Author: markt Date: Wed Jul 30 13:38:44 2008 New Revision: 681197 URL: http://svn.apache.org/viewvc?rev=681197&view=rev Log: Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=43079 and https://issues.apache.org/bugzilla/show_bug.cgi?id=43080 Move odd url-pattern warning to StandardContext so a) we catch all patterns and b) it isn't logged to the wrong webapp Based on a patch by John Kew
Modified: tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/core/StandardContext.java tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/deploy/SecurityCollection.java tomcat/container/tc5.5.x/webapps/docs/changelog.xml tomcat/current/tc5.5.x/STATUS.txt
Modified: tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/core/StandardContext.java
URL: http://svn.apache.org/viewvc/tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/core/StandardContext.java?rev=681197&r1=681196&r2=681197&view=diff
==============================================================================
--- tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/core/StandardContext.java (original)
+++ tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/core/StandardContext.java Wed Jul 30 13:38:44 2008
@@ -4837,20 +4837,38 @@ getLogger().warn(sm.getString("standardContext.crlfinurl",urlPattern)); } if (urlPattern.startsWith("*.")) { - if (urlPattern.indexOf('/') < 0) + if (urlPattern.indexOf('/') < 0) { + checkUnusualURLPattern(urlPattern); return (true); - else + } else return (false); } if ( (urlPattern.startsWith("/")) && - (urlPattern.indexOf("*.") < 0)) + (urlPattern.indexOf("*.") < 0)) { + checkUnusualURLPattern(urlPattern); return (true); - else + } else return (false); } + /** + * Check for unusual but valid <code><url-pattern></code>s. + * See Bugzilla 34805, 43079 & 43080 + */ + private void checkUnusualURLPattern(String urlPattern) { + if (log.isInfoEnabled()) { + if(urlPattern.endsWith("*") && (urlPattern.length() < 2 || + urlPattern.charAt(urlPattern.length()-2) != '/')) { + log.info("Suspicious url pattern: \"" + urlPattern + "\"" + + " in context [" + getName() + "] - see" + + " section SRV.11.2 of the Servlet specification" ); + } + } + } + + // ------------------------------------------------------------- Operations Modified: tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/deploy/SecurityCollection.java URL: http://svn.apache.org/viewvc/tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/deploy/SecurityCollection.java?rev=681197&r1=681196&r2=681197&view=diff ============================================================================== --- tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/deploy/SecurityCollection.java (original) +++ tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/deploy/SecurityCollection.java Wed Jul 30 13:38:44 2008 @@ -21,9 +21,6 @@ import org.apache.catalina.util.RequestUtil; -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; - import java.io.Serializable; 
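Review bot: In the new `checkUnusualURLPattern`, the message is written with `log.info` behind `log.isInfoEnabled()`, so a server logging at WARN never shows it, while the CRLF warning in the context lines at the top of this hunk goes through `getLogger().warn(...)`. Since the check was moved here from SecurityCollection to "catch all patterns", it presumably still covers security-constraint patterns, where something like `/admin*` (constructed example) is an exact match under SRV.11.2 rather than a prefix and can leave the paths the deployer meant to protect unconstrained with no visible message. I would drop the `isInfoEnabled()` guard and emit at warn level through the container logger, e.g. `getLogger().warn("Suspicious url pattern: \"" + urlPattern + "\" in context [" + getName() + "] - see section SRV.11.2 of the Servlet specification");`. `log` is declared outside the hunk, so which logger it is bound to should be confirmed, and the enclosing validation method that calls this helper starts above the hunk.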
@@ -44,9 +41,6 @@ public class SecurityCollection implements Serializable { - private static Log log = LogFactory.getLog(SecurityCollection.class); - - // ----------------------------------------------------------- Constructors @@ -188,17 +182,6 @@ if (pattern == null) return; - // Bugzilla 34805: add friendly warning. - if(pattern.endsWith("*")) { - if (pattern.charAt(pattern.length()-1) != '/') { - if (log.isDebugEnabled()) { - log.warn("Suspicious url pattern: \"" + pattern + "\"" + - " - see http://java.sun.com/aboutJava/communityprocess/first/jsr053/servlet23_PFD.pdf" + - " section 11.2" ); - } - } - } - pattern = RequestUtil.URLDecode(pattern); String results[] = new String[patterns.length + 1]; for (int i = 0; i < patterns.length; i++) { Modified: tomcat/container/tc5.5.x/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/container/tc5.5.x/webapps/docs/changelog.xml?rev=681197&r1=681196&r2=681197&view=diff ============================================================================== --- tomcat/container/tc5.5.x/webapps/docs/changelog.xml (original) +++ tomcat/container/tc5.5.x/webapps/docs/changelog.xml Wed Jul 30 13:38:44 2008 @@ -54,6 +54,14 @@ context.xml files. (markt) </fix> <fix> + <bug>43079</bug>: Correct pattern verification for suspicious URLs. + Patch provided by John Kew. (markt) + </fix> + <fix> + <bug>43080</bug>: Log suspicious URL pattern warnings to the correct + web application. (markt) + </fix> + <fix> <bug>43117</bug>: Setting an empty workDIR could delete all of CATALINA_HOME. Patch provided by Takayuki Kaneko. (markt) </fix> Modified: tomcat/current/tc5.5.x/STATUS.txt URL: http://svn.apache.org/viewvc/tomcat/current/tc5.5.x/STATUS.txt?rev=681197&r1=681196&r2=681197&view=diff ============================================================================== --- tomcat/current/tc5.5.x/STATUS.txt (original) +++ tomcat/current/tc5.5.x/STATUS.txt Wed Jul 30 13:38:44 2008 
@@ -86,15 +86,6 @@ +1: markt, yoavs -1: -* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=43079 - and https://issues.apache.org/bugzilla/show_bug.cgi?id=43080 - http://svn.apache.org/viewvc?rev=653195&view=rev - Move odd url-pattern warning to StandardContext so a) we catch all patterns - and b) it isn't logged to the wrong webapp - Based on a patch by John Kew - +1: markt, fhanik, yoavs - -1: - * Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=44021 and https://issues.apache.org/bugzilla/show_bug.cgi?id=43013 Add support for # to signify multi-level contexts for directories and