         *              / "*" / "+" / "," / ";" / "="
+         */
+        // ALPHA and DIGIT are always treated as safe characters
+        // Add the remaining unreserved characters
         DEFAULT.addSafeCharacter('-');
-        DEFAULT.addSafeCharacter('_');
         DEFAULT.addSafeCharacter('.');
+        DEFAULT.addSafeCharacter('_');
+        DEFAULT.addSafeCharacter('~');
+        // Add the sub-delims
+        DEFAULT.addSafeCharacter('!');
+        DEFAULT.addSafeCharacter('$');
+        DEFAULT.addSafeCharacter('&');
+        DEFAULT.addSafeCharacter('\'');
+        DEFAULT.addSafeCharacter('(');
+        DEFAULT.addSafeCharacter(')');
         DEFAULT.addSafeCharacter('*');
+        DEFAULT.addSafeCharacter('+');
+        DEFAULT.addSafeCharacter(',');
+        DEFAULT.addSafeCharacter(';');
+        DEFAULT.addSafeCharacter('=');
+        // Add the remaining literals
+        DEFAULT.addSafeCharacter(':');
+        DEFAULT.addSafeCharacter('@');
+        // Add '/' so it isn't encoded when we encode a path
         DEFAULT.addSafeCharacter('/');
+
+        /*
+         * Encoder for query strings
+         * https://www.w3.org/TR/html5/forms.html#application/x-www-form-urlencoded-encoding-algorithm
+         * 0x20 ' ' -> '+'
+         * 0x2A, 0x2D, 0x2E, 0x30 to 0x39, 0x41 to 0x5A, 0x5F, 0x61 to 0x7A as-is
+         * '*',  '-',  '.',  '0'  to '9',  'A'  to 'Z',  '_',  'a'  to 'z'
+         * Also '=' and '&' are not encoded
+         * Everything else %nn encoded
+         */
+        // Special encoding for space
+        QUERY.setEncodeSpaceAsPlus(true);
+        // Alpha and digit are safe by default
+        // Add the other permitted characters
+        QUERY.addSafeCharacter('*');
+        QUERY.addSafeCharacter('-');
+        QUERY.addSafeCharacter('.');
+        QUERY.addSafeCharacter('_');
+        QUERY.addSafeCharacter('=');
+        QUERY.addSafeCharacter('&');
     }
 
     //Array containing the safe characters set.
-    protected final BitSet safeCharacters = new BitSet(256);
+    private final BitSet safeCharacters = new BitSet(256);
+
+    private boolean encodeSpaceAsPlus = false;
+
 
     public URLEncoder() {
         for (char i = 'a'; i <= 'z'; i++) {
@@ -63,11 +115,17 @@ public class URLEncoder {
         }
     }
 
+
     public void addSafeCharacter( char c ) {
         safeCharacters.set( c );
     }
 
 
+    public void setEncodeSpaceAsPlus(boolean encodeSpaceAsPlus) {
+        this.encodeSpaceAsPlus = encodeSpaceAsPlus;
+    }
+
+
     /**
      * URL encodes the provided path using UTF-8.
      *
@@ -107,6 +165,8 @@ public class URLEncoder {
             int c = path.charAt(i);
             if (safeCharacters.get(c)) {
                 rewrittenPath.append((char)c);
+            } else if (encodeSpaceAsPlus && c == ' ') {
+                rewrittenPath.append('+');
             } else {
                 // convert to external encoding before hex conversion
                 try {

Modified: tomcat/tc8.5.x/trunk/java/org/apache/catalina/valves/rewrite/RewriteValve.java
URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/catalina/valves/rewrite/RewriteValve.java?rev=1792461&r1=1792460&r2=1792461&view=diff
==============================================================================
--- tomcat/tc8.5.x/trunk/java/org/apache/catalina/valves/rewrite/RewriteValve.java (original)
+++ tomcat/tc8.5.x/trunk/java/org/apache/catalina/valves/rewrite/RewriteValve.java Mon Apr
24 12:09:00 2017
@@ -55,45 +55,6 @@ import org.apache.tomcat.util.http.Reque
 
 public class RewriteValve extends ValveBase {
 
-    static URLEncoder ENCODER = new URLEncoder();
-    static {
-        /*
-         * Replicates httpd's encoding
-         * Primarily aimed at encoding URI paths, so from the spec:
-         *
-         * pchar = unreserved / pct-encoded / sub-delims / ":" / "@"
-         *
-         * unreserved  = ALPHA / DIGIT / "-" / "." / "_" / "~"
-         *
-         * sub-delims = "!" / "$" / "&" / "'" / "(" / ")"
-         *              / "*" / "+" / "," / ";" / "="
-         */
-        // ALPHA and DIGIT are always treated as safe characters
-        // Add the remaining unreserved characters
-        ENCODER.addSafeCharacter('-');
-        ENCODER.addSafeCharacter('.');
-        ENCODER.addSafeCharacter('_');
-        ENCODER.addSafeCharacter('~');
-        // Add the sub-delims
-        ENCODER.addSafeCharacter('!');
-        ENCODER.addSafeCharacter('$');
-        ENCODER.addSafeCharacter('&');
-        ENCODER.addSafeCharacter('\'');
-        ENCODER.addSafeCharacter('(');
-        ENCODER.addSafeCharacter(')');
-        ENCODER.addSafeCharacter('*');
-        ENCODER.addSafeCharacter('+');
-        ENCODER.addSafeCharacter(',');
-        ENCODER.addSafeCharacter(';');
-        ENCODER.addSafeCharacter('=');
-        // Add the remaining literals
-        ENCODER.addSafeCharacter(':');
-        ENCODER.addSafeCharacter('@');
-        // Add '/' so it isn't encoded when we encode a path
-        ENCODER.addSafeCharacter('/');
-    }
-
-
     /**
      * The rewrite rules that the valve will use.
      */
@@ -399,7 +360,7 @@ public class RewriteValve extends ValveB
                     }
 
