This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new d33cce6 Ensure request URIs start with /
d33cce6 is described below
commit d33cce6c196efed8e35518711ba27af0a8c93d09
Author: Mark Thomas <[email protected]>
AuthorDate: Wed Oct 13 18:33:55 2021 +0100
Ensure request URIs start with /
---
java/org/apache/catalina/connector/CoyoteAdapter.java | 5 ++++-
webapps/docs/changelog.xml | 3 +++
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/java/org/apache/catalina/connector/CoyoteAdapter.java
b/java/org/apache/catalina/connector/CoyoteAdapter.java
index ccfb4d1..f1db80f 100644
--- a/java/org/apache/catalina/connector/CoyoteAdapter.java
+++ b/java/org/apache/catalina/connector/CoyoteAdapter.java
@@ -911,7 +911,10 @@ public class CoyoteAdapter implements Adapter {
req.decodedURI().toBytes();
ByteChunk uriBC = req.decodedURI().getByteChunk();
- int semicolon = uriBC.indexOf(';', 0);
+ // The first character must always be '/' so start search at position
1.
+ // If the first character is ';' the URI will be rejected at the
+ // normalization stage
+ int semicolon = uriBC.indexOf(';', 1);
// Performance optimisation. Return as soon as it is known there are no
// path parameters;
if (semicolon == -1) {
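Review bot: The new `indexOf(';', 1)` depends on a check this hunk does not show: the comment says a leading `;` "will be rejected at the normalization stage", but the commit (whose diffstat lists only this file and the changelog) adds no test for that, so a later change to normalization could let such a request target through with its leading path parameter intact. A regression test asserting that a request target beginning with `;` is answered with a 400 would tie the two stages together. The comment would be more accurate as `// A valid request URI starts with '/', so the search starts at position 1; a leading ';' is left in place on purpose so that normalization rejects the URI.`, because at this point the first character has not yet been validated. It is also worth confirming that `ByteChunk.indexOf` returns -1 when the start offset is at or past the end of the chunk, as with an empty or one-byte URI. The enclosing method starts and ends outside the hunk.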
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 0f82931..abdcfdf 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -130,6 +130,9 @@
Invalid byte sequences (typically in %nn form) in a request URi that
are
not valid for the given URI encoding now trigger a 400 response.
(markt)
</fix>
+ <fix>
+ Ensure that a requets URI must start with a <code>/</code>. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Coyote">