Posted to dev@tomcat.apache.org by ma...@apache.org on 2001/10/05 20:12:33 UTC

cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/util RequestUtil.java

marcsaeg    01/10/05 11:12:33

  Modified:    src/share/org/apache/tomcat/core Tag: tomcat_32
                        ContextManager.java
               src/share/org/apache/tomcat/util Tag: tomcat_32
                        RequestUtil.java
  Log:
  This change addresses a side effect of a change done in Tomcat 3.2.3 to
  close a security hole.  In Tomcat 3.2.3 we disallowed any URI that
  contained encoded special characters like %, /, ., \.  While this did help
  close the security hole, it caused other problems.  First, it violates the
  URL specification (see RFC1630 and RFC1738) and second it prevents some
  useful URLs from working.
  
  To address this I've modified the behavior of RequestUtil.URLDecode().  It
  used to check for some encoded special characters and if it found them it
  would throw an InvalidArgumentException.  I've added checks for the rest
  of the special characters.  Also, instead of throwing an exception the
  encoded character is left in the resulting string.
  
  Thus a URI like /fu%2fba%72 will decode to /fu%2fbar.  Leaving the encoded
  characters in the result will preclude them from matching against prefixes
  or security constraints but the data will be available to servlets and JSP
  pages that want the information, but they will have to decode these
  strings on their own.
  
  There is still an issue regarding the value returned by getPathInfo().
  The specification states (in the 4/27/2000 errata) that getPathInfo()
  should return a decoded value.  The value currently returned by
  getPathInfo() does not decode any of the special characters listed above.
  It is not clear to me now if we should take the extra step of completely
  decoding the path info or not, so for now I'm leaving it alone.
  
  Revision  Changes    Path
  1.100.2.27 +2 -8      jakarta-tomcat/src/share/org/apache/tomcat/core/ContextManager.java
  
  Index: ContextManager.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/core/ContextManager.java,v
  retrieving revision 1.100.2.26
  retrieving revision 1.100.2.27
  diff -u -r1.100.2.26 -r1.100.2.27
  --- ContextManager.java	2001/07/17 04:25:54	1.100.2.26
  +++ ContextManager.java	2001/10/05 18:12:33	1.100.2.27
  @@ -742,18 +742,12 @@
       public void service( Request req, Response res ) {
   
       /**
  -     * XXX Normalize and validate the request URI.  This is important
  +     * XXX Normalize the request URI.  This is important
        * to prevent non-normalized URIs from causing security constraints
        * from being bypassed.  For example, /examples/jsp/../jsp/security/protected/index.jsp
  -     * would not trigger the AccessInterceptor.  Also, encoded special chars
  -     * ., /, \ and % are forbidden in URIs to prevent additional security problems.
  +     * would not trigger the AccessInterceptor.
        */
       req.setRequestURI(URLUtil.normalizeURI(req.getRequestURI()));
  -    String ucURI = req.getRequestURI().toUpperCase();
  -    if(ucURI.indexOf("%25") >= 0 || ucURI.indexOf("%2E") >= 0 || 
  -       ucURI.indexOf("%2F") >= 0 || ucURI.indexOf("%5C") >=0){
  -        res.setStatus(404);
  -    }
   
       internalService( req, res );
   	// clean up
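Review bot: with the %25 / %2E / %2F / %5C check deleted from service(), the rewritten comment should say where encoded special characters are handled now, otherwise the block reads as if that protection was simply dropped. Suggest adding a line such as "Encoded ., /, \ and % are left encoded by RequestUtil.URLDecode()" to the comment, and removing the XXX marker if nothing remains to be done here. URLUtil.normalizeURI() is now the only guard visible in this method, so any code that matches paths against security constraints has to obtain its path through that decoder.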
  
  
  
  1.14.2.7  +4 -4      jakarta-tomcat/src/share/org/apache/tomcat/util/Attic/RequestUtil.java
  
  Index: RequestUtil.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/util/Attic/RequestUtil.java,v
  retrieving revision 1.14.2.6
  retrieving revision 1.14.2.7
  diff -u -r1.14.2.6 -r1.14.2.7
  --- RequestUtil.java	2001/08/12 23:26:57	1.14.2.6
  +++ RequestUtil.java	2001/10/05 18:12:33	1.14.2.7
  @@ -326,10 +326,10 @@
                   continue;
               } else if (metaChar == '%') {
                   char c = (char) Integer.parseInt(str.substring(strPos + 1, strPos + 3), 16);
  -                if(c == '/' || c == '\0')
  -                    throw new IllegalArgumentException("URL contains encoded special chars.");
  -
  -                dec.append(c);
  +                if(c == '/' || c == '%' || c=='.' || c == '\\' || c == '\0')
  +                    dec.append(str.substring(strPos, strPos+3));
  +                else
  +                    dec.append(c);
                   strPos += 3;
               }
           }
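Review bot: the Integer.parseInt(str.substring(strPos + 1, strPos + 3), 16) context line just above the new if still throws on a truncated escape such as a trailing "%2" (StringIndexOutOfBoundsException) or a non-hex one such as "%zz" (NumberFormatException), so URLDecode() can still raise even though the explicit IllegalArgumentException is gone. Suggest checking the remaining length and both hex digits before parsing, and documenting what callers should expect. The new if/else would also benefit from a one-line comment saying why these five characters stay encoded, and c=='.' should be spaced like the other comparisons.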
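The decoding rule described in the commit message, as an added Java example that is not part of the original commit or of Tomcat's code. The class and method names, the "/protected/" prefix check, the sample URIs and the explicit rejection of malformed escapes are assumptions made for illustration; handling of '+' is left out.

```java
// Added illustration, not Tomcat source. All names here are hypothetical.
public class SelectiveDecodeDemo {

    // Decode %XX escapes, but leave the escapes for '/', '%', '.', '\' and
    // NUL in their encoded form, as the commit message describes.
    static String decodeKeepingSpecials(String s) {
        StringBuilder out = new StringBuilder(s.length());
        int i = 0;
        while (i < s.length()) {
            char ch = s.charAt(i);
            if (ch != '%') { out.append(ch); i++; continue; }
            // Assumption: truncated or non-hex escapes are rejected up front.
            if (i + 3 > s.length()
                    || Character.digit(s.charAt(i + 1), 16) < 0
                    || Character.digit(s.charAt(i + 2), 16) < 0) {
                throw new IllegalArgumentException("malformed escape at index " + i);
            }
            char c = (char) Integer.parseInt(s.substring(i + 1, i + 3), 16);
            if (c == '/' || c == '%' || c == '.' || c == '\\' || c == '\0') {
                out.append(s, i, i + 3);   // keep the escape as written
            } else {
                out.append(c);             // ordinary character: decode it
            }
            i += 3;
        }
        return out.toString();
    }

    // Hypothetical stand-in for a prefix-based security constraint.
    static boolean isProtected(String decodedPath) {
        return decodedPath.startsWith("/protected/");
    }

    public static void main(String[] args) {
        String[] samples = {                        // constructed inputs
            "/fu%2fba%72",                          // example from the commit message
            "/%70rotected/index.jsp",               // encoded ordinary char still matches
            "/public/%2e%2e/protected/index.jsp",   // dots stay encoded
            "/public%2fprotected%5cx",              // separators stay encoded
            "/a%252fb",                             // %25 stays encoded, no double decode
            "/bad%2"                                // truncated escape
        };
        for (String uri : samples) {
            try {
                String d = decodeKeepingSpecials(uri);
                System.out.println(uri + " -> " + d + "  protected=" + isProtected(d));
            } catch (IllegalArgumentException e) {
                System.out.println(uri + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```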