svn commit: r678137 - in /tomcat/tc6.0.x/trunk: java/org/apache/catalina/connector/CoyoteAdapter.java webapps/docs/changelog.xml
Author: remm Date: Sat Jul 19 04:35:43 2008 New Revision: 678137 URL: http://svn.apache.org/viewvc?rev=678137&view=rev Log: - Additional normalization check. Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/CoyoteAdapter.java tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/CoyoteAdapter.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/CoyoteAdapter.java?rev=678137&r1=678136&r2=678137&view=diff == --- tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/CoyoteAdapter.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/CoyoteAdapter.java Sat Jul 19 04:35:43 2008 @@ -404,6 +404,12 @@ } // Character decoding convertURI(decodedURI, request); +// Check that the URI is still normalized +if (!checkNormalize(req.decodedURI())) { +res.setStatus(400); +res.setMessage("Invalid URI character encoding"); +return false; +} } else { // The URL is chars or String, and has been sent using an in-memory // protocol handler, we have to assume the URL has been properly 
@@ -780,6 +786,67 @@ } +/** + * Check that the URI is normalized following character decoding. + * + * This method checks for "\", 0, "//", "/./" and "/../". This method will + * return false if sequences that are supposed to be normalized are still + * present in the URI. + * + * @param uriMB URI to be checked (should be chars) + */ +public static boolean checkNormalize(MessageBytes uriMB) { + +CharChunk uriCC = uriMB.getCharChunk(); +char[] c = uriCC.getChars(); +int start = uriCC.getStart(); +int end = uriCC.getEnd(); + +int pos = 0; + +// Check for '\' and 0 +for (pos = start; pos < end; pos++) { +if (c[pos] == '\\') { +return false; +} +if (c[pos] == 0) { +return false; +} +} + +// Check for "//" +for (pos = start; pos < (end - 1); pos++) { +if (c[pos] == '/') { +if (c[pos + 1] == '/') { +return false; +} +} +} + +// Check for ending with "/." or "/.." +if (((end - start) >= 2) && (c[end - 1] == '.')) { +if ((c[end - 2] == '/') +|| ((c[end - 2] == '.') +&& (c[end - 3] == '/'))) { +return false; +} +} + +// Check for "/./" +if (uriCC.indexOf("/./", 0, 3, 0) >= 0) { +return false; +} + +// Check for "/../" +if (uriCC.indexOf("/../", 0, 4, 0) >= 0) { +return false; +} + +return true; + +} + + // -- Protected Methods Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=678137&r1=678136&r2=678137&view=diff == --- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original) +++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Sat Jul 19 04:35:43 2008 @@ -45,6 +45,9 @@ 45285: Look for annotations in class hierarchy. (markt) + +Add additional checks for URI normalization. (remm) + - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
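Review bot: the 400 message in the first hunk, `res.setMessage("Invalid URI character encoding");`, misdescribes the failure it reports: checkNormalize rejects a decoded URI that still contains `\`, NUL, `//`, `/./` or `/../`, that is, a separator or traversal sequence that survived or was produced by percent-decoding, not a malformed encoding. A message such as "Invalid URI", matching the comment `// Check that the URI is still normalized`, would make the new 400s easier to diagnose. Note also that the check sits only on the byte-URI branch; the `else` branch for chars/String URIs from an in-memory handler keeps assuming normalization, which is acceptable only as long as that path stays trusted and deserves a comment saying so.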
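Review bot: in the ending-sequence check of the checkNormalize hunk the length guard does not cover the deepest read: `if (((end - start) >= 2) && (c[end - 1] == '.'))` admits a two-character chunk, yet the `/..` branch reads `c[end - 3]`, which for the input `..` with start at 0 is `c[-1]` and throws ArrayIndexOutOfBoundsException. The call site is protected in practice because the URI has already been normalized and starts with `/`, so `c[end - 2] == '/'` short-circuits the `||`, but the method is `public static` and its Javadoc promises a boolean. Guard the second branch separately, e.g. `|| (((end - start) >= 3) && (c[end - 2] == '.') && (c[end - 3] == '/'))`. The Javadoc also lacks a `@return` tag for the true/false contract it describes.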
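Review bot: the changelog entry `Add additional checks for URI normalization. (remm)` does not say what users will observe: a request whose decoded URI still contains `\`, NUL, `//`, `/./` or `/../` is now rejected with a 400. Stating that here, and that the check runs after character decoding, gives operators who start seeing new 400s something to match against.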
how to do an anonymous checkout of Tomcat source
Hi,

I am trying to check out the source for Tomcat. This is what I am trying to do on my Eclipse Subversion client:

Host: http://svn.apache.org/
Repository path: repos/asf/tomcat

What can I use for "user" and "password"? I read the official documentation on the Tomcat page, but I am missing something.

Thanks for helping me check out the source.

ilango
--
View this message in context: http://www.nabble.com/how-to-do-an-anonymous-checkout-of-Tomcat-source-tp18544744p18544744.html
Sent from the Tomcat - Dev mailing list archive at Nabble.com.
path to becoming a committer
Hi,

How will I qualify to become a committer on an Apache project like Tomcat? What can be a path to becoming one? What do I need to do?

thanks
ilango
Re: path to becoming a committer
I'm not sure exactly what is involved in becoming a committer for Tomcat, but it generally involves submitting patches, and when the amount you submitted becomes extensive/large, then you are offered an SVN account.

Q

On Sat, Jul 19, 2008 at 4:28 PM, ilango_g <[EMAIL PROTECTED]> wrote:
> Hi
> How will I qualify to become a committer on an Apache project like Tomcat.
> What can be a path to becoming one. What do I need to do?
>
> thanks
> ilango

--
Quintin Beukes
Re: how to do an anonymous checkout of Tomcat source
ilango_g schrieb:
> Hi
> I am trying to check out the source for Tomcat:
> This is what I am trying to do on my Eclipse Subversion Client:
> Host: http://svn.apache.org/
> Repository path: repos/asf/tomcat
> What can I use for "user" and "password"
> I read the official documentation on the Tomcat page, but I am missing something.
> Thanks for helping me check out the source.

You don't need a user or password for checking out; anonymous svn suffices. Only if you use https instead of http will you need credentials. https allows write access, http only read access.

Regards,

Rainer
Re: path to becoming a committer
If this involves submitting patches, where do I start? Where can I find a list of bugs for which patches are sought?

Thanks.
Ilango

Quintin Beukes-2 wrote:
> I'm not sure exactly what is involved in becoming a committer for Tomcat,
> but it generally involves submitting patches, and when the amount you
> submitted becomes extensive/large, then you are offered an SVN account.
>
> Q
>
> --
> Quintin Beukes
Re: path to becoming a committer
I found the location of the bug database at ASF Bugzilla. Is this a place to start?

Quintin Beukes-2 wrote:
> I'm not sure exactly what is involved in becoming a committer for Tomcat,
> but it generally involves submitting patches, and when the amount you
> submitted becomes extensive/large, then you are offered an SVN account.
>
> Q
>
> --
> Quintin Beukes
Re: path to becoming a committer
On Sat, Jul 19, 2008 at 12:32 PM, ilango_g <[EMAIL PROTECTED]> wrote:
> I found the location of the bug database at ASF Bugzilla. This is a place to
> start?

Yes, that's a good place to start. You will also want to read several pages on http://www.apache.org/dev/, including "How the ASF Works," "Introduction for Contributors," and more.

Yoav