You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by re...@apache.org on 2006/07/20 18:01:42 UTC
svn commit: r423967 -
/tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/CoyoteAdapter.java
Author: remm
Date: Thu Jul 20 09:01:41 2006
New Revision: 423967
URL: http://svn.apache.org/viewvc?rev=423967&view=rev
Log:
- Changes to session id parsing so that it is done (as well as ";" path parameter stripping) before
decoding, making it possible to %xx encode ";" in the URL.
- This can probably be backported to 5.5.x.
Modified:
tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/CoyoteAdapter.java
Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/CoyoteAdapter.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/CoyoteAdapter.java?rev=423967&r1=423966&r2=423967&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/CoyoteAdapter.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/CoyoteAdapter.java Thu Jul 20 09:01:41 2006
@@ -293,11 +293,21 @@
req.serverName().setString(proxyName);
}
+ // Parse session Id
+ parseSessionId(req, request);
+
// URI decoding
MessageBytes decodedURI = req.decodedURI();
decodedURI.duplicate(req.requestURI());
if (decodedURI.getType() == MessageBytes.T_BYTES) {
+ // Remove any path parameters
+ ByteChunk uriBB = decodedURI.getByteChunk();
+ int semicolon = uriBB.indexOf(';', 0);
+ if (semicolon > 0) {
+ decodedURI.setBytes
+ (uriBB.getBuffer(), uriBB.getStart(), semicolon);
+ }
// %xx decoding of the URL
try {
req.getURLDecoder().convert(decodedURI, false);
@@ -319,6 +329,13 @@
// protocol handler, we have to assume the URL has been properly
// decoded already
decodedURI.toChars();
+ // Remove any path parameters
+ CharChunk uriCC = decodedURI.getCharChunk();
+ int semicolon = uriCC.indexOf(';');
+ if (semicolon > 0) {
+ decodedURI.setChars
+ (uriCC.getBuffer(), uriCC.getStart(), semicolon);
+ }
}
// Set the remote principal
@@ -333,19 +350,6 @@
request.setAuthType(authtype);
}
- // Parse session Id
- parseSessionId(req, request);
-
- // Remove any remaining parameters (other than session id, which has
- // already been removed in parseSessionId()) from the URI, so they
- // won't be considered by the mapping algorithm.
- CharChunk uriCC = decodedURI.getCharChunk();
- int semicolon = uriCC.indexOf(';');
- if (semicolon > 0) {
- decodedURI.setChars
- (uriCC.getBuffer(), uriCC.getStart(), semicolon);
- }
-
// Request mapping.
MessageBytes serverName;
if (connector.getUseIPVHosts()) {
@@ -420,49 +424,35 @@
*/
protected void parseSessionId(org.apache.coyote.Request req, Request request) {
- CharChunk uriCC = req.decodedURI().getCharChunk();
- int semicolon = uriCC.indexOf(match, 0, match.length(), 0);
+ ByteChunk uriBC = req.requestURI().getByteChunk();
+ int semicolon = uriBC.indexOf(match, 0, match.length(), 0);
if (semicolon > 0) {
// Parse session ID, and extract it from the decoded request URI
- int start = uriCC.getStart();
- int end = uriCC.getEnd();
+ int start = uriBC.getStart();
+ int end = uriBC.getEnd();
- int sessionIdStart = start + semicolon + match.length();
- int semicolon2 = uriCC.indexOf(';', sessionIdStart);
+ int sessionIdStart = semicolon + match.length();
+ int semicolon2 = uriBC.indexOf(';', sessionIdStart);
if (semicolon2 >= 0) {
request.setRequestedSessionId
- (new String(uriCC.getBuffer(), sessionIdStart,
- semicolon2 - semicolon - match.length()));
+ (new String(uriBC.getBuffer(), start + sessionIdStart,
+ semicolon2 - sessionIdStart));
+ // Extract session ID from request URI
+ byte[] buf = uriBC.getBuffer();
+ for (int i = 0; i < end - start - semicolon2; i++) {
+ buf[start + semicolon + i]
+ = buf[start + i + semicolon2];
+ }
+ uriBC.setBytes(buf, start, end - start - semicolon2 + semicolon);
} else {
request.setRequestedSessionId
- (new String(uriCC.getBuffer(), sessionIdStart,
- end - sessionIdStart));
- }
- request.setRequestedSessionURL(true);
-
- // Extract session ID from request URI
- ByteChunk uriBC = req.requestURI().getByteChunk();
- start = uriBC.getStart();
- end = uriBC.getEnd();
- semicolon = uriBC.indexOf(match, 0, match.length(), 0);
-
- if (semicolon > 0) {
- sessionIdStart = start + semicolon;
- semicolon2 = uriCC.indexOf
- (';', start + semicolon + match.length());
+ (new String(uriBC.getBuffer(), start + sessionIdStart,
+ (end - start) - sessionIdStart));
uriBC.setEnd(start + semicolon);
- byte[] buf = uriBC.getBuffer();
- if (semicolon2 >= 0) {
- for (int i = 0; i < end - start - semicolon2; i++) {
- buf[start + semicolon + i]
- = buf[start + i + semicolon2];
- }
- uriBC.setBytes(buf, start, semicolon
- + (end - start - semicolon2));
- }
}
+ request.setRequestedSessionURL(true);
} else {
request.setRequestedSessionId(null);
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: svn commit: r423967 - /tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/CoyoteAdapter.java
Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
Jean-frederic Clere wrote:
>
> Returning to my example:
> JkMount /*.jsp worker1
> http://localhost/;jsp-examples/jsp2/;simpletag/;hello.jsp
>
> .jsp-examples simpletag and hello.jsp are parameters. (According to the
> 3.3 of the ref).
