costin 01/10/04 13:25:05
Modified: src/share/org/apache/tomcat/modules/mappers
DecodeInterceptor.java
Log:
Do not decode if it was already decoded - i.e. if tomcat+web server.
For Http we need to decode, and also for eventual protocols that send the request
encoded.
Also, added an option ( defaulted to what we agreed ) to allow saving the 'original'
uri. Turning it on will bring inconsistencies between tomcat standalone and
tomcat+web, and may be open to various security issues ( if the uri is used in any
check or processing, many encoding tricks could be played - we've been there ).
But it is the strict implementation of the 2.3 spec ( in the idea that 2.3 is
backward compat. with 2.2 ).
Revision Changes Path
1.10 +14 -4
jakarta-tomcat/src/share/org/apache/tomcat/modules/mappers/DecodeInterceptor.java
Index: DecodeInterceptor.java
===================================================================
RCS file:
/home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/modules/mappers/DecodeInterceptor.java,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -r1.9 -r1.10
--- DecodeInterceptor.java 2001/09/29 04:36:35 1.9
+++ DecodeInterceptor.java 2001/10/04 20:25:05 1.10
@@ -89,7 +89,7 @@
private boolean normalize=true;
private boolean safe=true;
-
+ private boolean saveOriginal=false;
public DecodeInterceptor() {
}
@@ -118,6 +118,13 @@
normalize=b;
}
+ /** Save the original uri before decoding. Default is false,
+ * for consistency among servers.
+ */
+ public void setSaveOriginal( boolean b ) {
+ saveOriginal=b;
+ }
+
/** Decode interceptor can reject unsafe urls. These are
URL's containing the following escapes:
%25 = '%'
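Review bot: The Javadoc on `setSaveOriginal` gives only "consistency among servers" as the reason for the default and omits the security reason the commit log spells out. When the option is on, the saved URI is the form taken before decoding, so any check or path processing that reads it sees the still-encoded request. I would add a sentence to the comment such as `Enabling this keeps the undecoded request URI; never use that value for security checks or mapping, and expect it to differ between standalone and web-server setups.` An administrator reading only the generated docs would then see the trade-off without needing the commit message.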
@@ -398,7 +405,7 @@
}
private boolean isSafeURI(MessageBytes pathMB) {
- int start = pathMB.indexOf("%");
+ int start = pathMB.indexOf('%');
if( start >= 0 ) {
int end = pathMB.indexOf(";jsessionid=");
if( end < 0 || start < end ) {
@@ -515,11 +522,14 @@
// Decode request, save the original for the facade
// Already decoded
- if( req.getNote( decodedNote ) != null )
+ if( req.getNote( decodedNote ) != null ) {
+ if( debug> 5 ) log("Already decoded " + req.getNote( decodedNote ));
return 0;
+ }
if (pathMB.indexOf('%') >= 0 || pathMB.indexOf( '+' ) >= 0) {
try {
- req.unparsedURI().duplicate( pathMB );
+ if( saveOriginal )
+ req.unparsedURI().duplicate( pathMB );
if(debug>1 )
log( "Before " + pathMB.toString());
req.getURLDecoder().convert( pathMB );
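Review bot: The comment `// Decode request, save the original for the facade` at the top of this hunk is now inaccurate, because the copy into `req.unparsedURI()` happens only when `saveOriginal` is set. I would reword it to `// Decode request; keep the raw, still-encoded URI for the facade only if saveOriginal is set` so a reader does not assume the facade always has the original. The hunk does not show what `unparsedURI()` holds when the flag is false; if it is left unset, that is worth stating next to the flag. The new `if( saveOriginal )` is also unbraced, while the same hunk adds braces to the `decodedNote` test; writing `if( saveOriginal ) { req.unparsedURI().duplicate( pathMB ); }` would keep the two consistent. The enclosing method starts and ends outside the hunk.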