costin 01/07/16 18:59:44
Modified: src/share/org/apache/tomcat/modules/mappers
DecodeInterceptor.java
Log:
Oops... Normalization _after_ decoding, of course - thanks Larry, I can't
believe I didn't realize that...
One problem that remains is with the "unparsed" URI. Internally we deal
only with decoded and normalized URIs, that includes the JSP interceptor and
all tomcat modules.
Servlets, on the other side, get the original request (as required by spec).
We could normalize it (not allowed in the spec, but better safe than
compliant :-). That wouldn't solve anything - if we normalize undecoded
url we can still have the "." and "/", and if we decode - then we completely
break the spec.
On the other side, if the servlet needs to do anything with the URI, it has
to decode it and implement all the security checks itself. Not easy, but
it's not our problem.
Revision  Changes    Path
1.5       +10 -10    jakarta-tomcat/src/share/org/apache/tomcat/modules/mappers/DecodeInterceptor.java
Index: DecodeInterceptor.java
===================================================================
RCS file:
/home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/modules/mappers/DecodeInterceptor.java,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- DecodeInterceptor.java 2001/07/16 00:12:03 1.4
+++ DecodeInterceptor.java 2001/07/17 01:59:43 1.5
@@ -249,16 +249,6 @@
if( pathMB.isNull())
throw new RuntimeException("ASSERT: null path in request URI");
- if( safe &&
- ( pathMB.indexOf("//") >= 0 ||
- pathMB.indexOf("/." ) >=0
- )) {
- //debug=1;
- normalizePath( pathMB );
- if( debug > 0 )
- log( "Normalized url " + pathMB );
- }
-
//if( path.indexOf("?") >=0 )
// throw new RuntimeException("ASSERT: ? in requestURI");
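Review bot: the place where the `if( safe && ...)` block is removed, right after the null-path assert, is left with no comment saying that normalization must not run at this point. A check for "//" and "/." on the still-encoded path cannot see the same sequences once they are percent-encoded, which is the reason for the move, and a one-line comment here stating that normalizePath is only valid on the decoded path would keep a later cleanup from putting the check back before the decode. The commented-out `?` assert in the trailing context is dead code and could be removed or restored in the same pass.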
@@ -341,6 +331,16 @@
log( "Error decoding request ", ex);
return 400;
}
+ }
+
+ if( safe &&
+ ( pathMB.indexOf("//") >= 0 ||
+ pathMB.indexOf("/." ) >=0
+ )) {
+ //debug=1;
+ normalizePath( pathMB );
+ if( debug > 0 )
+ log( "Normalized url " + pathMB );
}
return 0;
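Review bot: the added `normalizePath( pathMB );` call has no failure path, while the decode error just above it returns 400. From these lines the result of normalization is never checked, so if normalizePath can detect a path it cannot resolve safely (for example one that climbs above the root), that case should also end in `return 400;` rather than falling through to `return 0;`. Two smaller points on the same block: the `//debug=1;` line is leftover debugging and should not be carried into the new location, and the "Normalized url" log line records only the result, so logging the decoded path before normalization as well would make these requests traceable when reviewing logs.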