> So the mapping is
> //jsp2// -> no worker.
I would concur...
> http://localhost/jsp-examples;.titi/jsp2/simpletag;toto/hello.jsp;tutu
> .titi toto and tutu are parameters.
> And the mapping is:
> /jsp-examples/jsp2/simpletag/hello.jsp match worker1
I'm a little hesitant. I almost assure you that the typical configuration
is broken in this case, various <Files *.jsp> blocks, etc won't apply and
the administrator will be "surprised" by the results.
With that said, I'll add that I've always detested this particular mounting
semantic, since it was never really guarenteed that it would coincide with
the appropriate apache-side configuration directives, and so with that,
I'd say stay with your patch :)
Bill
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: svn commit: r423967 - /tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/CoyoteAdapter.java
Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
Remy Maucherat wrote:
> Jean-frederic Clere wrote:
>>
>> Comments?
>
> Another tactic is to give up, and return an error code of some sort in
> Tomcat if the URL contains a path parameter (since they are not part of
> the path, are not handled properly, and have no useful usage at the
> moment).
+1 - this is a very reasonable suggestion; or, make it toggleable...
> The latest RFC (3986) gives an interesting example of usage: For
> example, one URI producer might use a segment such as "name;v=1.1" to
> indicate a reference to version 1.1 of "name".
... so the bleeding edge of technology user can do something like this above.
> Personally, I dislike the "optimized" mappings, like *.jsp, that in the
> end make the webapp non portable and full of security holes. I think
> full webapp mappings are preferable (and for static resources that
> "need" to be served by Apache, it still seems possible to me to use
> relative URLs to them - as if they were in a separate webapp).
+++1 - My personal favorite approach is more of a JkMountRequest /target
where this directive is deposited into a <Files > or <Location > block...
the same block that the user is likely to add security related permissions.
It leaves no ambiguity ;-)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: svn commit: r423967 - /tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/CoyoteAdapter.java
Posted by Remy Maucherat <re...@apache.org>.
Jean-frederic Clere wrote:
> Returning to my example:
> kMount /*.jsp worker1
> http://localhost/;jsp-examples/jsp2/;simpletag/;hello.jsp
>
> .jsp-examples simpletag and hello.jsp are parameters. (According to the
> 3.3 of the ref).
> So the mapping is
> //jsp2// -> no worker.
> http://localhost/jsp-examples;.titi/jsp2/simpletag;toto/hello.jsp;tutu
> .titi toto and tutu are parameters.
> And the mapping is:
> /jsp-examples/jsp2/simpletag/hello.jsp match worker1
>
> Comments?
Another tactic is to give up, and return an error code of some sort in
Tomcat if the URL contains a path parameter (since they are not part of
the path, are not handled properly, and have no useful usage at the moment).
The latest RFC (3986) gives an interesting example of usage: For
example, one URI producer might use a segment such as "name;v=1.1" to
indicate a reference to version 1.1 of "name".
Personally, I dislike the "optimized" mappings, like *.jsp, that in the
end make the webapp non portable and full of security holes. I think
full webapp mappings are preferable (and for static resources that
"need" to be served by Apache, it still seems possible to me to use
relative URLs to them - as if they were in a separate webapp).
Rémy
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: svn commit: r423967 - /tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/CoyoteAdapter.java
Posted by Jean-frederic Clere <jf...@gmail.com>.
William A. Rowe, Jr. wrote:
> Remy Maucherat wrote:
>
>> William A. Rowe, Jr. wrote:
>>
>>> Guys, let me clarify, you are only paying attention to ';' following
>>> the
>>> QUERY_STRING delimiter '?', correct?
>>>
>>> ';' means nothing special before the '?', double check your
>>> interpretation
>>> of RFC 2616. I can have /foo.bar;bash?v1=a;v2=b (or ...?v1=a&v2=b)
>>> and that
>>> semi is part of the foo.bar;bash filename. Right?
>>
>>
>> No. We talked about it before. ";" is a reserved character (and since
>> there's no document describing mapping of the thing, I am removing
>> the portion of the URL after it).
>
>
> Dude, there is, it's called RFC2396 and you can read my other note,
> just sent,
> for a lengthy description ;-)
Returning to my example:
kMount /*.jsp worker1
http://localhost/;jsp-examples/jsp2/;simpletag/;hello.jsp
.jsp-examples simpletag and hello.jsp are parameters. (According to the
3.3 of the ref).
So the mapping is
//jsp2// -> no worker.
http://localhost/jsp-examples;.titi/jsp2/simpletag;toto/hello.jsp;tutu
.titi toto and tutu are parameters.
And the mapping is:
/jsp-examples/jsp2/simpletag/hello.jsp match worker1
Comments?
Cheers
Jean-Frederic
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: svn commit: r423967 - /tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/CoyoteAdapter.java
Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
Remy Maucherat wrote:
> William A. Rowe, Jr. wrote:
>> Guys, let me clarify, you are only paying attention to ';' following the
>> QUERY_STRING delimiter '?', correct?
>>
>> ';' means nothing special before the '?', double check your
>> interpretation
>> of RFC 2616. I can have /foo.bar;bash?v1=a;v2=b (or ...?v1=a&v2=b)
>> and that
>> semi is part of the foo.bar;bash filename. Right?
