This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/8.5.x by this push: new 331611b Improve reporting of invalid request lines 331611b is described below commit 331611bd02c90c7c53d0326c61f93880f61eed8b Author: Mark Thomas <ma...@apache.org> AuthorDate: Wed Apr 15 15:35:00 2020 +0100 Improve reporting of invalid request lines --- .../apache/coyote/http11/Http11InputBuffer.java | 31 +++++++++++++++++----- .../apache/coyote/http11/LocalStrings.properties | 6 ++--- webapps/docs/changelog.xml | 4 +++ 3 files changed, 32 insertions(+), 9 deletions(-) diff --git a/java/org/apache/coyote/http11/Http11InputBuffer.java b/java/org/apache/coyote/http11/Http11InputBuffer.java index eecac4f..fe9cc96 100644 --- a/java/org/apache/coyote/http11/Http11InputBuffer.java +++ b/java/org/apache/coyote/http11/Http11InputBuffer.java @@ -426,10 +426,10 @@ public class Http11InputBuffer implements InputBuffer, ApplicationBufferHandler request.method().setBytes(byteBuffer.array(), parsingRequestLineStart, pos - parsingRequestLineStart); } else if (!HttpParser.isToken(chr)) { - byteBuffer.position(byteBuffer.position() - 1); // Avoid unknown protocol triggering an additional error request.protocol().setString(Constants.HTTP_11); - throw new IllegalArgumentException(sm.getString("iib.invalidmethod")); + String invalidMethodValue = parseInvalid(parsingRequestLineStart, byteBuffer); + throw new IllegalArgumentException(sm.getString("iib.invalidmethod", invalidMethodValue)); } } parsingRequestLinePhase = 3; @@ -474,7 +474,8 @@ public class Http11InputBuffer implements InputBuffer, ApplicationBufferHandler // therefore invalid. Trigger error handling. // Avoid unknown protocol triggering an additional error request.protocol().setString(Constants.HTTP_11); - throw new IllegalArgumentException(sm.getString("iib.invalidRequestTarget")); + String invalidRequestTarget = parseInvalid(parsingRequestLineStart, byteBuffer); + throw new IllegalArgumentException(sm.getString("iib.invalidRequestTarget", invalidRequestTarget)); } if (chr == Constants.SP || chr == Constants.HT) { space = true; @@ -500,14 +501,16 @@ public class Http11InputBuffer implements InputBuffer, ApplicationBufferHandler // Avoid unknown protocol triggering an additional error request.protocol().setString(Constants.HTTP_11); // %nn decoding will be checked at the point of decoding - throw new IllegalArgumentException(sm.getString("iib.invalidRequestTarget")); + String invalidRequestTarget = parseInvalid(parsingRequestLineStart, byteBuffer); + throw new IllegalArgumentException(sm.getString("iib.invalidRequestTarget", invalidRequestTarget)); } else if (httpParser.isNotRequestTargetRelaxed(chr)) { // Avoid unknown protocol triggering an additional error request.protocol().setString(Constants.HTTP_11); // This is a general check that aims to catch problems early // Detailed checking of each part of the request target will // happen in Http11Processor#prepareRequest() - throw new IllegalArgumentException(sm.getString("iib.invalidRequestTarget")); + String invalidRequestTarget = parseInvalid(parsingRequestLineStart, byteBuffer); + throw new IllegalArgumentException(sm.getString("iib.invalidRequestTarget", invalidRequestTarget)); } } if (parsingRequestLineQPos >= 0) { @@ -567,7 +570,8 @@ public class Http11InputBuffer implements InputBuffer, ApplicationBufferHandler end = pos - 1; parsingRequestLineEol = true; } else if (!HttpParser.isHttpProtocol(chr)) { - throw new IllegalArgumentException(sm.getString("iib.invalidHttpProtocol")); + String invalidProtocol = parseInvalid(parsingRequestLineStart, byteBuffer); + throw new IllegalArgumentException(sm.getString("iib.invalidHttpProtocol", invalidProtocol)); } } @@ -629,6 +633,21 @@ public class Http11InputBuffer implements InputBuffer, ApplicationBufferHandler } + private String parseInvalid(int startPos, ByteBuffer buffer) { + // Look for the next space + byte b = 0; + while (buffer.hasRemaining() && b != 0x20) { + b = buffer.get(); + } + String result = HeaderUtil.toPrintableString(buffer.array(), buffer.arrayOffset() + startPos, buffer.position() - startPos - 1); + if (b != 0x20) { + // Ran out of buffer rather than found a space + result = result + "..."; + } + return result; + } + + /** * End request (consumes leftover bytes). * diff --git a/java/org/apache/coyote/http11/LocalStrings.properties b/java/org/apache/coyote/http11/LocalStrings.properties index 987907a..d547b1d 100644 --- a/java/org/apache/coyote/http11/LocalStrings.properties +++ b/java/org/apache/coyote/http11/LocalStrings.properties @@ -42,11 +42,11 @@ iib.available.readFail=A non-blocking read failed while attempting to determine iib.eof.error=Unexpected EOF read on the socket iib.failedread.apr=Read failed with APR/native error code [{0}] iib.filter.npe=You may not add a null filter -iib.invalidHttpProtocol=Invalid character found in the HTTP protocol +iib.invalidHttpProtocol=Invalid character found in the HTTP protocol [{0}] iib.invalidPhase=Invalid request line parse phase [{0}] -iib.invalidRequestTarget=Invalid character found in the request target. The valid characters are defined in RFC 7230 and RFC 3986 +iib.invalidRequestTarget=Invalid character found in the request target [{0}]. The valid characters are defined in RFC 7230 and RFC 3986 iib.invalidheader=The HTTP header line [{0}] does not conform to RFC 7230 and has been ignored. -iib.invalidmethod=Invalid character found in method name. HTTP method names must be tokens +iib.invalidmethod=Invalid character found in method name [{0}]. HTTP method names must be tokens iib.parseheaders.ise.error=Unexpected state: headers already parsed. Buffer not recycled? iib.readtimeout=Timeout attempting to read data from the socket iib.requestheadertoolarge.error=Request header is too large diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 028d820..24c02e0 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -58,6 +58,10 @@ that use a custom class loader that loads resources from non-standard locations. (markt) </fix> + <fix> + Include the problematic data in the error message when reporting that + the provided request line contains an invalid component. (markt) + </fix> </changelog> </subsection> <subsection name="Coyote"> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org