craigmcc 01/08/09 12:43:00
Modified: catalina/src/share/org/apache/catalina/connector/http
HttpProcessor.java
Log:
Make request URIs that contain "/..." (or any longer series of periods)
invalid. On some (all?) Windows platforms, this causes the OS to walk the
directory tree just like "../../.." type sequences do.
PR: Bugzilla #3062
Submitted by: [EMAIL PROTECTED]
Revision Changes Path
1.35 +9 -4
jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/http/HttpProcessor.java
Index: HttpProcessor.java
===================================================================
RCS file:
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/http/HttpProcessor.java,v
retrieving revision 1.34
retrieving revision 1.35
diff -u -r1.34 -r1.35
--- HttpProcessor.java 2001/07/26 05:31:05 1.34
+++ HttpProcessor.java 2001/08/09 19:43:00 1.35
@@ -1,6 +1,6 @@
-/* * $Header:
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/http/HttpProcessor.java,v
1.34 2001/07/26 05:31:05 remm Exp $
- * $Revision: 1.34 $
- * $Date: 2001/07/26 05:31:05 $
+/* * $Header:
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/http/HttpProcessor.java,v
1.35 2001/08/09 19:43:00 craigmcc Exp $
+ * $Revision: 1.35 $
+ * $Date: 2001/08/09 19:43:00 $
*
* ====================================================================
*
@@ -106,7 +106,7 @@
*
* @author Craig R. McClanahan
* @author Remy Maucherat
- * @version $Revision: 1.34 $ $Date: 2001/07/26 05:31:05 $
+ * @version $Revision: 1.35 $ $Date: 2001/08/09 19:43:00 $
*/
final class HttpProcessor
@@ -879,6 +879,11 @@
normalized = normalized.substring(0, index2) +
normalized.substring(index + 3);
}
+
+ // Declare occurrences of "/..." (three or more dots) to be invalid
+ // (on some Windows platforms this walks the directory tree!!!)
+ if (normalized.indexOf("/...") >= 0)
+ return (null);
// Return the normalized path that we have completed
return (normalized);
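
Review bot: the new test normalized.indexOf("/...") >= 0 is a substring match, so it rejects any path with a segment that merely begins with three dots (for example "/...notes.txt"), not only segments made up entirely of dots as the comment's "three or more dots" wording suggests. If that breadth is the intended conservative choice, say so in the comment; otherwise require that the run of dots is followed by "/" or the end of the string. The test also looks only for a forward slash, so it depends on backslashes having been converted earlier in the method, which this hunk does not show and is worth confirming. Whatever documents this method's return value should also list this new case that returns null.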