This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new d33cce6 Ensure request URIs start with /
d33cce6 is described below
commit d33cce6c196efed8e35518711ba27af0a8c93d09
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Wed Oct 13 18:33:55 2021 +0100

Ensure request URIs start with /
---
java/org/apache/catalina/connector/CoyoteAdapter.java | 5 ++++-
webapps/docs/changelog.xml | 3 +++
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/java/org/apache/catalina/connector/CoyoteAdapter.java b/java/org/apache/catalina/connector/CoyoteAdapter.java
index ccfb4d1..f1db80f 100644
--- a/java/org/apache/catalina/connector/CoyoteAdapter.java
+++ b/java/org/apache/catalina/connector/CoyoteAdapter.java
@@ -911,7 +911,10 @@ public class CoyoteAdapter implements Adapter {
 req.decodedURI().toBytes();
 
 ByteChunk uriBC = req.decodedURI().getByteChunk();
- int semicolon = uriBC.indexOf(';', 0);
+ // The first character must always be '/' so start search at position 1.
+ // If the first character is ';' the URI will be rejected at the
+ // normalization stage
+ int semicolon = uriBC.indexOf(';', 1);
 // Performance optimisation. Return as soon as it is known there are no
 // path parameters;
 if (semicolon == -1) {
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 0f82931..abdcfdf 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -130,6 +130,9 @@
 Invalid byte sequences (typically in %nn form) in a request URi that are not valid for the given URI encoding now trigger a 400 response. (markt)
 </fix>
+ <fix>
+ Ensure that a requets URI must start with a <code>/</code>. (markt)
+ </fix>
 </changelog>
 </subsection>
 <subsection name="Coyote">
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
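Review bot: Starting the ';' search at offset 1 only hardens anything if the normalization step the new comment refers to really rejects a URI whose first byte is ';', and that step lies outside this hunk while the commit adds no test for it; a connector-level test sending a request whose URI begins with `;` (for example `;x/index.html`) and asserting a 400 response would pin the promised behaviour. Presumably, before this change, the path-parameter stripping further down in this method removed such a leading segment and let a path like `/index.html` reach normalization, which is the case worth documenting where the comment currently only states the rule. A shorter, more precise comment would be `// Skip position 0: a URI not starting with '/' is rejected by normalization, so a leading ';' segment must not be stripped here.` The enclosing method starts and ends outside this hunk.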