Posted to dev@tomcat.apache.org by am...@apache.org on 2003/12/09 01:50:58 UTC

cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm RealmBase.java

amyroh      2003/12/08 16:50:58

  Modified:    catalina/src/share/org/apache/catalina/realm RealmBase.java
  Log:
  Strip out uri parameters (";*") during filter mappings or security constraints matching - bugtraq 4903209.
  
  Revision  Changes    Path
  1.18      +16 -4     jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/RealmBase.java
  
  Index: RealmBase.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/RealmBase.java,v
  retrieving revision 1.17
  retrieving revision 1.18
  diff -u -r1.17 -r1.18
  --- RealmBase.java	2 Sep 2003 21:22:05 -0000	1.17
  +++ RealmBase.java	9 Dec 2003 00:50:58 -0000	1.18
  @@ -460,6 +460,18 @@
           String contextPath = hreq.getContextPath();
           if (contextPath.length() > 0)
               uri = uri.substring(contextPath.length());
  +        
  +        if (uri != null) {
  +            int semicolon = uri.indexOf(";");
  +            if (semicolon >= 0) {
  +                String baseuri = uri.substring(0, semicolon);
  +                if (debug >= 2)
  +                    log("Request uri '" + uri + "' treated as '" + baseuri +
  +                        "' for security constraint matching.");
  +                uri = baseuri;
  +            }
  +        }
  +        
           String method = hreq.getMethod();
           for (int i = 0; i < constraints.length; i++) {
               if (log.isDebugEnabled())
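
Review bot: `uri.substring(0, semicolon)` in the added block cuts the URI at the first ";" and drops everything after it, not just the parameter, so when the parameter sits on an earlier path segment the later segments are lost and the constraint loop below compares against a shorter path than the one requested. Consider removing each ";..." run only up to the next "/" so the remaining segments still take part in matching. Two smaller points in the same block: the `if (uri != null)` guard comes after `uri.substring(contextPath.length())` in the context lines above, which has already dereferenced `uri` whenever the context path is non-empty, so the check should move up or go; and the new message is gated on `debug >= 2` with `log(...)` while the next context line uses `log.isDebugEnabled()`, so the same logger guard would keep the method consistent.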
  
  
  

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org


Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm RealmBase.java

Posted by Remy Maucherat <re...@apache.org>.
amyroh@apache.org wrote:
> amyroh      2003/12/08 16:50:58
> 
>   Modified:    catalina/src/share/org/apache/catalina/realm RealmBase.java
>   Log:
>   Strip out uri parameters (";*") during filter mappings or security constraints matching - bugtraq 4903209.

-1 for all these patches. I'd like an explanation of what the problem 
actually is (all URI parameters are stripped early on before going in 
the Catalina pipeline).

Rémy

