Posted to dev@tomcat.apache.org by ma...@apache.org on 2008/07/30 11:26:36 UTC

svn commit: r680947 - in /tomcat: connectors/trunk/coyote/src/java/org/apache/coyote/ connectors/trunk/http11/src/java/org/apache/coyote/http11/ connectors/trunk/jk/java/org/apache/coyote/ajp/ connectors/trunk/jk/java/org/apache/jk/common/ container/tc...

Author: markt
Date: Wed Jul 30 02:26:27 2008
New Revision: 680947

URL: http://svn.apache.org/viewvc?rev=680947&view=rev
Log:
Port r673834 to 5.5.x
Make filtering of \r and \n in headers consistent for all connectors.
Make handling of 404s consistent across components.
Provide option to include custom status message in headers. SRV.5.3 suggests custom messages are intended for the body of the response, not the status line.

Modified:
    tomcat/connectors/trunk/coyote/src/java/org/apache/coyote/Constants.java
    tomcat/connectors/trunk/http11/src/java/org/apache/coyote/http11/InternalAprOutputBuffer.java
    tomcat/connectors/trunk/http11/src/java/org/apache/coyote/http11/InternalOutputBuffer.java
    tomcat/connectors/trunk/jk/java/org/apache/coyote/ajp/AjpAprProcessor.java
    tomcat/connectors/trunk/jk/java/org/apache/jk/common/JkInputStream.java
    tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/core/StandardContextValve.java
    tomcat/container/tc5.5.x/webapps/docs/config/systemprops.xml

Modified: tomcat/connectors/trunk/coyote/src/java/org/apache/coyote/Constants.java
URL: http://svn.apache.org/viewvc/tomcat/connectors/trunk/coyote/src/java/org/apache/coyote/Constants.java?rev=680947&r1=680946&r2=680947&view=diff
==============================================================================
--- tomcat/connectors/trunk/coyote/src/java/org/apache/coyote/Constants.java (original)
+++ tomcat/connectors/trunk/coyote/src/java/org/apache/coyote/Constants.java Wed Jul 30 02:26:27 2008
@@ -53,4 +53,12 @@
     public static final int STAGE_ENDED = 7;
 
 
+    /**
+     * If true, custom HTTP status messages will be used in headers.
+     */
+    public static final boolean USE_CUSTOM_STATUS_MSG_IN_HEADER =
+        Boolean.valueOf(System.getProperty(
+                "org.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER",
+                "false")).booleanValue();
+
 }
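Review bot: The Javadoc on `USE_CUSTOM_STATUS_MSG_IN_HEADER` should state what enabling it costs: the value is read once from the system property at class initialization, so it cannot be toggled at runtime, and when true the text an application passes to `sendError()` is emitted on the wire in the status line, where the connector changes in this commit replace only CR and LF. Suggest replacing the one-line comment with: `/** If true, the custom message set on the response (e.g. via sendError) is written into the HTTP status line / AJP header instead of the standard reason phrase. Read once at class init. Connectors replace CR and LF with spaces but perform no other filtering, so enable only if applications never echo untrusted input in error messages. Defaults to false (SRV.5.3: custom messages belong in the body). */`. The property name must be matched exactly by users; note that the systemprops.xml hunk in this commit prints it with a stray space after `org.apache.coyote.`, which anyone copying it from the docs would get wrong.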

Modified: tomcat/connectors/trunk/http11/src/java/org/apache/coyote/http11/InternalAprOutputBuffer.java
URL: http://svn.apache.org/viewvc/tomcat/connectors/trunk/http11/src/java/org/apache/coyote/http11/InternalAprOutputBuffer.java?rev=680947&r1=680946&r2=680947&view=diff
==============================================================================
--- tomcat/connectors/trunk/http11/src/java/org/apache/coyote/http11/InternalAprOutputBuffer.java (original)
+++ tomcat/connectors/trunk/http11/src/java/org/apache/coyote/http11/InternalAprOutputBuffer.java Wed Jul 30 02:26:27 2008
@@ -429,11 +429,14 @@
         buf[pos++] = Constants.SP;
 
         // Write message
-        String message = response.getMessage();
+        String message = null;
+        if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER) {
+            message = response.getMessage();
+        } 
         if (message == null) {
             write(HttpMessages.getMessage(status));
         } else {
-            write(message);
+            write(message.replace('\n', ' ').replace('\r', ' '));
         }
 
         // End the response status line
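Review bot: The sanitizer on the new `write(message.replace('\n', ' ').replace('\r', ' '))` line removes only CR and LF, so other control characters (NUL, TAB, 0x7F, ...) in a custom reason phrase still reach the status line; RFC 2616 defines Reason-Phrase as TEXT excluding CR/LF, and TEXT excludes all CTLs. It is also not visible here how `write(String)` maps characters above 0xFF to bytes — if it casts each char to a byte, a character such as U+010A would become a raw LF after this filter has run, re-opening the header-injection this change is meant to close; worth confirming against the `write(String)` implementation. Consider replacing any char with `c < 0x20 || c == 0x7f || c > 0xff` by a space in a small shared helper, or at minimum adding `// only CR/LF are filtered; caller must not pass untrusted text` above the line. The enclosing method continues outside the hunk.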

Modified: tomcat/connectors/trunk/http11/src/java/org/apache/coyote/http11/InternalOutputBuffer.java
URL: http://svn.apache.org/viewvc/tomcat/connectors/trunk/http11/src/java/org/apache/coyote/http11/InternalOutputBuffer.java?rev=680947&r1=680946&r2=680947&view=diff
==============================================================================
--- tomcat/connectors/trunk/http11/src/java/org/apache/coyote/http11/InternalOutputBuffer.java (original)
+++ tomcat/connectors/trunk/http11/src/java/org/apache/coyote/http11/InternalOutputBuffer.java Wed Jul 30 02:26:27 2008
@@ -448,11 +448,14 @@
         buf[pos++] = Constants.SP;
 
         // Write message
-        String message = response.getMessage();
+        String message = null;
+        if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER) {
+            message = response.getMessage();
+        } 
         if (message == null) {
             write(getMessage(status));
         } else {
-            write(message);
+            write(message.replace('\n', ' ').replace('\r', ' '));
         }
 
         // End the response status line
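Review bot: The gate-and-filter sequence added here is byte-for-byte the same as the one added to InternalAprOutputBuffer in this commit (and the AJP processors repeat the gate), so any future hardening of the reason-phrase filter has to be made in several places; a single static such as `HttpMessages.filter(String)` holding the `replace('\n', ' ').replace('\r', ' ')` logic, called from all connectors, would make the "consistent across connectors" goal structural rather than by copy. Separately, the fallback `write(getMessage(status))` relies on `getMessage` never returning null for an unrecognised status code; that method is outside the hunk, so if it can return null for e.g. an application-chosen `setStatus(299)`, `write((String) null)` is reached here — worth a check or a `// getMessage() falls back to ... for unknown codes` comment once confirmed. The enclosing method continues outside the hunk.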

Modified: tomcat/connectors/trunk/jk/java/org/apache/coyote/ajp/AjpAprProcessor.java
URL: http://svn.apache.org/viewvc/tomcat/connectors/trunk/jk/java/org/apache/coyote/ajp/AjpAprProcessor.java?rev=680947&r1=680946&r2=680947&view=diff
==============================================================================
--- tomcat/connectors/trunk/jk/java/org/apache/coyote/ajp/AjpAprProcessor.java (original)
+++ tomcat/connectors/trunk/jk/java/org/apache/coyote/ajp/AjpAprProcessor.java Wed Jul 30 02:26:27 2008
@@ -942,7 +942,10 @@
 
         // HTTP header contents
         responseHeaderMessage.appendInt(response.getStatus());
-        String message = response.getMessage();
+        String message = null;
+        if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER) {
+            message = response.getMessage();
+        } 
         if (message == null){
             message = HttpMessages.getMessage(response.getStatus());
         } else {
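Review bot: The branch that must apply the CR/LF filtering to a custom message is the `else` on the last hunk line, and its body lies outside the hunk; since this commit's stated purpose is consistent filtering across connectors, confirm that body performs `message = message.replace('\n', ' ').replace('\r', ' ');` (or stronger) as the HTTP buffers now do, because the AJP reason phrase is presumably rebuilt into a status line by the fronting web server. The new lines also silently discard `response.getMessage()` when the flag is off, with no explanation in the code; a why-comment above the `if` such as `// SRV.5.3: custom messages are for the body, not the status line; only emit in the header when explicitly enabled` would stop a later change from "fixing" it back. There is trailing whitespace after `}` on the added closing-brace line. The enclosing method starts and ends outside the hunk.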

Modified: tomcat/connectors/trunk/jk/java/org/apache/jk/common/JkInputStream.java
URL: http://svn.apache.org/viewvc/tomcat/connectors/trunk/jk/java/org/apache/jk/common/JkInputStream.java?rev=680947&r1=680946&r2=680947&view=diff
==============================================================================
--- tomcat/connectors/trunk/jk/java/org/apache/jk/common/JkInputStream.java (original)
+++ tomcat/connectors/trunk/jk/java/org/apache/jk/common/JkInputStream.java Wed Jul 30 02:26:27 2008
@@ -279,7 +279,10 @@
         outputMsg.appendByte(AjpConstants.JK_AJP13_SEND_HEADERS);
         outputMsg.appendInt( res.getStatus() );
         
-        String message=res.getMessage();
+        String message = null;
+        if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER) {
+            message = res.getMessage();
+        } 
         if( message==null ){
             message= HttpMessages.getMessage(res.getStatus());
         } else {
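Review bot: The added lines spell the flag as the fully-qualified `org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER`, while the surrounding code in this hunk (`AjpConstants.JK_AJP13_SEND_HEADERS`, `HttpMessages.getMessage`) relies on imports; an `import org.apache.coyote.Constants;` would read better, provided this class does not already import another `Constants` (not visible here). The added `} ` closing-brace line carries trailing whitespace. The `else` branch that presumably applies the CR/LF filter, and the rest of the enclosing method, lie outside the hunk.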

Modified: tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/core/StandardContextValve.java
URL: http://svn.apache.org/viewvc/tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/core/StandardContextValve.java?rev=680947&r1=680946&r2=680947&view=diff
==============================================================================
--- tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/core/StandardContextValve.java (original)
+++ tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/core/StandardContextValve.java Wed Jul 30 02:26:27 2008
@@ -119,8 +119,7 @@
             || (requestPathMB.equalsIgnoreCase("/META-INF"))
             || (requestPathMB.startsWithIgnoreCase("/WEB-INF/", 0))
             || (requestPathMB.equalsIgnoreCase("/WEB-INF"))) {
-            String requestURI = request.getDecodedRequestURI();
-            notFound(requestURI, response);
+            notFound(response);
             return;
         }
 
@@ -136,8 +135,7 @@
         // Select the Wrapper to be used for this Request
         Wrapper wrapper = request.getWrapper();
         if (wrapper == null) {
-            String requestURI = request.getDecodedRequestURI();
-            notFound(requestURI, response);
+            notFound(response);
             return;
         }
 
@@ -206,13 +204,12 @@
      * application, but currently that code runs at the wrapper level rather
      * than the context level.
      *
-     * @param requestURI The request URI for the requested resource
      * @param response The response we are creating
      */
-    private void notFound(String requestURI, HttpServletResponse response) {
+    private void notFound(HttpServletResponse response) {
 
         try {
-            response.sendError(HttpServletResponse.SC_NOT_FOUND, requestURI);
+            response.sendError(HttpServletResponse.SC_NOT_FOUND);
         } catch (IllegalStateException e) {
             ;
         } catch (IOException e) {
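Review bot: The reason the request URI is no longer passed to `sendError` — it is attacker-controlled and was being reflected as the response message — is not recorded anywhere in the code, so a later change could reinstate it without realising why it was removed. Suggest a comment above `response.sendError(HttpServletResponse.SC_NOT_FOUND);`: `// Deliberately no message argument: the request URI is client-supplied and was being echoed into the response (status line / error body). Error pages can presumably obtain it from the standard error request attributes instead.` The `catch (IllegalStateException e) { ; }` directly below is a silent swallow; pre-existing, but a `// response already committed; nothing further can be sent` comment would make the intent explicit. The Javadoc above (only partly in the hunk) should be re-read now that the `requestURI` parameter is gone, and `notFound`'s body continues past the hunk.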

Modified: tomcat/container/tc5.5.x/webapps/docs/config/systemprops.xml
URL: http://svn.apache.org/viewvc/tomcat/container/tc5.5.x/webapps/docs/config/systemprops.xml?rev=680947&r1=680946&r2=680947&view=diff
==============================================================================
--- tomcat/container/tc5.5.x/webapps/docs/config/systemprops.xml (original)
+++ tomcat/container/tc5.5.x/webapps/docs/config/systemprops.xml Wed Jul 30 02:26:27 2008
@@ -74,6 +74,14 @@
       be used.</p>
     </property>
 
+    <property
+    name="org.apache.coyote. USE_CUSTOM_STATUS_MSG_IN_HEADER"><p>If this is
+      <code>true</code> custom HTTP status messages will be used within HTTP
+      headers. Users must ensure that any such message is ISO-8859-1 encoded,
+      particularly if user provided input is included in the message, to prevent
+      a possible XSS vulnerability. If not specified the default value of
+      <code>false</code> will be used.</p>
+    </property>
   </properties>
 
 </section>


