Re: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/http HttpProcessor.java
On Thu, Aug 09, 2001 at 07:43:00PM -, [EMAIL PROTECTED] wrote: > craigmcc01/08/09 12:43:00 > ... > Make request URIs the contain "/..." (or any longer series of periods) > invalid. On some (all?) Windows platforms, this causes the OS to walk the > directory tree just like "../../.." type sequences do. ... Is this a "feature" (I mean a documented thing) or a bug? And: if a bug then - just theoretically - is that a goood decision to program for bugs? Even if you get away with this thing at URL parsing you wil get it back at places that you can't control - you can't be safe until the bug is not fixed on the platform itself. (Otherwise on my NT4 (SP6) the etc. works at the DOS prompt mostly like a single dot. So here are some "remain in place" commands: cd . cd cd . But: cd \... type commands sometimes succeed, sometimes raise an "The system cannot find the path specified" message and I'm lazy to try to figure out what is the rule behind this boring error.) incze
Re: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/http HttpProcessor.java
> > +// Prevent encoding '%', '/', '.' and '\', which are
> > special reserved
> > +// characters
> > +if ((normalized.indexOf("%25") > 0) ||
> > (normalized.indexOf("%2F") > 0)
> > +|| (normalized.indexOf("%2E") > 0)
> > +|| (normalized.indexOf("%5C") > 0)) {
> > +return null;
> > +}
>
> I think these comparisons should be >= instead of >.
If any of you can still commit, can you please fix it (I can't do anything
CVS related at the moment).
Remy
RE: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/http HttpProcessor.java
> remm01/07/16 18:04:29
>
> Modified:catalina/src/share/org/apache/catalina/connector/http
> HttpProcessor.java
> Log:
> - %25, %2F, %2E and %5C are now forbidden in the request URI. I
> hope this
> is not a problem with multi-byte characters.
> - Medium risk fix : always finish the response. That could lead
> to connection
> management problems. That has to be changed since otherwise
> no HTTP error
> report would be generated when something bad happened when parsing
> the request.
>
> +// Prevent encoding '%', '/', '.' and '\', which are
> special reserved
> +// characters
> +if ((normalized.indexOf("%25") > 0) ||
> (normalized.indexOf("%2F") > 0)
> +|| (normalized.indexOf("%2E") > 0)
> +|| (normalized.indexOf("%5C") > 0)) {
> +return null;
> +}
I think these comparisons should be >= instead of >.
Re: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/http HttpProcessor.java
> This code will do a case sensitive comparison. So, for example, %2E will be > forbidden, but %2e will be allowed. Escapes are not case sensitive. Yes, I forgot about it. Remy
RE: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/http HttpProcessor.java
> remm01/07/16 18:04:29
>
> Modified:catalina/src/share/org/apache/catalina/connector/http
> HttpProcessor.java
> Log:
> - %25, %2F, %2E and %5C are now forbidden in the request URI. I
> hope this
> is not a problem with multi-byte characters.
> - Medium risk fix : always finish the response. That could lead
> to connection
> management problems. That has to be changed since otherwise
> no HTTP error
> report would be generated when something bad happened when parsing
> the request.
>
> +// Prevent encoding '%', '/', '.' and '\', which are
> special reserved
> +// characters
> +if ((normalized.indexOf("%25") > 0) ||
> (normalized.indexOf("%2F") > 0)
> +|| (normalized.indexOf("%2E") > 0)
> +|| (normalized.indexOf("%5C") > 0)) {
> +return null;
> +}
This code will do a case sensitive comparison. So, for example, %2E will be
forbidden, but %2e will be allowed. Escapes are not case sensitive.
