You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@tomcat.apache.org by ma...@apache.org on 2021/10/14 09:59:39 UTC

[tomcat] branch main updated: Ensure request URIs start with /

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/main by this push:
     new d33cce6  Ensure request URIs start with /
d33cce6 is described below

commit d33cce6c196efed8e35518711ba27af0a8c93d09
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Wed Oct 13 18:33:55 2021 +0100

    Ensure request URIs start with /
---
 java/org/apache/catalina/connector/CoyoteAdapter.java | 5 ++++-
 webapps/docs/changelog.xml                            | 3 +++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/java/org/apache/catalina/connector/CoyoteAdapter.java b/java/org/apache/catalina/connector/CoyoteAdapter.java
index ccfb4d1..f1db80f 100644
--- a/java/org/apache/catalina/connector/CoyoteAdapter.java
+++ b/java/org/apache/catalina/connector/CoyoteAdapter.java
@@ -911,7 +911,10 @@ public class CoyoteAdapter implements Adapter {
         req.decodedURI().toBytes();
 
         ByteChunk uriBC = req.decodedURI().getByteChunk();
-        int semicolon = uriBC.indexOf(';', 0);
+        // The first character must always be '/' so start search at position 1.
+        // If the first character is ';' the URI will be rejected at the
+        // normalization stage
+        int semicolon = uriBC.indexOf(';', 1);
         // Performance optimisation. Return as soon as it is known there are no
         // path parameters;
         if (semicolon == -1) {
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 0f82931..abdcfdf 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -130,6 +130,9 @@
         Invalid byte sequences (typically in %nn form) in a request URi that are
         not valid for the given URI encoding now trigger a 400 response. (markt)
       </fix>
+      <fix>
+        Ensure that a requets URI must start with a <code>/</code>. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Coyote">

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

Re: [tomcat] branch main updated: Ensure request URIs start with /

Posted by Konstantin Kolinko <kn...@gmail.com>.

чт, 14 окт. 2021 г. в 13:37, Mark Thomas <ma...@apache.org>:
>
> On 14/10/2021 11:32, Konstantin Kolinko wrote:
> > чт, 14 окт. 2021 г. в 13:01, Mark Thomas <ma...@apache.org>:
> >>
> >> On 14/10/2021 10:59, markt@apache.org wrote:
> >>> This is an automated email from the ASF dual-hosted git repository.
> >>>
> >>> markt pushed a commit to branch main
> >>> in repository https://gitbox.apache.org/repos/asf/tomcat.git
> >>>
> >>>
> >>> The following commit(s) were added to refs/heads/main by this push:
> >>>        new d33cce6  Ensure request URIs start with /
> >>> d33cce6 is described below
> >>>
> >>> commit d33cce6c196efed8e35518711ba27af0a8c93d09
> >>> Author: Mark Thomas <ma...@apache.org>
> >>> AuthorDate: Wed Oct 13 18:33:55 2021 +0100
> >>>
> >>>       Ensure request URIs start with /
> >>
> >> This is the third and final additional default check for consideration
> >> to back-port.
> >>
> >> Servlet 6 also introduces the concept of "suspicious URIs" - sequences
> >> like "/..;a=b/" and I'll be addressing those as an optional check in a
> >> separate commit.
> >
> > How about an "OPTIONS * HTTP/1.1" request?
> >
> > https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/OPTIONS
> > https://datatracker.ietf.org/doc/html/rfc7231#section-4.3.7
> >
> > Does Tomcat respond to it by itself, without passing the request to servlets?
>
> That gets handled before the "starts with '/' check". Tomcat provides
> the response.
>
> https://github.com/apache/tomcat/blob/main/java/org/apache/catalina/connector/CoyoteAdapter.java#L613

OK.
Though note that line 627 is not followed by a "return" and will fall
through to further processing.
As such, the method parsePathParameters() changed by this commit may
be called with an URL of "*".

I see comments on lines 695-696: "Note we still want the mapper to
find the correct host."


Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

Re: [tomcat] branch main updated: Ensure request URIs start with /

Posted by Mark Thomas <ma...@apache.org>.

