Posted to dev@tomcat.apache.org by am...@apache.org on 2003/12/09 01:50:58 UTC
cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm RealmBase.java
amyroh 2003/12/08 16:50:58
Modified: catalina/src/share/org/apache/catalina/realm RealmBase.java
Log:
Strip out uri parameters (";*") during filter mappings or security constraints matching - bugtraq 4903209.
Revision Changes Path
1.18 +16 -4 jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/RealmBase.java
Index: RealmBase.java
===================================================================
RCS file: /home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/RealmBase.java,v
retrieving revision 1.17
retrieving revision 1.18
diff -u -r1.17 -r1.18
--- RealmBase.java 2 Sep 2003 21:22:05 -0000 1.17
+++ RealmBase.java 9 Dec 2003 00:50:58 -0000 1.18
@@ -460,6 +460,18 @@
String contextPath = hreq.getContextPath();
if (contextPath.length() > 0)
uri = uri.substring(contextPath.length());
+
+ if (uri != null) {
+ int semicolon = uri.indexOf(";");
+ if (semicolon >= 0) {
+ String baseuri = uri.substring(0, semicolon);
+ if (debug >= 2)
+ log("Request uri '" + uri + "' treated as '" + baseuri +
+ "' for security constraint matching.");
+ uri = baseuri;
+ }
+ }
+
String method = hreq.getMethod();
for (int i = 0; i < constraints.length; i++) {
if (log.isDebugEnabled())
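Review bot: The "if (uri != null)" guard that opens the added block comes too late to protect anything, because the unchanged line just above it already calls uri.substring(contextPath.length()) whenever the context path is non-empty; move the null check above that call or drop it. The added debug output uses "debug >= 2" and log("...") as a method, while the context line after the block calls log.isDebugEnabled(), so the new lines should follow the same logger style (log.isDebugEnabled() with log.debug(...)). Also, uri.substring(0, semicolon) cuts at the first ";" and discards every path segment after it, so the constraint comparison runs against a shorter path than the one requested; stripping the parameter from each segment separately would keep the rest of the path in the match.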
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm RealmBase.java
Posted by Remy Maucherat <re...@apache.org>.
amyroh@apache.org wrote:
> amyroh 2003/12/08 16:50:58
>
> Modified: catalina/src/share/org/apache/catalina/realm RealmBase.java
> Log:
> Strip out uri parameters (";*") during filter mappings or security constraints matching - bugtraq 4903209.
-1 for all these patches. I'd like an explanation of what the problem
actually is (all URI parameters are stripped early on before going in
the Catalina pipeline).
Rémy