                     StringBuffer urlStringEncoded =
-                            new StringBuffer(ENCODER.encode(urlStringDecoded, uriEncoding));
+                            new StringBuffer(URLEncoder.DEFAULT.encode(urlStringDecoded,
uriEncoding));
                     if (originalQueryStringEncoded != null &&
                             originalQueryStringEncoded.length() > 0) {
                         if (rewrittenQueryStringDecoded == null) {
@@ -409,8 +370,8 @@ public class RewriteValve extends ValveB
                             if (qsa) {
                                 // if qsa is specified append the query
                                 urlStringEncoded.append('?');
-                                urlStringEncoded.append(
-                                        ENCODER.encode(rewrittenQueryStringDecoded, uriEncoding));
+                                urlStringEncoded.append(URLEncoder.QUERY.encode(
+                                        rewrittenQueryStringDecoded, uriEncoding));
                                 urlStringEncoded.append('&');
                                 urlStringEncoded.append(originalQueryStringEncoded);
                             } else if (index == urlStringEncoded.length() - 1) {
@@ -419,14 +380,14 @@ public class RewriteValve extends ValveB
                                 urlStringEncoded.deleteCharAt(index);
                             } else {
                                 urlStringEncoded.append('?');
-                                urlStringEncoded.append(
-                                        ENCODER.encode(rewrittenQueryStringDecoded, uriEncoding));
+                                urlStringEncoded.append(URLEncoder.QUERY.encode(
+                                        rewrittenQueryStringDecoded, uriEncoding));
                             }
                         }
                     } else if (rewrittenQueryStringDecoded != null) {
                         urlStringEncoded.append('?');
                         urlStringEncoded.append(
-                                ENCODER.encode(rewrittenQueryStringDecoded, uriEncoding));
+                                URLEncoder.QUERY.encode(rewrittenQueryStringDecoded, uriEncoding));
                     }
 
                     // Insert the context if
@@ -524,7 +485,7 @@ public class RewriteValve extends ValveB
                         // This is neither decoded nor normalized
                         chunk.append(contextPath);
                     }
-                    chunk.append(ENCODER.encode(urlStringDecoded, uriEncoding));
+                    chunk.append(URLEncoder.DEFAULT.encode(urlStringDecoded, uriEncoding));
                     request.getCoyoteRequest().requestURI().toChars();
                     // Decoded and normalized URI
                     // Rewriting may have denormalized the URL
@@ -543,7 +504,7 @@ public class RewriteValve extends ValveB
                         request.getCoyoteRequest().queryString().setString(null);
                         chunk = request.getCoyoteRequest().queryString().getCharChunk();
                         chunk.recycle();
-                        chunk.append(ENCODER.encode(queryStringDecoded, uriEncoding));
+                        chunk.append(URLEncoder.QUERY.encode(queryStringDecoded, uriEncoding));
                         if (qsa && originalQueryStringEncoded != null &&
                                 originalQueryStringEncoded.length() > 0) {
                             chunk.append('&');

Modified: tomcat/tc8.5.x/trunk/java/org/apache/catalina/valves/rewrite/Substitution.java
URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/catalina/valves/rewrite/Substitution.java?rev=1792461&r1=1792460&r2=1792461&view=diff
==============================================================================
--- tomcat/tc8.5.x/trunk/java/org/apache/catalina/valves/rewrite/Substitution.java (original)
+++ tomcat/tc8.5.x/trunk/java/org/apache/catalina/valves/rewrite/Substitution.java Mon Apr
24 12:09:00 2017
@@ -20,6 +20,8 @@ import java.util.ArrayList;
 import java.util.Map;
 import java.util.regex.Matcher;
 
+import org.apache.catalina.util.URLEncoder;
+
 public class Substitution {
 
     public abstract class SubstitutionElement {
@@ -49,7 +51,7 @@ public class Substitution {
                 //       We might want to consider providing a dedicated decoder
                 //       with an option to add additional safe characters to
                 //       provide users with more flexibility
-                return RewriteValve.ENCODER.encode(result, resolver.getUriEncoding());
+                return URLEncoder.DEFAULT.encode(result, resolver.getUriEncoding());
             } else {
                 return result;
             }

Modified: tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml?rev=1792461&r1=1792460&r2=1792461&view=diff
==============================================================================
--- tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml Mon Apr 24 12:09:00 2017
@@ -54,6 +54,15 @@
       </add>
     </changelog>
   </subsection>
+  <subsection name="Catalina">
+    <changelog>
+      <fix>
+        Review those places where Tomcat re-encodes a URI or URI component and
+        ensure that that correct encoding (path differs from query string) is
+        applied and that the encoding is applied consistently. (markt)
+      </fix>
+    </changelog>
+  </subsection>
   <subsection name="Jasper">
     <changelog>
       <fix>



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message