Author: markt
Date: Wed Sep 2 20:46:17 2015
New Revision: 1700900
URL: http://svn.apache.org/r1700900
Log:
Update proposal
Modified:
tomcat/tc6.0.x/trunk/STATUS.txt
tomcat/tc6.0.x/trunk/java/org/apache/catalina/util/RequestUtil.java
Modified: tomcat/tc6.0.x/trunk/STATUS.txt
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=1700900&r1=1700899&r2=1700900&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/STATUS.txt (original)
+++ tomcat/tc6.0.x/trunk/STATUS.txt Wed Sep 2 20:46:17 2015
@@ -62,13 +62,13 @@ PATCHES PROPOSED TO BACKPORT:
* Back-port fixes for Javadoc, formatting, clean-up and edge cases for URL
normalization
-
http://people.apache.org/~markt/patches/2015-09-01-url-normalization-tc6-v1.patch
+
http://people.apache.org/~markt/patches/2015-09-02-url-normalization-tc6-v2.patch
+1: markt
-1:
* Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=58313
http://svn.apache.org/r1700872
- NNot required for async but still required because of Comet
+ Not required for async but still required because of Comet
+1: markt
-1:
Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/util/RequestUtil.java
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/util/RequestUtil.java?rev=1700900&r1=1700899&r2=1700900&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/util/RequestUtil.java
(original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/util/RequestUtil.java Wed Sep
2 20:46:17 2015
@@ -5,9 +5,9 @@
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
- *
+ *
* http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -91,11 +91,15 @@ public final class RequestUtil {
* try to perform security checks for malicious input.
*
* @param path Relative path to be normalized
+ *
+ * @return The normalized path or <code>null</code> if the path cannot be
+ * normalized
*/
public static String normalize(String path) {
return normalize(path, true);
}
+
/**
* Normalize a relative URI path that may have relative values ("/./",
* "/../", and so on ) it it. <strong>WARNING</strong> - This method is
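Review bot: The added `@return` text says `null` is returned when the path "cannot be normalized" but does not say which inputs that covers; going by the code visible in the later hunks, `null` comes back for a `null` path and for a path that would climb above the root. Because the Javadoc already warns that this method performs no security checks, the return contract should be explicit, e.g. `@return The normalized path, or <code>null</code> if <code>path</code> is <code>null</code> or resolves above the root`, so callers know a `null` result must be treated as a rejection. The same wording applies to the `@return` added for `normalize(String, boolean)` in the next hunk.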
@@ -104,11 +108,15 @@ public final class RequestUtil {
*
* @param path Relative path to be normalized
* @param replaceBackSlash Should '\\' be replaced with '/'
+ *
+ * @return The normalized path or <code>null</code> if the path cannot be
+ * normalized
*/
public static String normalize(String path, boolean replaceBackSlash) {
- if (path == null)
+ if (path == null) {
return null;
+ }
// Create a place for the normalized path
String normalized = path;
@@ -116,9 +124,6 @@ public final class RequestUtil {
if (replaceBackSlash && normalized.indexOf('\\') >= 0)
normalized = normalized.replace('\\', '/');
- if (normalized.equals("/."))
- return "/";
-
// Add a leading "/" if necessary
if (!normalized.startsWith("/"))
normalized = "/" + normalized;
@@ -126,36 +131,44 @@ public final class RequestUtil {
// Resolve occurrences of "//" in the normalized path
while (true) {
int index = normalized.indexOf("//");
- if (index < 0)
+ if (index < 0) {
break;
- normalized = normalized.substring(0, index) +
- normalized.substring(index + 1);
+ }
+ normalized = normalized.substring(0, index) +
normalized.substring(index + 1);
}
// Resolve occurrences of "/./" in the normalized path
while (true) {
int index = normalized.indexOf("/./");
- if (index < 0)
+ if (index < 0) {
break;
- normalized = normalized.substring(0, index) +
- normalized.substring(index + 2);
+ }
+ normalized = normalized.substring(0, index) +
normalized.substring(index + 2);
}
// Resolve occurrences of "/../" in the normalized path
while (true) {
int index = normalized.indexOf("/../");
- if (index < 0)
+ if (index < 0) {
break;
- if (index == 0)
- return (null); // Trying to go outside our context
+ }
+ if (index == 0) {
+ return null; // Trying to go outside our context
+ }
int index2 = normalized.lastIndexOf('/', index - 1);
- normalized = normalized.substring(0, index2) +
- normalized.substring(index + 3);
+ normalized = normalized.substring(0, index2) +
normalized.substring(index + 3);
}
- // Return the normalized path that we have completed
- return (normalized);
+ if (normalized.equals("/.")) {
+ return "/";
+ }
+ if (normalized.equals("/..")) {
+ return null; // Trying to go outside our context
+ }
+
+ // Return the normalized path that we have completed
+ return normalized;
}
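Review bot: The two final checks only match a path that is exactly `/.` or `/..`, so a trailing dot segment that follows another segment is returned unresolved: reading the visible loops, `/a/..` contains no `/../` and comes back unchanged, as does `/a/.`. A caller that treats any non-null result as fully normalized would then hand a `..` segment to whatever resolves the path next. Appending a temporary `/` when the path ends with `/.` or `/..` before the loops run, and removing it afterwards, lets the existing loops resolve these cases and makes the two `equals` checks redundant. The body of `normalize` starts outside this hunk, so the placement relative to the leading-slash step should be confirmed against the full method.

```java
        // Temporarily terminate a trailing "/." or "/.." so the loops below resolve it
        boolean addedTrailingSlash = false;
        if (normalized.endsWith("/.") || normalized.endsWith("/..")) {
            normalized = normalized + "/";
            addedTrailingSlash = true;
        }

        // … unchanged: "//", "/./" and "/../" loops …

        // Drop the temporary slash again, keeping a bare "/"
        if (addedTrailingSlash && normalized.length() > 1) {
            normalized = normalized.substring(0, normalized.length() - 1);
        }

        // Return the normalized path that we have completed
        return normalized;
```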
@@ -213,8 +226,8 @@ public final class RequestUtil {
public static String URLDecode(String str) {
return URLDecode(str, null);
}
-
-
+
+
/**
* Decode and return the specified URL-encoded String. It is assumed the
* string is not a query string.
@@ -227,7 +240,7 @@ public final class RequestUtil {
public static String URLDecode(String str, String enc) {
return URLDecode(str, enc, false);
}
-
+
/**
* Decode and return the specified URL-encoded String.
*
@@ -294,7 +307,7 @@ public final class RequestUtil {
* by a valid 2-digit hexadecimal number
*/
public static String URLDecode(byte[] bytes, String enc, boolean isQuery) {
-
+
if (bytes == null)
return (null);
@@ -403,8 +416,8 @@ public final class RequestUtil {
ox = 0;
} else {
data[ox++] = c;
- }
- break;
+ }
+ break;
case '+':
data[ox++] = (byte)' ';
break;