svn commit: r1733080 - in /tomcat/trunk: java/org/apache/tomcat/util/buf/UriUtil.java webapps/docs/changelog.xml

Tue, 01 Mar 2016 06:38:59 -0800 

Author: markt
Date: Tue Mar  1 14:37:46 2016
New Revision: 1733080

URL: http://svn.apache.org/viewvc?rev=1733080&view=rev
Log:
Expand the fix for BZ 59001 to cover the special sequences used in Tomcat's 
custom jar:war: URL

Modified:
    tomcat/trunk/java/org/apache/tomcat/util/buf/UriUtil.java
    tomcat/trunk/webapps/docs/changelog.xml

Modified: tomcat/trunk/java/org/apache/tomcat/util/buf/UriUtil.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/buf/UriUtil.java?rev=1733080&r1=1733079&r2=1733080&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/buf/UriUtil.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/buf/UriUtil.java Tue Mar  1 
14:37:46 2016
@@ -106,6 +106,9 @@ public final class UriUtil {
     private static String makeSafeForJarUrl(String input) {
         // Since "!/" has a special meaning in a JAR URL, make sure that the
         // sequence is properly escaped if present.
-        return input.replaceAll("!/", "%21/");
+        String tmp = input.replaceAll("!/", "%21/");
+        // Tomcat's custom jar:war: URL handling treats */ and ^/ as special
+        tmp = tmp.replaceAll("^/", "%5e/");
+        return tmp.replaceAll("\\*/", "%2a/");
     }
 }

Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1733080&r1=1733079&r2=1733080&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Tue Mar  1 14:37:46 2016
@@ -107,6 +107,10 @@
         <bug>59001</bug>: Correctly handle the case when Tomcat is installed on
         a path where one of the segments ends in an exclamation mark. (markt)
       </fix>
+      <fix>
+        Expand the fix for <bug>59001</bug> to cover the special sequences used
+        in Tomcat&apos;s custom jar:war: URLs. (markt)
+      </fix>
       <update>
         Switch to the web application class loader to the
         <code>ParallelWebappClassLoader</code> by default. (markt)



---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to