Posted to dev@tomcat.apache.org by cs...@apache.org on 2017/02/08 19:40:52 UTC

svn commit: r1782240 - in /tomcat/tc8.5.x/trunk: conf/catalina.properties java/org/apache/tomcat/util/http/parser/HttpParser.java java/org/apache/tomcat/util/http/parser/LocalStrings.properties webapps/docs/config/systemprops.xml

Author: csutherl
Date: Wed Feb  8 19:40:51 2017
New Revision: 1782240

URL: http://svn.apache.org/viewvc?rev=1782240&view=rev
Log:
Follow-up commit for r1782037, adding warnings and StringManager

Modified:
    tomcat/tc8.5.x/trunk/conf/catalina.properties
    tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/http/parser/HttpParser.java
    tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/http/parser/LocalStrings.properties
    tomcat/tc8.5.x/trunk/webapps/docs/config/systemprops.xml

Modified: tomcat/tc8.5.x/trunk/conf/catalina.properties
URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/conf/catalina.properties?rev=1782240&r1=1782239&r2=1782240&view=diff
==============================================================================
--- tomcat/tc8.5.x/trunk/conf/catalina.properties (original)
+++ tomcat/tc8.5.x/trunk/conf/catalina.properties Wed Feb  8 19:40:51 2017
@@ -148,4 +148,5 @@ tomcat.util.buf.StringCache.byte.enabled
 #tomcat.util.buf.StringCache.cacheSize=5000
 
 # Allow for changes to HTTP request validation
+# WARNING: Using this option will expose the server to CVE-2016-6816
 #tomcat.util.http.parser.HttpParser.requestTargetAllow=|

Modified: tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/http/parser/HttpParser.java
URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/http/parser/HttpParser.java?rev=1782240&r1=1782239&r2=1782240&view=diff
==============================================================================
--- tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/http/parser/HttpParser.java (original)
+++ tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/http/parser/HttpParser.java Wed Feb  8 19:40:51 2017
@@ -22,6 +22,8 @@ import java.io.StringReader;
 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
 
+import org.apache.tomcat.util.res.StringManager;
+
 /**
  * HTTP header value parser implementation. Parsing HTTP headers as per RFC2616
  * is not always as simple as it first appears. For headers that only use tokens
@@ -37,6 +39,8 @@ import org.apache.juli.logging.LogFactor
  */
 public class HttpParser {
 
+    private static final StringManager sm = StringManager.getManager(HttpParser.class);
+
     private static final Log log = LogFactory.getLog(HttpParser.class);
 
     private static final int ARRAY_SIZE = 128;
@@ -57,8 +61,7 @@ public class HttpParser {
                 if (c == '{' || c == '}' || c == '|') {
                     REQUEST_TARGET_ALLOW[c] = true;
                 } else {
-                    log.warn("HttpParser: Character '" + c + "' is not allowed and will continue "
-                        + "being rejected.");
+                    log.warn(sm.getString("httpparser.invalidRequestTargetCharacter", c));
                 }
             }
         }
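Review bot: The branch that actually enables a risky character (`REQUEST_TARGET_ALLOW[c] = true;` under `if (c == '{' || c == '}' || c == '|')`) stays silent, while only the rejected-character case now logs; given that the same commit documents this option as exposing the server to CVE-2016-6816 in catalina.properties and systemprops.xml, the enabled case is the one an operator most needs to see in the logs. Consider logging a startup warning there too, e.g. `log.warn(sm.getString("httpparser.requestTargetAllowEnabled", c));` with a matching entry in LocalStrings.properties (key name chosen here, not taken from the tree), so the exposure is visible in a log review rather than only in a commented-out config line. The enclosing block, which appears to be a static initializer iterating over the configured characters, starts before this hunk, so the `requestTargetAllow` value being parsed is not visible here.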

Modified: tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/http/parser/LocalStrings.properties
URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/http/parser/LocalStrings.properties?rev=1782240&r1=1782239&r2=1782240&view=diff
==============================================================================
--- tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/http/parser/LocalStrings.properties (original)
+++ tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/http/parser/LocalStrings.properties Wed Feb  8 19:40:51 2017
@@ -17,4 +17,5 @@ authorization.unknownType=Unknown Type [
 cookie.fallToDebug=Note: further occurrences of this error will be logged at DEBUG level.
 cookie.invalidCookieValue=A cookie header was received [{0}] that contained an invalid cookie. That cookie will be ignored.
 cookie.invalidCookieVersion=A cookie header was received using an unrecognised cookie version of [{0}]. The header and the cookies it contains will be ignored.
-cookie.valueNotPresent=<not present>
\ No newline at end of file
+cookie.valueNotPresent=<not present>
+httpparser.invalidRequestTargetCharacter=Character [{0}] is not allowed and will continue to be rejected.

Modified: tomcat/tc8.5.x/trunk/webapps/docs/config/systemprops.xml
URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/webapps/docs/config/systemprops.xml?rev=1782240&r1=1782239&r2=1782240&view=diff
==============================================================================
--- tomcat/tc8.5.x/trunk/webapps/docs/config/systemprops.xml (original)
+++ tomcat/tc8.5.x/trunk/webapps/docs/config/systemprops.xml Wed Feb  8 19:40:51 2017
@@ -644,6 +644,8 @@
       These characters would normally result in a 400 status.</p>
       <p>The acceptable characters for this property are: <code>|</code>, <code>{</code>
       , and <code>}</code></p>
+      <p><strong>WARNING</strong>: Use of this option will expose the server to CVE-2016-6816.
+      </p>
       <p>If not specified, the default value of <code>null</code> will be used.</p>
     </property>
 


