You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by kk...@apache.org on 2011/11/17 08:55:08 UTC

svn commit: r1203091 - /tomcat/trunk/java/org/apache/tomcat/util/buf/UDecoder.java

Author: kkolinko
Date: Thu Nov 17 07:55:08 2011
New Revision: 1203091

URL: http://svn.apache.org/viewvc?rev=1203091&view=rev
Log:
- Align %2f handling (aka CVE-2007-0450 fix) between implementations of UDecoder.convert().
- Make convert(MessageBytes) to consistently throw an IOException, even if it calls convert(String).

convert(String) and convert(CharChunk) are rare cases with little impact
(and inherent bug: hardcoded handling of %xx as ISO-8859-1).

Modified:
    tomcat/trunk/java/org/apache/tomcat/util/buf/UDecoder.java

Modified: tomcat/trunk/java/org/apache/tomcat/util/buf/UDecoder.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/buf/UDecoder.java?rev=1203091&r1=1203090&r2=1203091&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/buf/UDecoder.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/buf/UDecoder.java Thu Nov 17 07:55:08 2011
@@ -92,7 +92,7 @@ public final class UDecoder {
             idx=idx2;
         }
 
-        boolean noSlash = !(ALLOW_ENCODED_SLASH || query);
+        final boolean noSlash = !(ALLOW_ENCODED_SLASH || query);
 
         for( int j=idx; j<end; j++, idx++ ) {
             if( buff[ j ] == '+' && query) {
@@ -160,6 +160,8 @@ public final class UDecoder {
             idx=idx2;
         }
 
+        final boolean noSlash = !(ALLOW_ENCODED_SLASH || query);
+
         for( int j=idx; j<cend; j++, idx++ ) {
             if( buff[ j ] == '+' && query ) {
                 buff[idx]=( ' ' );
@@ -179,6 +181,9 @@ public final class UDecoder {
 
                 j+=2;
                 int res=x2c( b1, b2 );
+                if (noSlash && (res == '/')) {
+                    throw EXCEPTION_SLASH;
+                }
                 buff[idx]=(char)res;
             }
         }
@@ -206,7 +211,11 @@ public final class UDecoder {
             if( strValue==null ) {
                 return;
             }
-            mb.setString( convert( strValue, query ));
+            try {
+                mb.setString( convert( strValue, query ));
+            } catch (RuntimeException ex) {
+                throw new DecodeException(ex.getMessage());
+            }
             break;
         case MessageBytes.T_CHARS:
             CharChunk charC=mb.getCharChunk();
@@ -236,6 +245,8 @@ public final class UDecoder {
             return str;
         }
 
+        final boolean noSlash = !(ALLOW_ENCODED_SLASH || query);
+
         StringBuilder dec = new StringBuilder();    // decoded string output
         int strPos = 0;
         int strLen = str.length();
@@ -273,8 +284,12 @@ public final class UDecoder {
                 // We throw the original exception - the super will deal with
                 // it
                 //                try {
-                dec.append((char)Integer.
-                           parseInt(str.substring(strPos + 1, strPos + 3),16));
+                char res = (char) Integer.parseInt(
+                        str.substring(strPos + 1, strPos + 3), 16);
+                if (noSlash && (res == '/')) {
+                    throw new IllegalArgumentException("noSlash");
+                }
+                dec.append(res);
                 strPos += 3;
             }
         }



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org