costin 01/07/15 16:09:31
Modified: src/etc Tag: tomcat_32 server.xml
src/share/org/apache/tomcat/request Tag: tomcat_32
AccessInterceptor.java
Log:
Remove the xml:debug ( it creates problems when xerces is used )
Added extra check for "//" in URLs. A better fix will be made in 3.3
Revision Changes Path
No revision
No revision
1.29.2.11 +3 -2 jakarta-tomcat/src/etc/server.xml
Index: server.xml
===================================================================
RCS file: /home/cvs/jakarta-tomcat/src/etc/server.xml,v
retrieving revision 1.29.2.10
retrieving revision 1.29.2.11
diff -u -r1.29.2.10 -r1.29.2.11
--- server.xml 2000/11/18 02:01:01 1.29.2.10
+++ server.xml 2001/07/15 23:09:31 1.29.2.11
@@ -1,9 +1,10 @@
<?xml version="1.0" encoding="ISO-8859-1"?>
<Server>
- <!-- Debug low-level events in XmlMapper startup -->
+ <!-- Debug low-level events in XmlMapper startup
<xmlmapper:debug level="0" />
-
+ -->
+
<!--
Logging:
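Review bot: The comment that now wraps `<xmlmapper:debug level="0" />` does not say why the element is disabled, so the reason is recorded only in the commit log. Anyone editing server.xml later could re-enable it without knowing it causes trouble under Xerces. I would extend the comment text to something like `Debug low-level events in XmlMapper startup (disabled: causes problems when Xerces is the parser)`.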
No revision
No revision
1.12.2.8 +5 -0
jakarta-tomcat/src/share/org/apache/tomcat/request/Attic/AccessInterceptor.java
Index: AccessInterceptor.java
===================================================================
RCS file:
/home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/request/Attic/AccessInterceptor.java,v
retrieving revision 1.12.2.7
retrieving revision 1.12.2.8
diff -u -r1.12.2.7 -r1.12.2.8
--- AccessInterceptor.java 2001/02/16 19:34:11 1.12.2.7
+++ AccessInterceptor.java 2001/07/15 23:09:31 1.12.2.8
@@ -252,6 +252,11 @@
if( ctxSec.patterns==0 ) return 0; // fast exit
String reqURI = req.getRequestURI();
+ // Servlet spec would allow it to pass. A better fix is to "normalize"
+ // the URL
+ if( reqURI.indexOf( "//" ) >= 0 )
+ return 403;
+
String ctxPath= ctx.getPath();
String path=reqURI.substring( ctxPath.length());
String method=req.getMethod();
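Review bot: The added guard `if( reqURI.indexOf( "//" ) >= 0 )` rejects only a literal doubled slash, so the constraint matching that follows still runs on an un-normalized `reqURI`. Other non-canonical spellings of a path (dot segments, or percent-encoded separators if `getRequestURI()` returns them undecoded here) would presumably still reach `reqURI.substring( ctxPath.length())` unchanged. Until the normalization mentioned in the comment lands, the comment should state what the check protects, e.g. `// Constraint patterns are matched on the raw URI; refuse "//" so a doubled slash cannot make a protected path miss its pattern`. The refusal should also be logged so operators can see which requests were turned away with 403. The enclosing method starts and ends outside the hunk, so how the 403 is reported to the client is not visible here.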