>
> No. We talked about it before. ";" is a reserved character (and since
> there's no document describing mapping of the thing, I am removing the
> portion of the URL after it).
Dude, there is, it's called RFC2396 and you can read my other note, just sent,
for a lengthy description ;-)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: svn commit: r423967 - /tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/CoyoteAdapter.java
Posted by Remy Maucherat <re...@apache.org>.
William A. Rowe, Jr. wrote:
> Guys, let me clarify, you are only paying attention to ';' following the
> QUERY_STRING delimiter '?', correct?
>
> ';' means nothing special before the '?', double check your interpretation
> of RFC 2616. I can have /foo.bar;bash?v1=a;v2=b (or ...?v1=a&v2=b) and
> that
> semi is part of the foo.bar;bash filename. Right?
No. We talked about it before. ";" is a reserved character (and since
there's no document describing mapping of the thing, I am removing the
portion of the URL after it).
Rémy
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: svn commit: r423967 - /tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/CoyoteAdapter.java
Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
Jean-frederic Clere wrote:
> William A. Rowe, Jr. wrote:
>
>> Guys, let me clarify, you are only paying attention to ';' following the
>> QUERY_STRING delimiter '?', correct?
>>
>> ';' means nothing special before the '?', double check your
>> interpretation
>> of RFC 2616. I can have /foo.bar;bash?v1=a;v2=b (or ...?v1=a&v2=b)
>> and that
>> semi is part of the foo.bar;bash filename. Right?
>
> Then what I have just commited is not right...
>
> But in mod_jk the behaviour without the patch is weird.
> Try:
> JkMount /*.jsp worker1
> And url like http://localhost/;jsp-examples/jsp2/;simpletag/;hello.jsp
> without the patches.
That may mean the core tomcat parser doesn't parse according to rfc 2616...
or it's simply an issue that ; should be escaped. See 3.2.3
Characters other than those in the "reserved" and "unsafe" sets (see
RFC 2396 [42]) are equivalent to their ""%" HEX HEX" encoding.
which says
2.2. Reserved Characters
Many URI include components consisting of or delimited by, certain
special characters. These characters are called "reserved", since
their usage within the URI component is limited to their reserved
purpose. If the data for a URI component would conflict with the
reserved purpose, then the conflicting data must be escaped before
forming the URI.
reserved = ";" | "/" | "?" | ":" | "@" | "&" | "=" | "+" |
"$" | ","
The "reserved" syntax class above refers to those characters that are
allowed within a URI, but which may not be allowed within a
particular component of the generic URI syntax; they are used as
delimiters of the components described in Section 3.
Now I realize that tomcat gets it's clue on ";" from the same RFC 2396
3.3. Path Component
The path component contains data, specific to the authority (or the
scheme if there is no authority component), identifying the resource
within the scope of that scheme and authority.
path = [ abs_path | opaque_part ]
path_segments = segment *( "/" segment )
segment = *pchar *( ";" param )
param = *pchar
pchar = unreserved | escaped |
":" | "@" | "&" | "=" | "+" | "$" | ","
The path may consist of a sequence of path segments separated by a
single slash "/" character. Within a path segment, the characters
"/", ";", "=", and "?" are reserved. Each path segment may include a
sequence of parameters, indicated by the semicolon ";" character.
The parameters are not significant to the parsing of relative
references.
But I was under the belief that RFC 2616 did NOT adopt this structure
for-per-path segment param values. What we are discussing doesn't inform
tomcat what to do with other abs_path values from other protocols,
only from HTTP.
Now that I reread 2616;
3.2.1 General Syntax
URIs in HTTP can be represented in absolute form or relative to some
known base URI [11], depending upon the context of their use. The two
forms are differentiated by the fact that absolute URIs always begin
with a scheme name followed by a colon. For definitive information on
URL syntax and semantics, see "Uniform Resource Identifiers (URI):
Generic Syntax and Semantics," RFC 2396 [42] (which replaces RFCs
1738 [4] and RFC 1808 [11]). This specification adopts the
definitions of "URI-reference", "absoluteURI", "relativeURI", "port",
"host","abs_path", "rel_path", and "authority" from that
specification.
I see it ***does*** adopt abs_path, and that includes the definition
segment = *pchar *( ";" param )
which means, in short, I believe the scheme parser of httpd is at least
partly flawed :)
http://svn.apache.org/repos/asf/apr/apr-util/trunk/uri/apr_uri.c
Note that the definition of a URI abs_path param informs the resource on
a segment-by-segment basis. This is quite different than the definition
of an http "query" part (not mentioned in 3.2.1 above)
http_URL = "http:" "//" host [ ":" port ] [ abs_path [ "?" query ]]
Note especially RFC 2616's section 13.9...
Unless the origin server explicitly prohibits the caching of their
responses, the application of GET and HEAD methods to any resources
SHOULD NOT have side effects that would lead to erroneous behavior if
these responses are taken from a cache. They MAY still have side
effects, but a cache is not required to consider such side effects in
its caching decisions. Caches are always expected to observe an
origin server's explicit restrictions on caching.
We note one exception to this rule: since some applications have
traditionally used GETs and HEADs with query URLs (those containing a
"?" in the rel_path part) to perform operations with significant side
effects, caches MUST NOT treat responses to such URIs as fresh unless
the server provides an explicit expiration time.
