larryi 01/02/15 20:03:13
Modified: src/share/org/apache/tomcat/request Tag: tomcat_32
AccessInterceptor.java
Log:
According to the spec, a servlet mapped to the url-pattern "/abc/*" should
be invoked if the URL "/abc" is used. The prior fix allows "/abc" to fail
to match "/abc/*" when used for a security-constraint allowing it to escape
authorization.
Porting the Tomcat 3.3 version of the fix that avoids this problem.
Revision Changes Path
No revision
No revision
1.12.2.6 +3 -1
jakarta-tomcat/src/share/org/apache/tomcat/request/Attic/AccessInterceptor.java
Index: AccessInterceptor.java
===================================================================
RCS file:
/home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/request/Attic/AccessInterceptor.java,v
retrieving revision 1.12.2.5
retrieving revision 1.12.2.6
diff -u -r1.12.2.5 -r1.12.2.6
--- AccessInterceptor.java 2001/02/14 03:48:09 1.12.2.5
+++ AccessInterceptor.java 2001/02/16 04:03:13 1.12.2.6
@@ -321,7 +321,9 @@
switch( ct.getMapType() ) {
case Container.PREFIX_MAP:
- return path.startsWith( ctPath.substring(0, ctPathL - 1 ));
+ if( path.length() < ctPathL - 2 )
+ return false;
+ return path.startsWith( ctPath.substring(0, ctPathL - 2 ));
case Container.EXTENSION_MAP:
return ctPath.substring( 1 ).equals( URLUtil.getExtension( path ));
case Container.PATH_MAP:
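Review bot: In the PREFIX_MAP case, path.startsWith( ctPath.substring(0, ctPathL - 2 )) compares against the pattern with its trailing "/*" removed (assuming ctPathL is ctPath.length()), so for "/abc/*" it accepts "/abc" as intended but also any sibling path that merely shares those characters, such as "/abcd". For a security-constraint that over-match errs toward requiring authorization, but it no longer follows the prefix rule from the log message; consider accepting only a path that equals the stripped prefix or whose next character after it is '/'. The added check on path.length() < ctPathL - 2 is redundant, since startsWith already returns false when the prefix is longer than path, and a one-line comment saying that the - 2 drops the trailing "/*" would make the intent clear to the next reader.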