Author: markt Date: Fri Aug 11 07:06:46 2017 New Revision: 1804754 URL: http://svn.apache.org/viewvc?rev=1804754&view=rev Log: Now CVE-2017-7675 is public, make the comment more specific
Modified: tomcat/trunk/java/org/apache/coyote/http2/Stream.java
Modified: tomcat/trunk/java/org/apache/coyote/http2/Stream.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http2/Stream.java?rev=1804754&r1=1804753&r2=1804754&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http2/Stream.java (original)
+++ tomcat/trunk/java/org/apache/coyote/http2/Stream.java Fri Aug 11 07:06:46 2017
@@ -313,8 +313,10 @@ class Stream extends AbstractStream impl
 String query = value.substring(queryStart + 1);
 coyoteRequest.queryString().setString(query);
 }
- // Bug 61120. Set the URI as bytes rather than String so any path
- // parameters are correctly processed
+ // Bug 61120. Set the URI as bytes rather than String so:
+ // - any path parameters are correctly processed
+ // - the normalization security checks are performed that prevent
+ // directory traversal attacks
 byte[] uriBytes = uri.getBytes(StandardCharsets.ISO_8859_1);
 coyoteRequest.requestURI().setBytes(uriBytes, 0, uriBytes.length);
 break;
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
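Review bot: The rewritten comment above `uri.getBytes(StandardCharsets.ISO_8859_1)` describes the traversal protection but never cites the advisory, so the link to CVE-2017-7675 exists only in the commit log. The comment also does not state the invariant a maintainer must keep: the request URI has to reach the request as bytes, which suggests (not visible in this hunk) that later request processing applies normalization only to the byte form. I would add a closing line such as `// See CVE-2017-7675. Do not replace setBytes() with setString() for the request URI.` A regression test asserting that an HTTP/2 request path containing dot-segments is normalized or rejected would keep this protection from resting on a comment alone. The enclosing switch case and method begin before the hunk and continue after it.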