Author: markt
Date: Thu Jul 3 13:52:42 2008
New Revision: 673796
URL: http://svn.apache.org/viewvc?rev=673796&view=rev
Log:
Make filtering of \r and \n in headers consistent for all connectors. Make handling of 404s consistent across components. Provide option to include custom status message in headers. SRV.5.3 suggests custom messages are intended for the body of the response, not the status line.
Modified:
 tomcat/trunk/java/org/apache/catalina/core/StandardContextValve.java
 tomcat/trunk/java/org/apache/coyote/Constants.java
 tomcat/trunk/java/org/apache/coyote/ajp/AjpAprProcessor.java
 tomcat/trunk/java/org/apache/coyote/ajp/AjpProcessor.java
 tomcat/trunk/java/org/apache/coyote/http11/InternalAprOutputBuffer.java
 tomcat/trunk/java/org/apache/coyote/http11/InternalNioOutputBuffer.java
 tomcat/trunk/java/org/apache/coyote/http11/InternalOutputBuffer.java
 tomcat/trunk/java/org/apache/jk/common/JkInputStream.java
 tomcat/trunk/webapps/docs/config/systemprops.xml
Modified: tomcat/trunk/java/org/apache/catalina/core/StandardContextValve.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/core/StandardContextValve.java?rev=673796&r1=673795&r2=673796&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/core/StandardContextValve.java (original)
+++ tomcat/trunk/java/org/apache/catalina/core/StandardContextValve.java Thu Jul 3 13:52:42 2008
@@ -120,8 +120,7 @@
 || (requestPathMB.equalsIgnoreCase("/META-INF"))
 || (requestPathMB.startsWithIgnoreCase("/WEB-INF/", 0))
 || (requestPathMB.equalsIgnoreCase("/WEB-INF"))) {
- String requestURI = request.getDecodedRequestURI();
- notFound(requestURI, response);
+ notFound(response);
 return;
 }
@@ -148,15 +147,13 @@
 // Select the Wrapper to be used for this Request
 Wrapper wrapper = request.getWrapper();
 if (wrapper == null) {
- String requestURI = request.getDecodedRequestURI();
- notFound(requestURI, response);
+ notFound(response);
 return;
 } else if (wrapper.isUnavailable()) {
 // May be as a result of a reload, try and find the new wrapper
 wrapper = (Wrapper) container.findChild(wrapper.getName());
 if (wrapper == null) {
- String requestURI = request.getDecodedRequestURI();
- notFound(requestURI, response);
+ notFound(response);
 return;
 }
 }
@@ -305,13 +302,12 @@
 * application, but currently that code runs at the wrapper level rather
 * than the context level.
 *
- * @param requestURI The request URI for the requested resource
 * @param response The response we are creating
 */
- private void notFound(String requestURI, HttpServletResponse response) {
+ private void notFound(HttpServletResponse response) {
 try {
- response.sendError(HttpServletResponse.SC_NOT_FOUND, requestURI);
+ response.sendError(HttpServletResponse.SC_NOT_FOUND);
 } catch (IllegalStateException e) {
 ;
 } catch (IOException e) {
Modified: tomcat/trunk/java/org/apache/coyote/Constants.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/Constants.java?rev=673796&r1=673795&r2=673796&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/Constants.java (original)
+++ tomcat/trunk/java/org/apache/coyote/Constants.java Thu Jul 3 13:52:42 2008
@@ -60,5 +60,12 @@
 (System.getSecurityManager() != null);
+ /**
+ * If true, custom HTTP status messages will be used in headers.
+ */
+ public static final boolean USE_CUSTOM_STATUS_MSG_IN_HEADER =
+ Boolean.valueOf(System.getProperty(
+ "org.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER",
+ "false")).booleanValue();
 }
Modified: tomcat/trunk/java/org/apache/coyote/ajp/AjpAprProcessor.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/ajp/AjpAprProcessor.java?rev=673796&r1=673795&r2=673796&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/ajp/AjpAprProcessor.java (original)
+++ tomcat/trunk/java/org/apache/coyote/ajp/AjpAprProcessor.java Thu Jul 3 13:52:42 2008
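Review bot: The Javadoc on `notFound` (its opening lines are above this hunk) now documents only the response parameter and no longer records why the request URI was dropped from the `sendError` call, so a later change could reintroduce it without noticing the intent. A one-line rationale would preserve it, e.g. `* The request URI is deliberately not passed as the status message so that request-derived text is not echoed into the status line or the default error page.` The commit message ties the change to keeping custom messages out of the status line, which is the reason I infer here. The two catch blocks that follow are unchanged and the method body continues past the end of the hunk.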
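Review bot: `Boolean.valueOf(System.getProperty(..., "false")).booleanValue()` in the new `USE_CUSTOM_STATUS_MSG_IN_HEADER` initializer is the long form of `Boolean.getBoolean("org.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER")`, which reads the same property and likewise yields false when it is unset. Because the field is `static final`, the property is read once when `Constants` is initialized, and the Javadoc should say so, e.g. `* Read once when this class is initialized; the system property must be set before the connector classes load. Defaults to false.` The systemprops.xml hunk later in this commit spells the property name with a space after `org.apache.coyote.`, which may be a line-wrapping artifact but is worth checking against this string literal.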
@@ -917,7 +917,10 @@
 // HTTP header contents
 responseHeaderMessage.appendInt(response.getStatus());
- String message = response.getMessage();
+ String message = null;
+ if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER) {
+ message = response.getMessage();
+ }
 if (message == null){
 message = HttpMessages.getMessage(response.getStatus());
 } else {
Modified: tomcat/trunk/java/org/apache/coyote/ajp/AjpProcessor.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/ajp/AjpProcessor.java?rev=673796&r1=673795&r2=673796&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/ajp/AjpProcessor.java (original)
+++ tomcat/trunk/java/org/apache/coyote/ajp/AjpProcessor.java Thu Jul 3 13:52:42 2008
@@ -923,7 +923,10 @@
 // HTTP header contents
 responseHeaderMessage.appendInt(response.getStatus());
- String message = response.getMessage();
+ String message = null;
+ if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER) {
+ message = response.getMessage();
+ }
 if (message == null){
 message = HttpMessages.getMessage(response.getStatus());
 } else {
Modified: tomcat/trunk/java/org/apache/coyote/http11/InternalAprOutputBuffer.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/InternalAprOutputBuffer.java?rev=673796&r1=673795&r2=673796&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http11/InternalAprOutputBuffer.java (original)
+++ tomcat/trunk/java/org/apache/coyote/http11/InternalAprOutputBuffer.java Thu Jul 3 13:52:42 2008
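Review bot: The flag gate `String message = null; if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER) { message = response.getMessage(); }` is copied verbatim into six places (this hunk, the AjpProcessor hunk on the same line, JkInputStream and the three http11 output buffers), so the policy for what is allowed to reach the status line now lives in six files. A single static helper on the coyote side, for instance next to `HttpMessages.getMessage(int)`, taking the status and the custom message and returning the text to emit, would keep the flag check and the CR/LF filtering in one place and make a later tightening a one-file change. The `else` branch that consumes the custom message is outside this hunk, so whether the AJP connectors apply the same `\r`/`\n` replacement as the http11 buffers cannot be confirmed from the diff.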
@@ -421,11 +421,14 @@
 buf[pos++] = Constants.SP;
 // Write message
- String message = response.getMessage();
+ String message = null;
+ if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER) {
+ message = response.getMessage();
+ }
 if (message == null) {
 write(HttpMessages.getMessage(status));
 } else {
- write(message);
+ write(message.replace('\n', ' ').replace('\r', ' '));
 }
 // End the response status line
Modified: tomcat/trunk/java/org/apache/coyote/http11/InternalNioOutputBuffer.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/InternalNioOutputBuffer.java?rev=673796&r1=673795&r2=673796&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http11/InternalNioOutputBuffer.java (original)
+++ tomcat/trunk/java/org/apache/coyote/http11/InternalNioOutputBuffer.java Thu Jul 3 13:52:42 2008
@@ -478,11 +478,14 @@
 buf[pos++] = Constants.SP;
 // Write message
- String message = response.getMessage();
+ String message = null;
+ if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER) {
+ message = response.getMessage();
+ }
 if (message == null) {
 write(HttpMessages.getMessage(status));
 } else {
- write(message);
+ write(message.replace('\n', ' ').replace('\r', ' '));
 }
 // End the response status line
Modified: tomcat/trunk/java/org/apache/coyote/http11/InternalOutputBuffer.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/InternalOutputBuffer.java?rev=673796&r1=673795&r2=673796&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http11/InternalOutputBuffer.java (original)
+++ tomcat/trunk/java/org/apache/coyote/http11/InternalOutputBuffer.java Thu Jul 3 13:52:42 2008
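Review bot: `write(message.replace('\n', ' ').replace('\r', ' '))` strips only the two characters that terminate a header line; the HTTP/1.1 reason phrase is TEXT excluding CR and LF, and TEXT itself excludes the other control characters, so a custom message containing, say, a NUL or a 0x7F still goes out on the status line unchanged. A tighter filter would map every char below 0x20 and 0x7F to a space (one small loop over `message.toCharArray()` before `write`), and the same applies to the InternalNioOutputBuffer hunk on this line and the InternalOutputBuffer hunk that follows. How `write(String)` encodes chars above U+00FF is outside the hunk; the systemprops.xml text puts the ISO-8859-1 requirement on the deployer, so a comment here such as `// Status line is emitted without re-encoding; deployers must keep custom messages to ISO-8859-1` would keep that expectation next to the code. Since the flag defaults to false this path is opt-in, so this is hardening rather than a blocker.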
@@ -438,11 +438,14 @@
 buf[pos++] = Constants.SP;
 // Write message
- String message = response.getMessage();
+ String message = null;
+ if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER) {
+ message = response.getMessage();
+ }
 if (message == null) {
- write(getMessage(status));
+ write(HttpMessages.getMessage(status));
 } else {
- write(message);
+ write(message.replace('\n', ' ').replace('\r', ' '));
 }
 // End the response status line
Modified: tomcat/trunk/java/org/apache/jk/common/JkInputStream.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/jk/common/JkInputStream.java?rev=673796&r1=673795&r2=673796&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/jk/common/JkInputStream.java (original)
+++ tomcat/trunk/java/org/apache/jk/common/JkInputStream.java Thu Jul 3 13:52:42 2008
@@ -272,7 +272,10 @@
 outputMsg.appendByte(AjpConstants.JK_AJP13_SEND_HEADERS);
 outputMsg.appendInt( res.getStatus() );
- String message=res.getMessage();
+ String message = null;
+ if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER) {
+ message = res.getMessage();
+ }
 if( message==null ){
 message= HttpMessages.getMessage(res.getStatus());
 } else {
Modified: tomcat/trunk/webapps/docs/config/systemprops.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/systemprops.xml?rev=673796&r1=673795&r2=673796&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/systemprops.xml (original)
+++ tomcat/trunk/webapps/docs/config/systemprops.xml Thu Jul 3 13:52:42 2008
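Review bot: `write(getMessage(status))` becomes `write(HttpMessages.getMessage(status))`, which brings this buffer in line with the APR and NIO buffers, but the unqualified `getMessage(int)` it replaced (presumably a member of this class or an inherited/imported helper) is not touched anywhere in the diff. If this was its last caller it should be removed in the same commit, otherwise the two lookups can drift apart again. The JkInputStream hunk below repeats the flag gate already discussed for AjpAprProcessor, with its `else` branch likewise outside the hunk.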
@@ -189,6 +189,15 @@
 be used.</p>
 </property>
+ <property
+ name="org.apache.coyote. USE_CUSTOM_STATUS_MSG_IN_HEADER"><p>If this is
+ <code>true</code> custom HTTP status messages will be used within HTTP
+ headers. Users must ensure that any such message is ISO-8859-1 encoded,
+ particularly if user provided input is included in the message, to prevent
+ a possible XSS vulnerability. If not specified the default value of
+ <code>false</code> will be used.</p>
+ </property>
+
 </properties>
 </section>
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]