If you use segment of *( ";" param ) in your path, ponder a moment; those
parameters to a GET or HEAD requests will be ignored by the proxy in it's
determination of whether to invalidate a stale cache entry. They *are*
treated as unique, but a subsequent call to /deleteme;user=wrowe will *not*
cause the proxy to refetch the action from the origin server. A subsequent
first request to GET /deleteme;user=jean-frederic would, of course, be passed
to the origin server, as that path is different from /deleteme;user=wrowe and
is not in the cache.
I'm suspecting alot of GET/HEAD requests from this parameter model are not
observing RFC2616 and it's cache control logic, unless they are explicitly
responding that the 'action' is not cacheable in the response headers:)
So please make sure you've thought this through and that tomcat is doing
precisely as RFC2616 declared, and take note that my original objection does
not precisely play out the way I stated it.
Bill
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: svn commit: r423967 - /tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/CoyoteAdapter.java
Posted by Jean-frederic Clere <jf...@gmail.com>.
William A. Rowe, Jr. wrote:
> Guys, let me clarify, you are only paying attention to ';' following the
> QUERY_STRING delimiter '?', correct?
>
> ';' means nothing special before the '?', double check your
> interpretation
> of RFC 2616. I can have /foo.bar;bash?v1=a;v2=b (or ...?v1=a&v2=b)
> and that
> semi is part of the foo.bar;bash filename. Right?
Then what I have just commited is not right...
But in mod_jk the behaviour without the patch is weird.
Try:
JkMount /*.jsp worker1
And url like http://localhost/;jsp-examples/jsp2/;simpletag/;hello.jsp
without the patches.
Cheers
Jean-Frederic
>
> Bill
>
>
> Jean-frederic Clere wrote:
>
>> I will also add the ";" path parameter stripping to mod_jk.
>>
>> Cheers
>>
>> Jean-Frederic
>>
>> remm@apache.org wrote:
>>
>>> Author: remm
>>> Date: Thu Jul 20 09:01:41 2006
>>> New Revision: 423967
>>>
>>> URL: http://svn.apache.org/viewvc?rev=423967&view=rev
>>> Log:
>>> - Changes to session id parsing so that it is done (as well as ";"
>>> path parameter stripping) before
>>> decoding, making it possible to %xx encode ";" in the URL.
>>> - This can probably be backported to 5.5.x.
>>>
>>> Modified:
>>>
>>> tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/CoyoteAdapter.java
>>>
>>>
>>> Modified:
>>> tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/CoyoteAdapter.java
>>>
>>> URL:
>>> http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/CoyoteAdapter.java?rev=423967&r1=423966&r2=423967&view=diff
>>>
>>> ==============================================================================
>>>
>>> ---
>>> tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/CoyoteAdapter.java
>>> (original)
>>> +++
>>> tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/CoyoteAdapter.java
>>> Thu Jul 20 09:01:41 2006
>>> @@ -293,11 +293,21 @@
>>> req.serverName().setString(proxyName);
>>> }
>>>
>>> + // Parse session Id
>>> + parseSessionId(req, request);
>>> +
>>> // URI decoding
>>> MessageBytes decodedURI = req.decodedURI();
>>> decodedURI.duplicate(req.requestURI());
>>>
>>> if (decodedURI.getType() == MessageBytes.T_BYTES) {
>>> + // Remove any path parameters
>>> + ByteChunk uriBB = decodedURI.getByteChunk();
>>> + int semicolon = uriBB.indexOf(';', 0);
>>> + if (semicolon > 0) {
>>> + decodedURI.setBytes
>>> + (uriBB.getBuffer(), uriBB.getStart(), semicolon);
>>> + }
>>> // %xx decoding of the URL
>>> try {
>>> req.getURLDecoder().convert(decodedURI, false);
>>> @@ -319,6 +329,13 @@
>>> // protocol handler, we have to assume the URL has been
>>> properly
>>> // decoded already
>>> decodedURI.toChars();
>>> + // Remove any path parameters
>>> + CharChunk uriCC = decodedURI.getCharChunk();
>>> + int semicolon = uriCC.indexOf(';');
>>> + if (semicolon > 0) {
>>> + decodedURI.setChars
>>> + (uriCC.getBuffer(), uriCC.getStart(), semicolon);
>>> + }
>>> }
>>>
>>> // Set the remote principal
>>> @@ -333,19 +350,6 @@
>>> request.setAuthType(authtype);
>>> }
>>>
>>> - // Parse session Id
>>> - parseSessionId(req, request);
>>> -
>>> - // Remove any remaining parameters (other than session id,
>>> which has
>>> - // already been removed in parseSessionId()) from the URI,
>>> so they
>>> - // won't be considered by the mapping algorithm.
>>> - CharChunk uriCC = decodedURI.getCharChunk();
>>> - int semicolon = uriCC.indexOf(';');
>>> - if (semicolon > 0) {
>>> - decodedURI.setChars
>>> - (uriCC.getBuffer(), uriCC.getStart(), semicolon);
>>> - }
>>> -
>>> // Request mapping.
