You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by cr...@apache.org on 2001/04/02 23:14:33 UTC
cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/util/ssi SsiMediator.java
craigmcc 01/04/02 14:14:33
Modified: catalina/src/share/org/apache/catalina/servlets
DefaultServlet.java SsiInvokerServlet.java
catalina/src/share/org/apache/catalina/util/ssi
SsiMediator.java
Log:
Update the comments in DefaultServlet to describe *why* URL decoding was
removed at this point.
The same vulnerability is possible in SsiInvokerServlet, so fix it there too.
Revision Changes Path
1.33 +16 -9 jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/DefaultServlet.java
Index: DefaultServlet.java
===================================================================
RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/DefaultServlet.java,v
retrieving revision 1.32
retrieving revision 1.33
diff -u -r1.32 -r1.33
--- DefaultServlet.java 2001/04/02 08:41:45 1.32
+++ DefaultServlet.java 2001/04/02 21:14:19 1.33
@@ -1,7 +1,7 @@
/*
- * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/DefaultServlet.java,v 1.32 2001/04/02 08:41:45 remm Exp $
- * $Revision: 1.32 $
- * $Date: 2001/04/02 08:41:45 $
+ * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/DefaultServlet.java,v 1.33 2001/04/02 21:14:19 craigmcc Exp $
+ * $Revision: 1.33 $
+ * $Date: 2001/04/02 21:14:19 $
*
* ====================================================================
*
@@ -122,7 +122,7 @@
*
* @author Craig R. McClanahan
* @author Remy Maucherat
- * @version $Revision: 1.32 $ $Date: 2001/04/02 08:41:45 $
+ * @version $Revision: 1.33 $ $Date: 2001/04/02 21:14:19 $
*/
public class DefaultServlet
@@ -863,14 +863,21 @@
if (path == null)
return null;
- // Resolve encoded characters in the normalized path,
- // which also handles encoded spaces so we can skip that later.
- // Placed at the beginning of the chain so that encoded
- // bad stuff(tm) can be caught by the later checks
+ // Create a place for the normalized path
String normalized = path;
+
+ /*
+ * Commented out -- already URL-decoded in StandardContextMapper
+ * Decoding twice leaves the container vulnerable to %25 --> '%'
+ * attacks.
+ *
+ * if (normalized.indexOf('%') >= 0)
+ * normalized = RequestUtil.URLDecode(normalized, "UTF8");
+ */
+
if (normalized == null)
return (null);
-
+
// Normalize the slashes and add leading slash if necessary
if (normalized.indexOf('\\') >= 0)
normalized = normalized.replace('\\', '/');
1.3 +17 -10 jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/SsiInvokerServlet.java
Index: SsiInvokerServlet.java
===================================================================
RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/SsiInvokerServlet.java,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- SsiInvokerServlet.java 2001/03/27 20:44:24 1.2
+++ SsiInvokerServlet.java 2001/04/02 21:14:21 1.3
@@ -1,8 +1,8 @@
/*
* SsiInvokerServlet.java
- * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/SsiInvokerServlet.java,v 1.2 2001/03/27 20:44:24 amyroh Exp $
- * $Revision: 1.2 $
- * $Date: 2001/03/27 20:44:24 $
+ * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/SsiInvokerServlet.java,v 1.3 2001/04/02 21:14:21 craigmcc Exp $
+ * $Revision: 1.3 $
+ * $Date: 2001/04/02 21:14:21 $
*
* ====================================================================
*
@@ -98,7 +98,7 @@
* Mapped to a path from within web.xml.
*
* @author Bip Thelin
- * @version $Revision: 1.2 $, $Date: 2001/03/27 20:44:24 $
+ * @version $Revision: 1.3 $, $Date: 2001/04/02 21:14:21 $
*/
public final class SsiInvokerServlet extends HttpServlet {
/** Debug level for this servlet. */
@@ -486,15 +486,22 @@
private String normalize(String path) {
if (path == null)
return null;
- // Resolve encoded characters in the normalized path,
- // which also handles encoded spaces so we can skip that later.
