This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 11.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/11.0.x by this push:
     new 45e0eb87fa Update docs
45e0eb87fa is described below

commit 45e0eb87fa6760de794c3b38f75215ac3d9eefd2
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Wed Jan 22 12:11:33 2025 +0000

    Update docs
---
 java/org/apache/tomcat/util/http/RequestUtil.java | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/java/org/apache/tomcat/util/http/RequestUtil.java 
b/java/org/apache/tomcat/util/http/RequestUtil.java
index 1c1ed0de13..fe4d1e639a 100644
--- a/java/org/apache/tomcat/util/http/RequestUtil.java
+++ b/java/org/apache/tomcat/util/http/RequestUtil.java
@@ -30,13 +30,13 @@ public class RequestUtil {
 
 
     /**
-     * Normalize a relative URI path that may have relative values ("/./", 
"/../", and so on ) it it.
-     * <strong>WARNING</strong> - This method is useful only for normalizing 
application-generated paths. It does not
-     * try to perform security checks for malicious input.
+     * Normalize a relative URI path. This method normalizes "/./", "/../", 
"//" and "\". If the input path is an
+     * attempt to 'escape the root' (e.g. /../input.txt) then {@code null} is 
returned to prevent attempts to 'escape
+     * the root'. <strong>WARNING</strong> - No other URI validation checks 
are performed.
      *
      * @param path Relative path to be normalized
      *
-     * @return The normalized path or <code>null</code> if the path cannot be 
normalized
+     * @return The normalized path or {@code null} if the input path attempts 
to 'escape the root'.
      */
     public static String normalize(String path) {
         return normalize(path, true);
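Review bot: The rewritten `@return` line here, and the identical one in the two-argument overload's hunk, narrows the documented null case to 'escape the root' only, where the old text said null was returned whenever the path could not be normalized. The method body lies outside the hunk, so this cannot be confirmed from here, but if the implementation also returns null for a null input, that case is now undocumented and callers may drop a null check they still need. If it applies, suggest `@return The normalized path or {@code null} if the input is {@code null} or attempts to 'escape the root'`. The summary sentence also repeats 'escape the root' twice; `If the path would resolve above the root (e.g. /../input.txt), {@code null} is returned.` says the same thing once.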
@@ -44,14 +44,14 @@ public class RequestUtil {
 
 
     /**
-     * Normalize a relative URI path that may have relative values ("/./", 
"/../", and so on ) it it.
-     * <strong>WARNING</strong> - This method is useful only for normalizing 
application-generated paths. It does not
-     * try to perform security checks for malicious input.
+     * Normalize a relative URI path. This method normalizes "/./", "/../" and 
"//". This method optionally normalizes
+     * "\". If the input path is an attempt to 'escape the root' (e.g. 
/../input.txt) then {@code null} is returned to
+     * prevent attempts to 'escape the root'. <strong>WARNING</strong> - No 
other URI validation checks are performed.
      *
      * @param path             Relative path to be normalized
-     * @param replaceBackSlash Should '\\' be replaced with '/'
+     * @param replaceBackSlash Should '\\' be normalized to '/'
      *
-     * @return The normalized path or <code>null</code> if the path cannot be 
normalized
+     * @return The normalized path or {@code null} if the input path attempts 
to 'escape the root'.
      */
     public static String normalize(String path, boolean replaceBackSlash) {
 
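Review bot: The new Javadoc for the two-argument `normalize` states the root-escape guarantee unconditionally, but also says "\" is only optionally normalized, and it does not spell out what the guarantee covers when `replaceBackSlash` is false. The body is outside the hunk, but presumably a `..\` segment then passes through unchanged, which matters when the result is later resolved on a file system that treats backslash as a separator. Suggest adding a sentence such as `When {@code replaceBackSlash} is {@code false}, "\" is treated as an ordinary character and segments delimited by it are not checked.` The closing WARNING would also be more useful if it named what is out of scope; for example, if percent-encoded sequences are not decoded here (to be confirmed against the body), say that callers must decode before calling.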

