Posted to dev@tomcat.apache.org by cs...@apache.org on 2017/02/08 19:40:52 UTC
svn commit: r1782240 - in /tomcat/tc8.5.x/trunk: conf/catalina.properties
java/org/apache/tomcat/util/http/parser/HttpParser.java
java/org/apache/tomcat/util/http/parser/LocalStrings.properties
webapps/docs/config/systemprops.xml
Author: csutherl
Date: Wed Feb 8 19:40:51 2017
New Revision: 1782240
URL: http://svn.apache.org/viewvc?rev=1782240&view=rev
Log:
Follow-up commit for r1782037, adding warnings and StringManager
Modified:
tomcat/tc8.5.x/trunk/conf/catalina.properties
tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/http/parser/HttpParser.java
tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/http/parser/LocalStrings.properties
tomcat/tc8.5.x/trunk/webapps/docs/config/systemprops.xml
Modified: tomcat/tc8.5.x/trunk/conf/catalina.properties
URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/conf/catalina.properties?rev=1782240&r1=1782239&r2=1782240&view=diff
==============================================================================
--- tomcat/tc8.5.x/trunk/conf/catalina.properties (original)
+++ tomcat/tc8.5.x/trunk/conf/catalina.properties Wed Feb 8 19:40:51 2017
@@ -148,4 +148,5 @@ tomcat.util.buf.StringCache.byte.enabled
#tomcat.util.buf.StringCache.cacheSize=5000
# Allow for changes to HTTP request validation
+# WARNING: Using this option will expose the server to CVE-2016-6816
#tomcat.util.http.parser.HttpParser.requestTargetAllow=|
Modified: tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/http/parser/HttpParser.java
URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/http/parser/HttpParser.java?rev=1782240&r1=1782239&r2=1782240&view=diff
==============================================================================
--- tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/http/parser/HttpParser.java (original)
+++ tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/http/parser/HttpParser.java Wed Feb 8 19:40:51 2017
@@ -22,6 +22,8 @@ import java.io.StringReader;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
+import org.apache.tomcat.util.res.StringManager;
+
/**
* HTTP header value parser implementation. Parsing HTTP headers as per RFC2616
* is not always as simple as it first appears. For headers that only use tokens
@@ -37,6 +39,8 @@ import org.apache.juli.logging.LogFactor
*/
public class HttpParser {
+ private static final StringManager sm = StringManager.getManager(HttpParser.class);
+
private static final Log log = LogFactory.getLog(HttpParser.class);
private static final int ARRAY_SIZE = 128;
@@ -57,8 +61,7 @@ public class HttpParser {
if (c == '{' || c == '}' || c == '|') {
REQUEST_TARGET_ALLOW[c] = true;
} else {
- log.warn("HttpParser: Character '" + c + "' is not allowed and will continue "
- + "being rejected.");
+ log.warn(sm.getString("httpparser.invalidRequestTargetCharacter", c));
}
}
}
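Review bot: The warning added in this hunk covers only the rejected branch; the branch at the top of the hunk that sets `REQUEST_TARGET_ALLOW[c] = true` for `{`, `}` and `|` still logs nothing, even though the same commit's catalina.properties comment states that enabling these characters exposes the server to CVE-2016-6816. An operator reading the logs therefore gets no record that request-target validation was relaxed at startup, which is exactly the event worth surfacing. Consider a warning in that branch too, `log.warn(sm.getString("httpparser.requestTargetAllowEnabled", c));`, with a matching message added to LocalStrings.properties (the key name is a proposal, not an existing one). The enclosing static initializer starts before this hunk, so whether the closing braces here end the loop and the block is inferred from the indentation.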
Modified: tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/http/parser/LocalStrings.properties
URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/http/parser/LocalStrings.properties?rev=1782240&r1=1782239&r2=1782240&view=diff
==============================================================================
--- tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/http/parser/LocalStrings.properties (original)
+++ tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/http/parser/LocalStrings.properties Wed Feb 8 19:40:51 2017
@@ -17,4 +17,5 @@ authorization.unknownType=Unknown Type [
cookie.fallToDebug=Note: further occurrences of this error will be logged at DEBUG level.
cookie.invalidCookieValue=A cookie header was received [{0}] that contained an invalid cookie. That cookie will be ignored.
cookie.invalidCookieVersion=A cookie header was received using an unrecognised cookie version of [{0}]. The header and the cookies it contains will be ignored.
-cookie.valueNotPresent=<not present>
\ No newline at end of file
+cookie.valueNotPresent=<not present>
+httpparser.invalidRequestTargetCharacter=Character [{0}] is not allowed and will continue to be rejected.
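Review bot: The new `httpparser.invalidRequestTargetCharacter` message says a character was rejected but not which setting supplied it, so the log line cannot be traced back to the misconfiguration. The only source of these characters visible in the commit is the `tomcat.util.http.parser.HttpParser.requestTargetAllow` property shown in the catalina.properties hunk, so naming it would make the warning actionable, e.g. `httpparser.invalidRequestTargetCharacter=Character [{0}] is not allowed in tomcat.util.http.parser.HttpParser.requestTargetAllow and will continue to be rejected.` The argument passed from HttpParser.java is a boxed `char`, which MessageFormat renders via `toString`, so `[{0}]` needs no format style.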
Modified: tomcat/tc8.5.x/trunk/webapps/docs/config/systemprops.xml
URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/webapps/docs/config/systemprops.xml?rev=1782240&r1=1782239&r2=1782240&view=diff
==============================================================================
--- tomcat/tc8.5.x/trunk/webapps/docs/config/systemprops.xml (original)
+++ tomcat/tc8.5.x/trunk/webapps/docs/config/systemprops.xml Wed Feb 8 19:40:51 2017
@@ -644,6 +644,8 @@
These characters would normally result in a 400 status.</p>
<p>The acceptable characters for this property are: <code>|</code>, <code>{</code>
, and <code>}</code></p>
+ <p><strong>WARNING</strong>: Use of this option will expose the server to CVE-2016-6816.
+ </p>
<p>If not specified, the default value of <code>null</code> will be used.</p>
</property>