>>> MessageBytes serverName;
>>> if (connector.getUseIPVHosts()) {
>>> @@ -420,49 +424,35 @@
>>> */
>>> protected void parseSessionId(org.apache.coyote.Request req,
>>> Request request) {
>>>
>>> - CharChunk uriCC = req.decodedURI().getCharChunk();
>>> - int semicolon = uriCC.indexOf(match, 0, match.length(), 0);
>>> + ByteChunk uriBC = req.requestURI().getByteChunk();
>>> + int semicolon = uriBC.indexOf(match, 0, match.length(), 0);
>>>
>>> if (semicolon > 0) {
>>>
>>> // Parse session ID, and extract it from the decoded
>>> request URI
>>> - int start = uriCC.getStart();
>>> - int end = uriCC.getEnd();
>>> + int start = uriBC.getStart();
>>> + int end = uriBC.getEnd();
>>>
>>> - int sessionIdStart = start + semicolon + match.length();
>>> - int semicolon2 = uriCC.indexOf(';', sessionIdStart);
>>> + int sessionIdStart = semicolon + match.length();
>>> + int semicolon2 = uriBC.indexOf(';', sessionIdStart);
>>> if (semicolon2 >= 0) {
>>> request.setRequestedSessionId
>>> - (new String(uriCC.getBuffer(), sessionIdStart,
>>> - semicolon2 - semicolon -
>>> match.length()));
>>> + (new String(uriBC.getBuffer(), start +
>>> sessionIdStart, + semicolon2 -
>>> sessionIdStart));
>>> + // Extract session ID from request URI
>>> + byte[] buf = uriBC.getBuffer();
>>> + for (int i = 0; i < end - start - semicolon2; i++) {
>>> + buf[start + semicolon + i]
>>> + = buf[start + i + semicolon2];
>>> + }
>>> + uriBC.setBytes(buf, start, end - start - semicolon2
>>> + semicolon);
>>> } else {
>>> request.setRequestedSessionId
>>> - (new String(uriCC.getBuffer(), sessionIdStart,
>>> - end - sessionIdStart));
>>> - }
>>> - request.setRequestedSessionURL(true);
>>> -
>>> - // Extract session ID from request URI
>>> - ByteChunk uriBC = req.requestURI().getByteChunk();
>>> - start = uriBC.getStart();
>>> - end = uriBC.getEnd();
>>> - semicolon = uriBC.indexOf(match, 0, match.length(), 0);
>>> -
>>> - if (semicolon > 0) {
>>> - sessionIdStart = start + semicolon;
>>> - semicolon2 = uriCC.indexOf
>>> - (';', start + semicolon + match.length());
>>> + (new String(uriBC.getBuffer(), start +
>>> sessionIdStart, + (end - start) -
>>> sessionIdStart));
>>> uriBC.setEnd(start + semicolon);
>>> - byte[] buf = uriBC.getBuffer();
>>> - if (semicolon2 >= 0) {
>>> - for (int i = 0; i < end - start - semicolon2;
>>> i++) {
>>> - buf[start + semicolon + i]
>>> - = buf[start + i + semicolon2];
>>> - }
>>> - uriBC.setBytes(buf, start, semicolon
>>> - + (end - start - semicolon2));
>>> - }
>>> }
>>> + request.setRequestedSessionURL(true);
>>>
>>> } else {
>>> request.setRequestedSessionId(null);
>>>
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
>>> For additional commands, e-mail: dev-help@tomcat.apache.org
>>>
>>>
>>>
>>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: dev-help@tomcat.apache.org
>>
>>
>>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: svn commit: r423967 - /tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/CoyoteAdapter.java
Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
Guys, let me clarify, you are only paying attention to ';' following the
QUERY_STRING delimiter '?', correct?
';' means nothing special before the '?', double check your interpretation
of RFC 2616. I can have /foo.bar;bash?v1=a;v2=b (or ...?v1=a&v2=b) and that
semi is part of the foo.bar;bash filename. Right?
Bill
Jean-frederic Clere wrote:
> I will also add the ";" path parameter stripping to mod_jk.
>
> Cheers
>
> Jean-Frederic
>
> remm@apache.org wrote:
>
>> Author: remm
>> Date: Thu Jul 20 09:01:41 2006
>> New Revision: 423967
>>
>> URL: http://svn.apache.org/viewvc?rev=423967&view=rev
>> Log:
>> - Changes to session id parsing so that it is done (as well as ";"
>> path parameter stripping) before
>> decoding, making it possible to %xx encode ";" in the URL.
>> - This can probably be backported to 5.5.x.
>>
>> Modified:
>>
>> tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/CoyoteAdapter.java
>>
>>
>> Modified:
>> tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/CoyoteAdapter.java
>>
>> URL:
>> http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/CoyoteAdapter.java?rev=423967&r1=423966&r2=423967&view=diff
>>
>> ==============================================================================
>>
>> ---
>> tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/CoyoteAdapter.java
>> (original)
>> +++
>> tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/CoyoteAdapter.java
>> Thu Jul 20 09:01:41 2006
>> @@ -293,11 +293,21 @@
>> req.serverName().setString(proxyName);
>> }
>>
>> + // Parse session Id
>> + parseSessionId(req, request);
>> +
>> // URI decoding
>> MessageBytes decodedURI = req.decodedURI();
>> decodedURI.duplicate(req.requestURI());
>>
>> if (decodedURI.getType() == MessageBytes.T_BYTES) {
>> + // Remove any path parameters
>> + ByteChunk uriBB = decodedURI.getByteChunk();
>> + int semicolon = uriBB.indexOf(';', 0);
>> + if (semicolon > 0) {
>> + decodedURI.setBytes
>> + (uriBB.getBuffer(), uriBB.getStart(), semicolon);
>> + }
>> // %xx decoding of the URL
>> try {
>> req.getURLDecoder().convert(decodedURI, false);
>> @@ -319,6 +329,13 @@
>> // protocol handler, we have to assume the URL has been
>> properly
>> // decoded already
>> decodedURI.toChars();
>> + // Remove any path parameters
>> + CharChunk uriCC = decodedURI.getCharChunk();
>> + int semicolon = uriCC.indexOf(';');
>> + if (semicolon > 0) {
>> + decodedURI.setChars
>> + (uriCC.getBuffer(), uriCC.getStart(), semicolon);
>> + }
>> }
>>
>> // Set the remote principal
>> @@ -333,19 +350,6 @@
>> request.setAuthType(authtype);
>> }
>>
>> - // Parse session Id
>> - parseSessionId(req, request);
>> -
>> - // Remove any remaining parameters (other than session id,
>> which has
>> - // already been removed in parseSessionId()) from the URI, so
>> they
>> - // won't be considered by the mapping algorithm.
