Posted to dev@tomcat.apache.org by co...@apache.org on 2001/10/04 22:25:05 UTC

cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/modules/mappers DecodeInterceptor.java

costin      01/10/04 13:25:05

  Modified:    src/share/org/apache/tomcat/modules/mappers
                        DecodeInterceptor.java
  Log:
  Do not decode if it was alredy decoded - i.e. if tomcat+web server.
  For Http we need to decode, and also for eventual protocols that send the request
  encoded.
  
  Also, added an option ( defaulted to what we agreed ) to allow saving the 'original'
  uri. Turning it on will bring inconsistencies between tomcat standalone and
  tomcat+web, and may be open to various security issues ( if the undecoded uri is used in any
  check or processing, many encoding tricks could be played - we've been there ).
  But it is the strict implementation of the 2.3 spec ( in the idea that 2.3 is
  backward compat. with 2.2 ).
  
  Revision  Changes    Path
  1.10      +14 -4     jakarta-tomcat/src/share/org/apache/tomcat/modules/mappers/DecodeInterceptor.java
  
  Index: DecodeInterceptor.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/modules/mappers/DecodeInterceptor.java,v
  retrieving revision 1.9
  retrieving revision 1.10
  diff -u -r1.9 -r1.10
  --- DecodeInterceptor.java	2001/09/29 04:36:35	1.9
  +++ DecodeInterceptor.java	2001/10/04 20:25:05	1.10
  @@ -89,7 +89,7 @@
   
       private boolean normalize=true;
       private boolean safe=true;
  -    
  +    private boolean saveOriginal=false;
       public DecodeInterceptor() {
       }
   
  @@ -118,6 +118,13 @@
   	normalize=b;
       }
   
  +    /** Save the original uri before decoding. Default is false,
  +     *  for consistency among servers.
  +     */
  +    public void setSaveOriginal( boolean b ) {
  +	saveOriginal=b;
  +    }
  +
       /** Decode interceptor can reject unsafe urls. These are
           URL's containing the following escapes:
           %25 = '%'
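Review bot: The Javadoc added for setSaveOriginal explains only the consistency reason for the default and leaves out the security caveat the commit log itself gives: a URI saved before decoding must never feed an access check or path comparison, because percent-encoding tricks sidestep such checks. Suggest extending the comment to `/** Save the original uri before decoding. Default is false, for consistency among servers. WARNING: the saved, undecoded uri must not be used for security checks or path matching - encoding tricks can bypass them; use the decoded and normalized uri instead. */`. The surrounding class continues outside this hunk.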
  @@ -398,7 +405,7 @@
       }
   
       private boolean isSafeURI(MessageBytes pathMB) {
  -        int start = pathMB.indexOf("%");
  +        int start = pathMB.indexOf('%');
           if( start >= 0 ) {
               int end = pathMB.indexOf(";jsessionid=");
               if( end < 0 || start < end ) {
  @@ -515,11 +522,14 @@
   	// Decode request, save the original for the facade
   
   	// Already decoded
  -	if( req.getNote( decodedNote ) != null )
  +	if( req.getNote( decodedNote ) != null ) {
  +	    if( debug> 5 ) log("Already decoded " + req.getNote( decodedNote ));
   	    return 0;
  +	}
   	if (pathMB.indexOf('%') >= 0 || pathMB.indexOf( '+' ) >= 0) {
   	    try {
  -		req.unparsedURI().duplicate( pathMB );
  +		if( saveOriginal )
  +		    req.unparsedURI().duplicate( pathMB );
   		if(debug>1 )
   		    log( "Before " + pathMB.toString());
   		req.getURLDecoder().convert( pathMB );
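Review bot: The comment `// Decode request, save the original for the facade` is now misleading in the default configuration, since the copy into `req.unparsedURI()` only happens when saveOriginal is true (and, as before, only when the path contains '%' or '+'). Suggest `// Decode request; copy the undecoded uri for the facade only when saveOriginal is set`. It is also worth confirming that unparsedURI() is cleared when the request object is recycled: if it is not, a request that skips the copy could expose the previous request's URI through the facade, which cannot be verified from this hunk. The enclosing method starts and ends outside the hunk.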