tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Thomas <ma...@apache.org>
Subject Re: tomcat9 j_security_check request.getRequestURI() incorrect after POST
Date Thu, 03 May 2018 19:31:03 GMT
On 03/05/18 20:17, Mark Thomas wrote:
> On 02/05/18 16:08, Dirk Ooms wrote:
>> Mark,
>>
>> you can reproduce it using the FormAuthentication example in the
>> examples (http://localhost:8080/examples/jsp/security/protected/)
>>
>> edit index.jsp
>> 1. add the line "RequestURI: <%= request.getRequestURI() %><br><br>"
in
>> begin of body
>> 2. change the method of the form from GET to POST
>>
>> scenario:
>> 1. go to http://localhost:8080/examples/jsp/security/protected/
>> 2. log in
>> 3. open second tab/window to same url
>> 4. log out in second tab/window
>> 5. go to initial window and submit form
>> 6. log in again
>> 7. observe the malformed requestURI
> 
> Thanks for the reproduction steps. They were a huge help.
> 
> This was introduced in 8.5.x with some refactoring that reduced copying
> between I/O buffers during request processing. Essentially, the saved
> request body was over-writing the cached bytes for the URI.

Correction. It affects 8.0.x and earlier as well.

I'll back port the fix for 8.0.x and 7.0.x.

Mark


> 
> I'll be committing a fix shortly which will be available in 9.0.9 and
> 8.5.32 onwards.
> 
> Mark
> 
> 
>>
>> see also attached screenshots (if they make it to the mailing list).
>>
>> dirk
>>
>>
>> On 1 May 2018 at 16:20, Dirk Ooms <dirk42@gmail.com
>> <mailto:dirk42@gmail.com>> wrote:
>>
>>     apologies for the incomplete info. it is tomcat 9.0.6
>>
>>     i will try to set up a test case and get back to you.
>>
>>     dirk
>>
>>
>>     On 1 May 2018 at 16:07, Mark Thomas <markt@apache.org
>>     <mailto:markt@apache.org>> wrote:
>>
>>         On 01/05/18 14:36, Dirk Ooms wrote:
>>         > Hello,
>>         > 
>>         > i did an upgrade from tomcat5.5 to tomcat9 and i'm using j_security_check.
>>         > 
>>         > in tomcat5.5 when a user was not logged in and he/she requested a url,
the
>>         > login page was returned and after logging in the user was given the
>>         > requested resource. when i requested request.getRequestURI() in my code
the
>>         > returned uri was correct for both GET and POST.
>>         > 
>>         > in tomcat9 this is not the case anymore for POST (for GET still ok).
when i
>>         > call request.getRequestURI() after the user is logged in, it returns
>>         > "chString" in my case, which is a part of the name of the first form
field
>>         > ("searchString") of the original POST.
>>         > 
>>         > any idea? am i missing something?
>>
>>         The exact Tomcat 9 version.
>>
>>         A test case that demonstrates the issue.
>>
>>         Mark
>>
>>         ---------------------------------------------------------------------
>>         To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>         <mailto:users-unsubscribe@tomcat.apache.org>
>>         For additional commands, e-mail: users-help@tomcat.apache.org
>>         <mailto:users-help@tomcat.apache.org>
>>
>>
>>
>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message