You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2018/05/03 19:18:24 UTC

svn commit: r1830861 - in /tomcat/trunk: java/org/apache/catalina/authenticator/FormAuthenticator.java webapps/docs/changelog.xml

Author: markt
Date: Thu May  3 19:18:24 2018
New Revision: 1830861

URL: http://svn.apache.org/viewvc?rev=1830861&view=rev
Log:
When restoring a saved request with a request body after FORM authentication, ensure that calls to the  HttpServletRequest methods getRequestURI(), getQueryString() and getProtocol() are not corrupted by the processing of the saved request body.

Modified:
    tomcat/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java
    tomcat/trunk/webapps/docs/changelog.xml

Modified: tomcat/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java?rev=1830861&r1=1830860&r2=1830861&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java (original)
+++ tomcat/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java Thu May  3 19:18:24 2018
@@ -611,6 +611,18 @@ public class FormAuthenticator
         }
 
         request.getCoyoteRequest().method().setString(method);
+        // The method, URI, queryString and protocol are normally stored as
+        // bytes in the HttpInputBuffer and converted lazily to String. At this
+        // point, the method has already been set as String in the line above
+        // but the URI, queryString and protocol are still in byte form in the
+        // HttpInputBuffer. Processing the saved request body will overwrite
+        // these bytes. Configuring the HttpInputBuffer to retain these bytes as
+        // it would in a normal request would require some invasive API changes.
+        // Therefore force the conversion to String now so the correct values
+        // are presented if the application requests them.
+        request.getRequestURI();
+        request.getQueryString();
+        request.getProtocol();
 
         return true;
     }
@@ -702,6 +714,4 @@ public class FormAuthenticator
         }
         return sb.toString();
     }
-
-
 }

Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1830861&r1=1830860&r2=1830861&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Thu May  3 19:18:24 2018
@@ -60,6 +60,13 @@
         for a match using JavaBean property names and then, only if a match is
         not found, look for a match using fields. (markt)
       </fix>
+      <fix>
+        When restoring a saved request with a request body after FORM
+        authentication, ensure that calls to the <code>HttpServletRequest</code>
+        methods <code>getRequestURI()</code>, <code>getQueryString()</code> and
+        <code>getProtocol()</code> are not corrupted by the processing of the
+        saved request body. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Coyote">



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org