tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rémy Maucherat <r...@apache.org>
Subject Re: svn commit: r1733080 - in /tomcat/trunk: java/org/apache/tomcat/util/buf/UriUtil.java webapps/docs/changelog.xml
Date Tue, 01 Mar 2016 15:17:00 GMT
2016-03-01 15:57 GMT+01:00 Martin Grigorov <mgrigorov@apache.org>:

> Hi Mark,
>
> On Tue, Mar 1, 2016 at 3:37 PM, <markt@apache.org> wrote:
>
> > Author: markt
> > Date: Tue Mar  1 14:37:46 2016
> > New Revision: 1733080
> >
> > URL: http://svn.apache.org/viewvc?rev=1733080&view=rev
> > Log:
> > Expand the fix for BZ 59001 to cover the special sequences used in
> > Tomcat's custom jar:war: URL
> >
> > Modified:
> >     tomcat/trunk/java/org/apache/tomcat/util/buf/UriUtil.java
> >     tomcat/trunk/webapps/docs/changelog.xml
> >
> > Modified: tomcat/trunk/java/org/apache/tomcat/util/buf/UriUtil.java
> > URL:
> >
> http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/buf/UriUtil.java?rev=1733080&r1=1733079&r2=1733080&view=diff
> >
> >
> ==============================================================================
> > --- tomcat/trunk/java/org/apache/tomcat/util/buf/UriUtil.java (original)
> > +++ tomcat/trunk/java/org/apache/tomcat/util/buf/UriUtil.java Tue Mar  1
> > 14:37:46 2016
> > @@ -106,6 +106,9 @@ public final class UriUtil {
> >      private static String makeSafeForJarUrl(String input) {
> >
>
>
>
> >          // Since "!/" has a special meaning in a JAR URL, make sure that
> > the
> >          // sequence is properly escaped if present.
> > -        return input.replaceAll("!/", "%21/");
> > +        String tmp = input.replaceAll("!/", "%21/");
> > +        // Tomcat's custom jar:war: URL handling treats */ and ^/ as
> > special
> > +        tmp = tmp.replaceAll("^/", "%5e/");
> > +        return tmp.replaceAll("\\*/", "%2a/");
> >
>
> How often this method is expected to be called? I guess at least once per
> request.
>

No, it's supposed to be an init "scan" method, not a once per request.
OTOH, sometimes there are like thousands of jars, so if it's really that
slow ...

Rémy

>
> My concern is about the performance of String#replaceAll. It uses Regex and
> is slower than custom solutions like
>
> https://github.com/apache/wicket/blob/ffa34c6bfbd2ccd8340e23ff1601edd3e0e941d6/wicket-util/src/main/java/org/apache/wicket/util/string/Strings.java#L748
>
> When I don't have access to such util methods in the classpath then I
> prefer to pre-compile the Pattern as a constant and just match on it:
> e.g. PERCENT_21_PATTERN.matcher(input).replaceAll("%21/")
>
> Additionally I have the feeling that 'tmp.replaceAll("^/", "%5e/");' won't
> behave as desired. I think it would match for any String that starts with a
> slash because of '^'. You may need to Pattern.quote() it.
>
>
> >      }
> >  }
> >
> > Modified: tomcat/trunk/webapps/docs/changelog.xml
> > URL:
> >
> http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1733080&r1=1733079&r2=1733080&view=diff
> >
> >
> ==============================================================================
> > --- tomcat/trunk/webapps/docs/changelog.xml (original)
> > +++ tomcat/trunk/webapps/docs/changelog.xml Tue Mar  1 14:37:46 2016
> > @@ -107,6 +107,10 @@
> >          <bug>59001</bug>: Correctly handle the case when Tomcat is
> > installed on
> >          a path where one of the segments ends in an exclamation mark.
> > (markt)
> >        </fix>
> > +      <fix>
> > +        Expand the fix for <bug>59001</bug> to cover the special
> > sequences used
> > +        in Tomcat&apos;s custom jar:war: URLs. (markt)
> > +      </fix>
> >        <update>
> >          Switch to the web application class loader to the
> >          <code>ParallelWebappClassLoader</code> by default. (markt)
> >
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> > For additional commands, e-mail: dev-help@tomcat.apache.org
> >
> >
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message