Posted to dev@tomcat.apache.org by ma...@apache.org on 2014/04/24 10:29:35 UTC
svn commit: r1589634 - in /tomcat/tc7.0.x/trunk: ./
java/org/apache/catalina/core/StandardContext.java webapps/docs/changelog.xml
Author: markt
Date: Thu Apr 24 08:29:34 2014
New Revision: 1589634
URL: http://svn.apache.org/r1589634
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=56430
Extend checks for suspicious URL patterns to include patterns of the form <code>*.a.b</code> which are not valid patterns for extension mappings.
Modified:
tomcat/tc7.0.x/trunk/ (props changed)
tomcat/tc7.0.x/trunk/java/org/apache/catalina/core/StandardContext.java
tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
Propchange: tomcat/tc7.0.x/trunk/
------------------------------------------------------------------------------
Merged /tomcat/trunk:r1589633
Modified: tomcat/tc7.0.x/trunk/java/org/apache/catalina/core/StandardContext.java
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/core/StandardContext.java?rev=1589634&r1=1589633&r2=1589634&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/catalina/core/StandardContext.java (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/catalina/core/StandardContext.java Thu Apr 24 08:29:34 2014
@@ -6364,11 +6364,15 @@ public class StandardContext extends Con
*/
private void checkUnusualURLPattern(String urlPattern) {
if (log.isInfoEnabled()) {
- if(urlPattern.endsWith("*") && (urlPattern.length() < 2 ||
- urlPattern.charAt(urlPattern.length()-2) != '/')) {
+ // First group checks for '*' or '/foo*' style patterns
+ // Second group checks for *.foo.bar style patterns
+ if((urlPattern.endsWith("*") && (urlPattern.length() < 2 ||
+ urlPattern.charAt(urlPattern.length()-2) != '/')) ||
+ urlPattern.startsWith("*.") && urlPattern.length() > 2 &&
+ urlPattern.lastIndexOf('.') > 1) {
log.info("Suspicious url pattern: \"" + urlPattern + "\"" +
" in context [" + getName() + "] - see" +
- " section SRV.11.2 of the Servlet specification" );
+ " sections 12.1 and 12.2 of the Servlet specification");
}
}
}
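Review bot: The new `*.a.b` test, like the existing one, only produces an INFO message and is skipped altogether when `log.isInfoEnabled()` is false, so on a deployment that logs at WARN or above, a pattern the commit log describes as not valid for extension mappings is accepted with no trace. If this method is also reached for security-constraint or filter patterns (the callers are outside the hunk), a mistyped pattern could leave a constraint that does not apply where the deployer expected, so it may be worth raising the level, e.g. `if (log.isWarnEnabled()) {` with `log.warn(...)`. Separately, the second group relies on `&&` binding tighter than `||`; giving it its own parentheses, `(urlPattern.startsWith("*.") && urlPattern.length() > 2 && urlPattern.lastIndexOf('.') > 1)`, would match the "first group / second group" comments. The method's Javadoc begins above the hunk.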
Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1589634&r1=1589633&r2=1589634&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Thu Apr 24 08:29:34 2014
@@ -101,6 +101,11 @@
systems if a file named <code>\</code> is encountered when scanning for
TLDs. (markt)
</fix>
+ <add>
+ <bug>56430</bug>: Extend checks for suspicious URL patterns to include
+ patterns of the form <code>*.a.b</code> which are not valid patterns for
+ extension mappings. (markt)
+ </add>
</changelog>
</subsection>
<subsection name="Jasper">