>> - CharChunk uriCC = decodedURI.getCharChunk();
>> - int semicolon = uriCC.indexOf(';');
>> - if (semicolon > 0) {
>> - decodedURI.setChars
>> - (uriCC.getBuffer(), uriCC.getStart(), semicolon);
>> - }
>> -
>> // Request mapping.
>> MessageBytes serverName;
>> if (connector.getUseIPVHosts()) {
>> @@ -420,49 +424,35 @@
>> */
>> protected void parseSessionId(org.apache.coyote.Request req,
>> Request request) {
>>
>> - CharChunk uriCC = req.decodedURI().getCharChunk();
>> - int semicolon = uriCC.indexOf(match, 0, match.length(), 0);
>> + ByteChunk uriBC = req.requestURI().getByteChunk();
>> + int semicolon = uriBC.indexOf(match, 0, match.length(), 0);
>>
>> if (semicolon > 0) {
>>
>> // Parse session ID, and extract it from the decoded
>> request URI
>> - int start = uriCC.getStart();
>> - int end = uriCC.getEnd();
>> + int start = uriBC.getStart();
>> + int end = uriBC.getEnd();
>>
>> - int sessionIdStart = start + semicolon + match.length();
>> - int semicolon2 = uriCC.indexOf(';', sessionIdStart);
>> + int sessionIdStart = semicolon + match.length();
>> + int semicolon2 = uriBC.indexOf(';', sessionIdStart);
>> if (semicolon2 >= 0) {
>> request.setRequestedSessionId
>> - (new String(uriCC.getBuffer(), sessionIdStart,
>> - semicolon2 - semicolon -
>> match.length()));
>> + (new String(uriBC.getBuffer(), start +
>> sessionIdStart, + semicolon2 -
>> sessionIdStart));
>> + // Extract session ID from request URI
>> + byte[] buf = uriBC.getBuffer();
>> + for (int i = 0; i < end - start - semicolon2; i++) {
>> + buf[start + semicolon + i]
>> + = buf[start + i + semicolon2];
>> + }
>> + uriBC.setBytes(buf, start, end - start - semicolon2 +
>> semicolon);
>> } else {
>> request.setRequestedSessionId
>> - (new String(uriCC.getBuffer(), sessionIdStart,
>> - end - sessionIdStart));
>> - }
>> - request.setRequestedSessionURL(true);
>> -
>> - // Extract session ID from request URI
>> - ByteChunk uriBC = req.requestURI().getByteChunk();
>> - start = uriBC.getStart();
>> - end = uriBC.getEnd();
>> - semicolon = uriBC.indexOf(match, 0, match.length(), 0);
>> -
>> - if (semicolon > 0) {
>> - sessionIdStart = start + semicolon;
>> - semicolon2 = uriCC.indexOf
>> - (';', start + semicolon + match.length());
>> + (new String(uriBC.getBuffer(), start +
>> sessionIdStart, + (end - start) -
>> sessionIdStart));
>> uriBC.setEnd(start + semicolon);
>> - byte[] buf = uriBC.getBuffer();
>> - if (semicolon2 >= 0) {
>> - for (int i = 0; i < end - start - semicolon2; i++) {
>> - buf[start + semicolon + i]
>> - = buf[start + i + semicolon2];
>> - }
>> - uriBC.setBytes(buf, start, semicolon
>> - + (end - start - semicolon2));
>> - }
>> }
>> + request.setRequestedSessionURL(true);
>>
>> } else {
>> request.setRequestedSessionId(null);
>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: dev-help@tomcat.apache.org
>>
>>
>>
>>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
>
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: svn commit: r423967 - /tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/CoyoteAdapter.java
Posted by Jean-frederic Clere <jf...@gmail.com>.
I will also add the ";" path parameter stripping to mod_jk.
Cheers
Jean-Frederic
remm@apache.org wrote:
>Author: remm
>Date: Thu Jul 20 09:01:41 2006
>New Revision: 423967
>
>URL: http://svn.apache.org/viewvc?rev=423967&view=rev
>Log:
>- Changes to session id parsing so that it is done (as well as ";" path parameter stripping) before
> decoding, making it possible to %xx encode ";" in the URL.
>- This can probably be backported to 5.5.x.
