Author: markt Date: Tue Sep 7 16:10:49 2010 New Revision: 993414 URL: http://svn.apache.org/viewvc?rev=993414&view=rev Log: Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=38113 Add system property to allow spec compliant handling of query string
Modified: tomcat/tc6.0.x/trunk/STATUS.txt tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml tomcat/tc6.0.x/trunk/webapps/docs/config/systemprops.xml Modified: tomcat/tc6.0.x/trunk/STATUS.txt URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=993414&r1=993413&r2=993414&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/STATUS.txt (original) +++ tomcat/tc6.0.x/trunk/STATUS.txt Tue Sep 7 16:10:49 2010 @@ -160,12 +160,6 @@ PATCHES PROPOSED TO BACKPORT: -1: rjung: s/vesion/version/g -* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=38113 - Add system property to allow spec compliant handling of query string - http://people.apache.org/~markt/patches/2010-08-25-bug38113.patch - +1: markt, kkolinko, rjung - -1: - * Provide better web application state information via JMX A limited back-port of http://svn.apache.org/viewvc?rev=992245&view=rev that could be extended to other components that use LifecycleSupport and expose Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java?rev=993414&r1=993413&r2=993414&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java Tue Sep 7 16:10:49 2010 
@@ -83,16 +83,20 @@ import org.apache.catalina.util.StringPa public class Request implements HttpServletRequest { - - // ----------------------------------------------------------- Constructors - + private final static boolean ALLOW_EMPTY_QUERY_STRING; static { // Ensure that classes are loaded for SM new StringCache.ByteEntry(); new StringCache.CharEntry(); + + ALLOW_EMPTY_QUERY_STRING = Boolean.parseBoolean(System.getProperty( + "org.apache.catalina.connector.Request.ALLOW_EMPTY_QUERY_STRING", + Boolean.toString(Globals.STRICT_SERVLET_COMPLIANCE))); } + + // ----------------------------------------------------------- Constructors public Request() { formats[0].setTimeZone(GMT_ZONE); @@ -1975,11 +1979,11 @@ public class Request */ public String getQueryString() { String queryString = coyoteRequest.queryString().toString(); - if (queryString == null || queryString.equals("")) { - return (null); - } else { - return queryString; + if (!ALLOW_EMPTY_QUERY_STRING && "".equals(queryString)) { + return null; } + + return queryString; } Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=993414&r1=993413&r2=993414&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original) +++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Tue Sep 7 16:10:49 2010 
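Review bot: `ALLOW_EMPTY_QUERY_STRING` is declared without a comment, although its value is fixed once in the static initializer and its default comes from `Globals.STRICT_SERVLET_COMPLIANCE`, so enabling strict compliance also changes what `getQueryString()` returns. A comment above the field would make that visible, e.g. `// Read once at class load; defaults to STRICT_SERVLET_COMPLIANCE. When true, getQueryString() returns "" rather than null for a bare '?'.` `Boolean.parseBoolean` treats every value other than "true" as false, so a mistyped property value silently leaves the option off; the same comment could say so. The modifier order `private final static` is conventionally written `private static final`. The class body continues outside the hunk.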
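Review bot: The Javadoc of `getQueryString()` does not appear to be updated for the new return contract; only its closing `*/` is inside the hunk, so this is inferred from the absence of a changed comment line. With the flag set the method returns `""` for an empty query string, while a `null` from `coyoteRequest.queryString().toString()` is still passed through unchanged, so callers that test only `!= null` before appending or parsing the query will now also receive an empty string. I would add a return clause along the lines of `@return the query string; null if none was sent; "" for an empty query string only when ALLOW_EMPTY_QUERY_STRING is true`.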
@@ -50,6 +50,11 @@ <subsection name="Catalina"> <changelog> <fix> + <bug>38113</bug>: Provide a system property that enables a strict + interpretation of the specification for <code>getQueryString()</code> + when an empty query string is provided by the user agent. (markt) + </fix> + <fix> Return a copy of the current URLs for the <code>WebappClassLoader</code> to prevent modification. This facilitated, although it wasn't the root cause, CVE-2010-1622. (markt) Modified: tomcat/tc6.0.x/trunk/webapps/docs/config/systemprops.xml URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/config/systemprops.xml?rev=993414&r1=993413&r2=993414&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/webapps/docs/config/systemprops.xml (original) +++ tomcat/tc6.0.x/trunk/webapps/docs/config/systemprops.xml Tue Sep 7 16:10:49 2010 @@ -250,7 +250,16 @@ </property> <property - name="org.apache.catalina.session. StandardSession.ACTIVITY_CHECK"> + name="org.apache.catalina. connector.Request.ALLOW_EMPTY_QUERY_STRING"> + <p>If this is <code>true</code> Tomcat will return an empty string rather + than <code>null</code> for empty query strings - i.e. query strings where + only <code>?</code> is present. If not specified, the value of + <code>org.apache.catalina.STRICT_SERVLET_COMPLIANCE</code> will be used as + the default.</p> + </property> + + <property + name="org.apache.catalina.session. StandardSession.ACTIVITY_CHECK"> <p>If this is <code>true</code> or if <code>org.apache.catalina.STRICT_SERVLET_COMPLIANCE</code> is <code>true</code> Tomcat will track the number of active requests for each --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org