This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new 70d4e9b Do not add a trailing / to a request URI during
canonicalization.
70d4e9b is described below
commit 70d4e9ba0a81a1d782fa50695a18d23f2f1f179c
Author: Mark Thomas <[email protected]>
AuthorDate: Wed Oct 13 18:28:45 2021 +0100
Do not add a trailing / to a request URI during canonicalization.
This is part of the clarification in Servlet 6.0 of the expected
canonicalization Servlet containers are expected to apply to request
URIs.
---
java/org/apache/catalina/connector/CoyoteAdapter.java | 9 ++++++++-
test/org/apache/catalina/connector/TestCoyoteAdapter.java | 10 +++++++++-
webapps/docs/changelog.xml | 4 ++++
3 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/java/org/apache/catalina/connector/CoyoteAdapter.java
b/java/org/apache/catalina/connector/CoyoteAdapter.java
index 053874f..046cc4c 100644
--- a/java/org/apache/catalina/connector/CoyoteAdapter.java
+++ b/java/org/apache/catalina/connector/CoyoteAdapter.java
@@ -1149,6 +1149,7 @@ public class CoyoteAdapter implements Adapter {
final byte[] b = uriBC.getBytes();
final int start = uriBC.getStart();
int end = uriBC.getEnd();
+ boolean appendedSlash = false;
// An empty URL is not acceptable
if (start == end) {
@@ -1197,6 +1198,7 @@ public class CoyoteAdapter implements Adapter {
&& (b[end - 3] == (byte) '/'))) {
b[end] = (byte) '/';
end++;
+ appendedSlash = true;
}
}
@@ -1241,8 +1243,13 @@ public class CoyoteAdapter implements Adapter {
index = index2;
}
- return true;
+ // If a slash was appended to help normalize "/." or "/.." then remove
+ // any trailing "/" from the result unless the result is "/".
+ if (appendedSlash && end > 1 && b[end - 1]== '/') {
+ uriBC.setEnd(end -1);
+ }
+ return true;
}
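Review bot: The new guard `end > 1` is an absolute buffer index, but the method reads `start` from `uriBC.getStart()` and treats `start == end` as the empty case, so the "unless the result is "/"" exception only holds when the chunk begins at offset 0. With a non-zero start, a URI such as "/." that normalizes to "/" would have its only byte trimmed and leave normalize() returning true for an empty URI. Making the test offset-relative removes that dependency: `if (appendedSlash && (end - start) > 1 && b[end - 1] == (byte) '/') {`. The spacing in `b[end - 1]== '/'` and `setEnd(end -1)` also differs from the surrounding lines. normalize() begins before this hunk, so whether callers always pass a chunk with start 0 cannot be confirmed from the visible code.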
diff --git a/test/org/apache/catalina/connector/TestCoyoteAdapter.java
b/test/org/apache/catalina/connector/TestCoyoteAdapter.java
index 464ca90..72f26b8 100644
--- a/test/org/apache/catalina/connector/TestCoyoteAdapter.java
+++ b/test/org/apache/catalina/connector/TestCoyoteAdapter.java
@@ -328,10 +328,18 @@ public class TestCoyoteAdapter extends TomcatBaseTest {
doTestNormalize("/foo/../bar", "/bar");
}
+ @Test
+ public void testNormalize02() {
+ doTestNormalize("/foo/.", "/foo");
+ }
+
private void doTestNormalize(String input, String expected) {
MessageBytes mb = MessageBytes.newInstance();
byte[] b = input.getBytes(StandardCharsets.UTF_8);
- mb.setBytes(b, 0, b.length);
+ // Need to allow an extra byte in case '/' is appended during
processing
+ byte[] b2 = new byte[b.length + 1];
+ System.arraycopy(b, 0, b2, 0, b.length);
+ mb.setBytes(b2, 0, b.length);
boolean result = CoyoteAdapter.normalize(mb, false);
mb.toString();
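Review bot: The only new case, `doTestNormalize("/foo/.", "/foo")`, leaves the boundary in the new guard and the "/.." path untested. Going by the comment added in normalize(), cases such as `doTestNormalize("/.", "/");` and `doTestNormalize("/foo/bar/..", "/foo");` would pin the "result is "/"" exception and the parent-directory variant. The copy into `b2` shows normalize() may write one byte past the chunk's end, so a short comment on doTestNormalize stating that the backing array must have spare capacity would help anyone reusing the helper. doTestNormalize continues past the end of this hunk, so its assertions are not visible here.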
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index fb6b2d0..2be62e9 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -122,6 +122,10 @@
aligns Apache Tomcat with recent changes in the Jakarta Servlet
specification project. (markt)
</add>
+ <fix>
+ Do not add a trailing <code>/</code> to a request URI during
+ canonicalization. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Coyote">