>
>Modified:
> tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/CoyoteAdapter.java
>
>Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/CoyoteAdapter.java
>URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/CoyoteAdapter.java?rev=423967&r1=423966&r2=423967&view=diff
>==============================================================================
>--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/CoyoteAdapter.java (original)
>+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/CoyoteAdapter.java Thu Jul 20 09:01:41 2006
>@@ -293,11 +293,21 @@
> req.serverName().setString(proxyName);
> }
>
>+ // Parse session Id
>+ parseSessionId(req, request);
>+
> // URI decoding
> MessageBytes decodedURI = req.decodedURI();
> decodedURI.duplicate(req.requestURI());
>
> if (decodedURI.getType() == MessageBytes.T_BYTES) {
>+ // Remove any path parameters
>+ ByteChunk uriBB = decodedURI.getByteChunk();
>+ int semicolon = uriBB.indexOf(';', 0);
>+ if (semicolon > 0) {
>+ decodedURI.setBytes
>+ (uriBB.getBuffer(), uriBB.getStart(), semicolon);
>+ }
> // %xx decoding of the URL
> try {
> req.getURLDecoder().convert(decodedURI, false);
>@@ -319,6 +329,13 @@
> // protocol handler, we have to assume the URL has been properly
> // decoded already
> decodedURI.toChars();
>+ // Remove any path parameters
>+ CharChunk uriCC = decodedURI.getCharChunk();
>+ int semicolon = uriCC.indexOf(';');
>+ if (semicolon > 0) {
>+ decodedURI.setChars
>+ (uriCC.getBuffer(), uriCC.getStart(), semicolon);
>+ }
> }
>
> // Set the remote principal
>@@ -333,19 +350,6 @@
> request.setAuthType(authtype);
> }
>
>- // Parse session Id
>- parseSessionId(req, request);
>-
>- // Remove any remaining parameters (other than session id, which has
>- // already been removed in parseSessionId()) from the URI, so they
>- // won't be considered by the mapping algorithm.
>- CharChunk uriCC = decodedURI.getCharChunk();
>- int semicolon = uriCC.indexOf(';');
>- if (semicolon > 0) {
>- decodedURI.setChars
>- (uriCC.getBuffer(), uriCC.getStart(), semicolon);
>- }
>-
> // Request mapping.
> MessageBytes serverName;
> if (connector.getUseIPVHosts()) {
>@@ -420,49 +424,35 @@
> */
> protected void parseSessionId(org.apache.coyote.Request req, Request request) {
>
>- CharChunk uriCC = req.decodedURI().getCharChunk();
>- int semicolon = uriCC.indexOf(match, 0, match.length(), 0);
>+ ByteChunk uriBC = req.requestURI().getByteChunk();
>+ int semicolon = uriBC.indexOf(match, 0, match.length(), 0);
>
> if (semicolon > 0) {
>
> // Parse session ID, and extract it from the decoded request URI
>- int start = uriCC.getStart();
>- int end = uriCC.getEnd();
>+ int start = uriBC.getStart();
>+ int end = uriBC.getEnd();
>
>- int sessionIdStart = start + semicolon + match.length();
>- int semicolon2 = uriCC.indexOf(';', sessionIdStart);
>+ int sessionIdStart = semicolon + match.length();
>+ int semicolon2 = uriBC.indexOf(';', sessionIdStart);
> if (semicolon2 >= 0) {
> request.setRequestedSessionId
>- (new String(uriCC.getBuffer(), sessionIdStart,
>- semicolon2 - semicolon - match.length()));
>+ (new String(uriBC.getBuffer(), start + sessionIdStart,
>+ semicolon2 - sessionIdStart));
>+ // Extract session ID from request URI
>+ byte[] buf = uriBC.getBuffer();
>+ for (int i = 0; i < end - start - semicolon2; i++) {
>+ buf[start + semicolon + i]
>+ = buf[start + i + semicolon2];
>+ }
>+ uriBC.setBytes(buf, start, end - start - semicolon2 + semicolon);
> } else {
> request.setRequestedSessionId
>- (new String(uriCC.getBuffer(), sessionIdStart,
>- end - sessionIdStart));
>- }
>- request.setRequestedSessionURL(true);
>-
>- // Extract session ID from request URI
>- ByteChunk uriBC = req.requestURI().getByteChunk();
>- start = uriBC.getStart();
>- end = uriBC.getEnd();
>- semicolon = uriBC.indexOf(match, 0, match.length(), 0);
>-
>- if (semicolon > 0) {
>- sessionIdStart = start + semicolon;
>- semicolon2 = uriCC.indexOf
>- (';', start + semicolon + match.length());
>+ (new String(uriBC.getBuffer(), start + sessionIdStart,
>+ (end - start) - sessionIdStart));
> uriBC.setEnd(start + semicolon);
>- byte[] buf = uriBC.getBuffer();
>- if (semicolon2 >= 0) {
>- for (int i = 0; i < end - start - semicolon2; i++) {
>- buf[start + semicolon + i]
>- = buf[start + i + semicolon2];
>- }
>- uriBC.setBytes(buf, start, semicolon
>- + (end - start - semicolon2));
>- }
> }
>+ request.setRequestedSessionURL(true);
>
> } else {
> request.setRequestedSessionId(null);
>
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
>For additional commands, e-mail: dev-help@tomcat.apache.org
>
>
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: svn commit: r423967 - /tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/CoyoteAdapter.java
Posted by Peter Rossbach <pr...@objektpark.de>.
Hi Remy,
can you do that backport , please :-)
Peter.
Am 20.07.2006 um 18:01 schrieb remm@apache.org:
> Author: remm
> Date: Thu Jul 20 09:01:41 2006
> New Revision: 423967
>
> URL: http://svn.apache.org/viewvc?rev=423967&view=rev
> Log:
> - Changes to session id parsing so that it is done (as well as ";"
> path parameter stripping) before
> decoding, making it possible to %xx encode ";" in the URL.