- // Placed at the beginning of the chain so that encoded
- // bad stuff(tm) can be caught by the later checks
+
+ // Create a place for the normalized path
String normalized = path;
- if (normalized.indexOf('%') >= 0)
- normalized = RequestUtil.URLDecode(normalized, "UTF8");
+
+ /*
+ * Commented out -- already URL-decoded in StandardContextMapper
+ * Decoding twice leaves the container vulnerable to %25 --> '%'
+ * attacks.
+ *
+ * if (normalized.indexOf('%') >= 0)
+ * normalized = RequestUtil.URLDecode(normalized, "UTF8");
+ */
+
if (normalized == null)
return (null);
+
// Normalize the slashes and add leading slash if necessary
if (normalized.indexOf('\\') >= 0)
normalized = normalized.replace('\\', '/');
1.2 +27 -17 jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/util/ssi/SsiMediator.java
Index: SsiMediator.java
===================================================================
RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/util/ssi/SsiMediator.java,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- SsiMediator.java 2001/03/27 20:38:00 1.1
+++ SsiMediator.java 2001/04/02 21:14:29 1.2
@@ -1,8 +1,8 @@
/*
* SsiMediator.java
- * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/util/ssi/SsiMediator.java,v 1.1 2001/03/27 20:38:00 amyroh Exp $
- * $Revision: 1.1 $
- * $Date: 2001/03/27 20:38:00 $
+ * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/util/ssi/SsiMediator.java,v 1.2 2001/04/02 21:14:29 craigmcc Exp $
+ * $Revision: 1.2 $
+ * $Date: 2001/04/02 21:14:29 $
*
* ====================================================================
*
@@ -85,7 +85,7 @@
/**
* @author Bip Thelin
- * @version $Revision: 1.1 $, $Date: 2001/03/27 20:38:00 $
+ * @version $Revision: 1.2 $, $Date: 2001/04/02 21:14:29 $
*
*/
public class SsiMediator {
@@ -244,16 +244,21 @@
if (path == null)
return null;
- // Resolve encoded characters in the normalized path,
- // which also handles encoded spaces so we can skip that later.
- // Placed at the beginning of the chain so that encoded
- // bad stuff(tm) can be caught by the later checks
+ // Create a place for the normalized path
String normalized = path;
- if (normalized.indexOf('%') >= 0)
- normalized = RequestUtil.URLDecode(normalized, "UTF8");
+
+ /*
+ * Commented out -- already URL-decoded in StandardContextMapper
+ * Decoding twice leaves the container vulnerable to %25 --> '%'
+ * attacks.
+ *
+ * if (normalized.indexOf('%') >= 0)
+ * normalized = RequestUtil.URLDecode(normalized, "UTF8");
+ */
+
if (normalized == null)
return (null);
-
+
// Normalize the slashes and add leading slash if necessary
if (normalized.indexOf('\\') >= 0)
normalized = normalized.replace('\\', '/');
@@ -308,13 +313,18 @@
if (path == null)
return null;
- // Resolve encoded characters in the normalized path,
- // which also handles encoded spaces so we can skip that later.
- // Placed at the beginning of the chain so that encoded
- // bad stuff(tm) can be caught by the later checks
+ // Create a place for the normalized path
String normalized = path;
- if (normalized.indexOf('%') >= 0)
- normalized = RequestUtil.URLDecode(normalized, "UTF8");
+
+ /*
+ * Commented out -- already URL-decoded in StandardContextMapper
+ * Decoding twice leaves the container vulnerable to %25 --> '%'
+ * attacks.
+ *
+ * if (normalized.indexOf('%') >= 0)
+ * normalized = RequestUtil.URLDecode(normalized, "UTF8");
+ */
+
if (normalized == null)
return (null);