Posted to dev@tomcat.apache.org by co...@apache.org on 2001/07/16 01:09:31 UTC

cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/request AccessInterceptor.java

costin      01/07/15 16:09:31

  Modified:    src/etc  Tag: tomcat_32 server.xml
               src/share/org/apache/tomcat/request Tag: tomcat_32
                        AccessInterceptor.java
  Log:
  Remove the xml:debug ( it creates problems when xerces is used )
  
  Added extra check for "//" in URLs. A better fix will be made in 3.3
  
  Revision  Changes    Path
  No                   revision
  
  
  No                   revision
  
  
  1.29.2.11 +3 -2      jakarta-tomcat/src/etc/server.xml
  
  Index: server.xml
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat/src/etc/server.xml,v
  retrieving revision 1.29.2.10
  retrieving revision 1.29.2.11
  diff -u -r1.29.2.10 -r1.29.2.11
  --- server.xml	2000/11/18 02:01:01	1.29.2.10
  +++ server.xml	2001/07/15 23:09:31	1.29.2.11
  @@ -1,9 +1,10 @@
   <?xml version="1.0" encoding="ISO-8859-1"?>
   
   <Server>
  -    <!-- Debug low-level events in XmlMapper startup -->
  +    <!-- Debug low-level events in XmlMapper startup 
       <xmlmapper:debug level="0" />
  -
  +    -->
  +    
       <!-- 
   
       Logging:
  
  
  
  No                   revision
  
  
  No                   revision
  
  
  1.12.2.8  +5 -0      jakarta-tomcat/src/share/org/apache/tomcat/request/Attic/AccessInterceptor.java
  
  Index: AccessInterceptor.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/request/Attic/AccessInterceptor.java,v
  retrieving revision 1.12.2.7
  retrieving revision 1.12.2.8
  diff -u -r1.12.2.7 -r1.12.2.8
  --- AccessInterceptor.java	2001/02/16 19:34:11	1.12.2.7
  +++ AccessInterceptor.java	2001/07/15 23:09:31	1.12.2.8
  @@ -252,6 +252,11 @@
   	if( ctxSec.patterns==0 ) return 0; // fast exit
   	
   	String reqURI = req.getRequestURI();
  +	// Servlet spec would allow it to pass. A better fix is to "normalize"
  +	// the URL
  +	if( reqURI.indexOf( "//" ) >= 0 )
  +	    return 403;
  +
   	String ctxPath= ctx.getPath();
   	String path=reqURI.substring( ctxPath.length());
   	String method=req.getMethod();
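Review bot: The new guard `if( reqURI.indexOf( "//" ) >= 0 ) return 403;` covers only a literal double slash. If `getRequestURI()` returns the undecoded, un-normalized value here, other non-canonical spellings of the same path would presumably still reach the constraint pattern match below, so the normalization deferred to 3.3 is the real fix and this check should be documented as a stopgap. The comment does not say what the check protects; something like `// Reject "//": security-constraint patterns are matched against the raw path, so a non-normalized URI may not match a protected pattern` would tell the next maintainer why it must stay until normalization lands. The check also sits after the `ctxSec.patterns==0` fast exit, so it only applies to contexts that declare constraints, and it returns 403 without logging, which leaves operators no trace of rejected requests. The enclosing method starts and ends outside the hunk, so how the 403 is handled by the caller cannot be confirmed from here.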