> - This can probably be backported to 5.5.x.
>
> Modified:
> tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/
> CoyoteAdapter.java
>
> Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/
> CoyoteAdapter.java
> URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/
> apache/catalina/connector/CoyoteAdapter.java?
> rev=423967&r1=423966&r2=423967&view=diff
> ======================================================================
> ========
> --- tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/
> CoyoteAdapter.java (original)
> +++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/
> CoyoteAdapter.java Thu Jul 20 09:01:41 2006
> @@ -293,11 +293,21 @@
> req.serverName().setString(proxyName);
> }
>
> + // Parse session Id
> + parseSessionId(req, request);
> +
> // URI decoding
> MessageBytes decodedURI = req.decodedURI();
> decodedURI.duplicate(req.requestURI());
>
> if (decodedURI.getType() == MessageBytes.T_BYTES) {
> + // Remove any path parameters
> + ByteChunk uriBB = decodedURI.getByteChunk();
> + int semicolon = uriBB.indexOf(';', 0);
> + if (semicolon > 0) {
> + decodedURI.setBytes
> + (uriBB.getBuffer(), uriBB.getStart(), semicolon);
> + }
> // %xx decoding of the URL
> try {
> req.getURLDecoder().convert(decodedURI, false);
> @@ -319,6 +329,13 @@
> // protocol handler, we have to assume the URL has
> been properly
> // decoded already
> decodedURI.toChars();
> + // Remove any path parameters
> + CharChunk uriCC = decodedURI.getCharChunk();
> + int semicolon = uriCC.indexOf(';');
> + if (semicolon > 0) {
> + decodedURI.setChars
> + (uriCC.getBuffer(), uriCC.getStart(), semicolon);
> + }
> }
>
> // Set the remote principal
> @@ -333,19 +350,6 @@
> request.setAuthType(authtype);
> }
>
> - // Parse session Id
> - parseSessionId(req, request);
> -
> - // Remove any remaining parameters (other than session id,
> which has
> - // already been removed in parseSessionId()) from the URI,
> so they
> - // won't be considered by the mapping algorithm.
> - CharChunk uriCC = decodedURI.getCharChunk();
> - int semicolon = uriCC.indexOf(';');
> - if (semicolon > 0) {
> - decodedURI.setChars
> - (uriCC.getBuffer(), uriCC.getStart(), semicolon);
> - }
> -
> // Request mapping.
> MessageBytes serverName;
> if (connector.getUseIPVHosts()) {
> @@ -420,49 +424,35 @@
> */
> protected void parseSessionId(org.apache.coyote.Request req,
> Request request) {
>
> - CharChunk uriCC = req.decodedURI().getCharChunk();
> - int semicolon = uriCC.indexOf(match, 0, match.length(), 0);
> + ByteChunk uriBC = req.requestURI().getByteChunk();
> + int semicolon = uriBC.indexOf(match, 0, match.length(), 0);
>
> if (semicolon > 0) {
>
> // Parse session ID, and extract it from the decoded
> request URI
> - int start = uriCC.getStart();
> - int end = uriCC.getEnd();
> + int start = uriBC.getStart();
> + int end = uriBC.getEnd();
>
> - int sessionIdStart = start + semicolon + match.length();
> - int semicolon2 = uriCC.indexOf(';', sessionIdStart);
> + int sessionIdStart = semicolon + match.length();
> + int semicolon2 = uriBC.indexOf(';', sessionIdStart);
> if (semicolon2 >= 0) {
> request.setRequestedSessionId
> - (new String(uriCC.getBuffer(), sessionIdStart,
> - semicolon2 - semicolon -
> match.length()));
> + (new String(uriBC.getBuffer(), start +
> sessionIdStart,
> + semicolon2 - sessionIdStart));
> + // Extract session ID from request URI
> + byte[] buf = uriBC.getBuffer();
> + for (int i = 0; i < end - start - semicolon2; i++) {
> + buf[start + semicolon + i]
> + = buf[start + i + semicolon2];
> + }
> + uriBC.setBytes(buf, start, end - start -
> semicolon2 + semicolon);
> } else {
> request.setRequestedSessionId
> - (new String(uriCC.getBuffer(), sessionIdStart,
> - end - sessionIdStart));
> - }
> - request.setRequestedSessionURL(true);
> -
> - // Extract session ID from request URI
> - ByteChunk uriBC = req.requestURI().getByteChunk();
> - start = uriBC.getStart();
> - end = uriBC.getEnd();
> - semicolon = uriBC.indexOf(match, 0, match.length(), 0);
> -
> - if (semicolon > 0) {
> - sessionIdStart = start + semicolon;
> - semicolon2 = uriCC.indexOf
> - (';', start + semicolon + match.length());
> + (new String(uriBC.getBuffer(), start +
> sessionIdStart,
> + (end - start) - sessionIdStart));
> uriBC.setEnd(start + semicolon);
> - byte[] buf = uriBC.getBuffer();
> - if (semicolon2 >= 0) {
> - for (int i = 0; i < end - start - semicolon2; i
> ++) {
> - buf[start + semicolon + i]
> - = buf[start + i + semicolon2];
> - }
> - uriBC.setBytes(buf, start, semicolon
> - + (end - start - semicolon2));
> - }
> }
> + request.setRequestedSessionURL(true);
>
> } else {
> request.setRequestedSessionId(null);
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
>
>