On 14/10/2021 11:32, Konstantin Kolinko wrote:
> чт, 14 окт. 2021 г. в 13:01, Mark Thomas <ma...@apache.org>:
>>
>> On 14/10/2021 10:59, markt@apache.org wrote:
>>> This is an automated email from the ASF dual-hosted git repository.
>>>
>>> markt pushed a commit to branch main
>>> in repository https://gitbox.apache.org/repos/asf/tomcat.git
>>>
>>>
>>> The following commit(s) were added to refs/heads/main by this push:
>>>        new d33cce6  Ensure request URIs start with /
>>> d33cce6 is described below
>>>
>>> commit d33cce6c196efed8e35518711ba27af0a8c93d09
>>> Author: Mark Thomas <ma...@apache.org>
>>> AuthorDate: Wed Oct 13 18:33:55 2021 +0100
>>>
>>>       Ensure request URIs start with /
>>
>> This is the third and final additional default check for consideration
>> to back-port.
>>
>> Servlet 6 also introduces the concept of "suspicious URIs" - sequences
>> like "/..;a=b/" and I'll be addressing those as an optional check in a
>> separate commit.
> 
> How about an "OPTIONS * HTTP/1.1" request?
> 
> https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/OPTIONS
> https://datatracker.ietf.org/doc/html/rfc7231#section-4.3.7
> 
> Does Tomcat respond to it by itself, without passing the request to servlets?

That gets handled before the "starts with '/' check". Tomcat provides 
the response.

https://github.com/apache/tomcat/blob/main/java/org/apache/catalina/connector/CoyoteAdapter.java#L613

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

Re: [tomcat] branch main updated: Ensure request URIs start with /

Posted by Konstantin Kolinko <kn...@gmail.com>.

чт, 14 окт. 2021 г. в 13:01, Mark Thomas <ma...@apache.org>:
>
> On 14/10/2021 10:59, markt@apache.org wrote:
> > This is an automated email from the ASF dual-hosted git repository.
> >
> > markt pushed a commit to branch main
> > in repository https://gitbox.apache.org/repos/asf/tomcat.git
> >
> >
> > The following commit(s) were added to refs/heads/main by this push:
> >       new d33cce6  Ensure request URIs start with /
> > d33cce6 is described below
> >
> > commit d33cce6c196efed8e35518711ba27af0a8c93d09
> > Author: Mark Thomas <ma...@apache.org>
> > AuthorDate: Wed Oct 13 18:33:55 2021 +0100
> >
> >      Ensure request URIs start with /
>
> This is the third and final additional default check for consideration
> to back-port.
>
> Servlet 6 also introduces the concept of "suspicious URIs" - sequences
> like "/..;a=b/" and I'll be addressing those as an optional check in a
> separate commit.

How about an "OPTIONS * HTTP/1.1" request?

https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/OPTIONS
https://datatracker.ietf.org/doc/html/rfc7231#section-4.3.7

Does Tomcat respond to it by itself, without passing the request to servlets?

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

Re: [tomcat] branch main updated: Ensure request URIs start with /

Posted by Mark Thomas <ma...@apache.org>.

On 14/10/2021 10:59, markt@apache.org wrote:
> This is an automated email from the ASF dual-hosted git repository.
> 
> markt pushed a commit to branch main
> in repository https://gitbox.apache.org/repos/asf/tomcat.git
> 
> 
> The following commit(s) were added to refs/heads/main by this push:
>       new d33cce6  Ensure request URIs start with /
> d33cce6 is described below
> 
> commit d33cce6c196efed8e35518711ba27af0a8c93d09
> Author: Mark Thomas <ma...@apache.org>
> AuthorDate: Wed Oct 13 18:33:55 2021 +0100
> 
>      Ensure request URIs start with /

This is the third and final additional default check for consideration 
to back-port.

Servlet 6 also introduces the concept of "suspicious URIs" - sequences 
like "/..;a=b/" and I'll be addressing those as an optional check in a 
separate commit.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org