tomcat-users mailing list archives

From Dirk Ooms <dir...@gmail.com>
Subject Re: tomcat9 j_security_check request.getRequestURI() incorrect after POST
Date Fri, 04 May 2018 07:17:55 GMT
Thanks for fixing this. Happy to help.

On 3 May 2018 at 21:31, Mark Thomas <markt@apache.org> wrote:

> On 03/05/18 20:17, Mark Thomas wrote:
> > On 02/05/18 16:08, Dirk Ooms wrote:
> >> Mark,
> >>
> >> you can reproduce it using the FormAuthentication example in the
> >> examples (http://localhost:8080/examples/jsp/security/protected/)
> >>
> >> edit index.jsp
> >> 1. add the line "RequestURI: <%= request.getRequestURI() %><br><br>" in
> >> begin of body
> >> 2. change the method of the form from GET to POST
> >>
> >> scenario:
> >> 1. go to http://localhost:8080/examples/jsp/security/protected/
> >> 2. log in
> >> 3. open second tab/window to same url
> >> 4. log out in second tab/window
> >> 5. go to initial window and submit form
> >> 6. log in again
> >> 7. observe the malformed requestURI
> >
> > Thanks for the reproduction steps. They were a huge help.
> >
> > This was introduced in 8.5.x with some refactoring that reduced copying
> > between I/O buffers during request processing. Essentially, the saved
> > request body was over-writing the cached bytes for the URI.
>
> Correction. It affects 8.0.x and earlier as well.
>
> I'll back port the fix for 8.0.x and 7.0.x.
>
> Mark
>
>
> >
> > I'll be committing a fix shortly which will be available in 9.0.9 and
> > 8.5.32 onwards.
> >
> > Mark
> >
> >
> >>
> >> see also attached screenshots (if they make it to the mailing list).
> >>
> >> dirk
> >>
> >>
> >> On 1 May 2018 at 16:20, Dirk Ooms <dirk42@gmail.com
> >> <mailto:dirk42@gmail.com>> wrote:
> >>
> >>     apologies for the incomplete info. it is tomcat 9.0.6
> >>
> >>     i will try to set up a test case and get back to you.
> >>
> >>     dirk
> >>
> >>
> >>     On 1 May 2018 at 16:07, Mark Thomas <markt@apache.org
> >>     <mailto:markt@apache.org>> wrote:
> >>
> >>         On 01/05/18 14:36, Dirk Ooms wrote:
> >>         > Hello,
> >>         >
> >>         > i did an upgrade from tomcat5.5 to tomcat9 and i'm using j_security_check.
> >>         >
> >>         > in tomcat5.5 when a user was not logged in and he/she requested a url, the
> >>         > login page was returned and after logging in the user was given the
> >>         > requested resource. when i requested request.getRequestURI() in my code the
> >>         > returned uri was correct for both GET and POST.
> >>         >
> >>         > in tomcat9 this is not the case anymore for POST (for GET still ok). when i
> >>         > call request.getRequestURI() after the user is logged in, it returns
> >>         > "chString" in my case, which is a part of the name of the first form field
> >>         > ("searchString") of the original POST.
> >>         >
> >>         > any idea? am i missing something?
> >>
> >>         The exact Tomcat 9 version.
> >>
> >>         A test case that demonstrates the issue.
> >>
> >>         Mark
> >>
> >>         ---------------------------------------------------------------------
> >>         To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>         <mailto:users-unsubscribe@tomcat.apache.org>
> >>         For additional commands, e-mail: users-help@tomcat.apache.org
> >>         <mailto:users-help@tomcat.apache.org>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >
> >
> >
>
>
>
>
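
The cause given in the thread (the saved request body overwriting the cached bytes for the URI), as an added example that is not part of the thread and is not Tomcat's code: a simplified Java model in which the URI is an offset/length view into a reused input buffer. The class, field and method names and the sample request line and body are assumptions made up for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

// Simplified model (an assumption, not Tomcat source): the request URI is
// kept as an offset/length view into the connector's input buffer.
public class SharedBufferUriDemo {

    static final class Request {
        final byte[] inputBuffer = new byte[64]; // shared I/O buffer
        int uriStart, uriLength;                 // zero-copy view of the URI
        byte[] uriCopy;                          // set only by the corrected variant

        void parseRequestLine(String line) {
            byte[] raw = line.getBytes(StandardCharsets.ISO_8859_1);
            System.arraycopy(raw, 0, inputBuffer, 0, raw.length);
            uriStart = line.indexOf(' ') + 1;
            uriLength = line.indexOf(' ', uriStart) - uriStart;
        }

        // Replays the POST body that was saved before the login page was shown.
        void restoreSavedBody(String body, boolean detachUriFirst) {
            if (detachUriFirst) {
                // Corrected variant: copy the URI out before the buffer is reused.
                uriCopy = Arrays.copyOfRange(inputBuffer, uriStart, uriStart + uriLength);
            }
            byte[] raw = body.getBytes(StandardCharsets.ISO_8859_1);
            System.arraycopy(raw, 0, inputBuffer, 0, raw.length);
        }

        String getRequestURI() {
            if (uriCopy != null) {
                return new String(uriCopy, StandardCharsets.ISO_8859_1);
            }
            // Still reads through the view, so it returns whatever the buffer holds now.
            return new String(inputBuffer, uriStart, uriLength, StandardCharsets.ISO_8859_1);
        }
    }

    static String replay(boolean detachUriFirst) {
        Request r = new Request();
        r.parseRequestLine("POST /search HTTP/1.1");               // constructed sample
        r.restoreSavedBody("searchString=tomcat", detachUriFirst); // constructed sample
        return r.getRequestURI();
    }

    public static void main(String[] args) {
        System.out.println("view into reused buffer: " + replay(false));
        System.out.println("URI copied before reuse: " + replay(true));
    }
}
```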
