You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by la...@apache.org on 2001/09/15 03:31:46 UTC
cvs commit: jakarta-tomcat/src/facade22/org/apache/tomcat/facade HttpServletRequestFacade.java
larryi 01/09/14 18:31:46
Modified: src/facade22/org/apache/tomcat/facade
HttpServletRequestFacade.java
Log:
Minimize vulnerability from SimpleDateFormat's non-thread safety.
Submitted by: Bill Barker <wb...@wilshire.com>
Revision Changes Path
1.27 +7 -1 jakarta-tomcat/src/facade22/org/apache/tomcat/facade/HttpServletRequestFacade.java
Index: HttpServletRequestFacade.java
===================================================================
RCS file: /home/cvs/jakarta-tomcat/src/facade22/org/apache/tomcat/facade/HttpServletRequestFacade.java,v
retrieving revision 1.26
retrieving revision 1.27
diff -u -r1.26 -r1.27
--- HttpServletRequestFacade.java 2001/08/12 02:48:57 1.26
+++ HttpServletRequestFacade.java 2001/09/15 01:31:45 1.27
@@ -70,6 +70,7 @@
import java.net.*;
import java.security.*;
import java.util.*;
+import java.text.*;
import javax.servlet.*;
import javax.servlet.http.*;
@@ -94,6 +95,11 @@
ServletInputStreamFacade isFacade=new ServletInputStreamFacade();
boolean isFacadeInitialized=false;
BufferedReader reader;
+ DateFormat []dateFormats = {
+ new SimpleDateFormat(DateTool.RFC1123_PATTERN),
+ new SimpleDateFormat(DateTool.rfc1036Pattern),
+ new SimpleDateFormat(DateTool.asctimePattern)
+ };
private boolean usingStream = false;
private boolean usingReader = false;
@@ -195,7 +201,7 @@
String value=request.getHeader( name );
if( value==null) return -1;
- long date=DateTool.parseDate(value);
+ long date=DateTool.parseDate(value,dateFormats);
if( date==-1) {
String msg = sm.getString("httpDate.pe", value);
throw new IllegalArgumentException(msg);