Re: [tomcat] branch main updated: Ensure request URIs start with /

Thu, 14 Oct 2021 04:07:34 -0700 

чт, 14 окт. 2021 г. в 13:37, Mark Thomas <ma...@apache.org>:
>
> On 14/10/2021 11:32, Konstantin Kolinko wrote:
> > чт, 14 окт. 2021 г. в 13:01, Mark Thomas <ma...@apache.org>:
> >>
> >> On 14/10/2021 10:59, ma...@apache.org wrote:
> >>> This is an automated email from the ASF dual-hosted git repository.
> >>>
> >>> markt pushed a commit to branch main
> >>> in repository https://gitbox.apache.org/repos/asf/tomcat.git
> >>>
> >>>
> >>> The following commit(s) were added to refs/heads/main by this push:
> >>>        new d33cce6  Ensure request URIs start with /
> >>> d33cce6 is described below
> >>>
> >>> commit d33cce6c196efed8e35518711ba27af0a8c93d09
> >>> Author: Mark Thomas <ma...@apache.org>
> >>> AuthorDate: Wed Oct 13 18:33:55 2021 +0100
> >>>
> >>>       Ensure request URIs start with /
> >>
> >> This is the third and final additional default check for consideration
> >> to back-port.
> >>
> >> Servlet 6 also introduces the concept of "suspicious URIs" - sequences
> >> like "/..;a=b/" and I'll be addressing those as an optional check in a
> >> separate commit.
> >
> > How about an "OPTIONS * HTTP/1.1" request?
> >
> > https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/OPTIONS
> > https://datatracker.ietf.org/doc/html/rfc7231#section-4.3.7
> >
> > Does Tomcat respond to it by itself, without passing the request to 
> > servlets?
>
> That gets handled before the "starts with '/' check". Tomcat provides
> the response.
>
> https://github.com/apache/tomcat/blob/main/java/org/apache/catalina/connector/CoyoteAdapter.java#L613

OK.
Though note that line 627 is not followed by a "return" and will fall
through to further processing.
As such, the method parsePathParameters() changed by this commit may
be called with an URL of "*".

I see comments on lines 695-696: "Note we still want the mapper to
find the correct host."


Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Reply via email to