craigmcc 01/03/30 11:33:39
Modified: catalina/src/share/org/apache/catalina/core
LocalStrings.properties StandardContextMapper.java
StandardContextValve.java StandardWrapperValve.java
catalina/src/share/org/apache/catalina/util RequestUtil.java
Log:
Fix for the "Tomcat may reveal script source code by URL trickery"
security vulnerability reported by Sverre H. Huseby (2001-03-29). The
problem was that we were not URL decoding the servletPath and pathInfo
parts of a request URI at all (which is a spec violation as well).
In addition, fixed one more case where the cross-site scripting
vulnerability problem reported earlier could have bitten us.
Revision Changes Path
1.26 +182 -180
jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core/LocalStrings.properties
Index: LocalStrings.properties
===================================================================
RCS file:
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core/LocalStrings.properties,v
retrieving revision 1.25
retrieving revision 1.26
diff -u -r1.25 -r1.26
--- LocalStrings.properties 2001/03/26 03:22:35 1.25
+++ LocalStrings.properties 2001/03/30 19:33:37 1.26
@@ -1,180 +1,182 @@
-applicationContext.attributeEvent=Exception thrown by attributes event listener
-applicationContext.requestDispatcher.iae=Path {0} does not start with a "/"
character
-applicationDispatcher.allocateException=Allocate exception for servlet {0}
-applicationDispatcher.deallocateException=Deallocate exception for servlet {0}
-applicationDispatcher.forward.ise=Cannot forward after response has been committed
-applicationDispatcher.forward.throw=Forwarded resource threw an exception
-applicationDispatcher.include.throw=Included resource threw an exception
-applicationDispatcher.isUnavailable=Servlet {0} is currently unavailable
-applicationDispatcher.serviceException=Servlet.service() for servlet {0} threw
exception
-applicationRequest.badParent=Cannot locate parent Request implementation
-applicationRequest.badRequest=Request is not a javax.servlet.ServletRequestWrapper
-applicationResponse.badParent=Cannot locate parent Response implementation
-applicationResponse.badResponse=Response is not a
javax.servlet.ServletResponseWrapper
-containerBase.addDefaultMapper=Exception configuring default mapper of class {0}
-containerBase.alreadyStarted=Container has already been started
-containerBase.notConfigured=No basic Valve has been configured
-containerBase.notStarted=Container has not been started
-filterChain.filter=Filter execution threw an exception
-filterChain.servlet=Servlet execution threw an exception
-httpContextMapper.container=This container is not a StandardContext
-httpEngineMapper.container=This container is not a StandardEngine
-httpHostMapper.container=This container is not a StandardHost
-interceptorValve.alreadyStarted=InterceptorValve has already been started
-interceptorValve.notStarted=InterceptorValve has not yet been started
-standardContext.alreadyStarted=Context has already been started
-standardContext.applicationListener=Error configuring application listener of class
{0}
-standardContext.applicationSkipped=Skipped installing application listeners due to
previous error(s)
-standardContext.errorPage.error=Error page location {0} must start with a '/'
-standardContext.errorPage.required=ErrorPage cannot be null
-standardContext.errorPage.warning=WARNING: Error page location {0} must start with
a '/' in Servlet 2.3
-standardContext.filterMap.either=Filter mapping must specify either a <url-pattern>
or a <servlet-name>
-standardContext.filterMap.name=Filter mapping specifies an unknown filter name {0}
-standardContext.filterMap.pattern=Invalid <url-pattern> {0} in filter mapping
-standardContext.filterStart=Exception starting filter {0}
-standardContext.isUnavailable=This application is not currently available
-standardContext.listenerStart=Exception sending context initialized event to
listener instance of class {0}
-standardContext.listenerStop=Exception sending context destroyed event to listener
instance of class {0}
-standardContext.loginConfig.errorPage=Form error page {0} must start with a '/'
-standardContext.loginConfig.errorWarning=WARNING: Form error page {0} must start
with a '/' in Servlet 2.3
-standardContext.loginConfig.loginPage=Form login page {0} must start with a '/'
-standardContext.loginConfig.loginWarning=WARNING: Form login page {0} must start
with a '/' in Servlet 2.3
-standardContext.loginConfig.required=LoginConfig cannot be null
-standardContext.managerLoad=Exception loading sessions from persistent storage
-standardContext.managerUnload=Exception unloading sessions to persistent storage
-standardContext.mappingError=MAPPING configuration error for relative URI {0}
-standardContext.notFound=The requested resource ({0}) is not available.
-standardContext.notReloadable=Reloading is disabled on this Context
-standardContext.notStarted=Context has not yet been started
-standardContext.notWrapper=Child of a Context must be a Wrapper
-standardContext.parameter.duplicate=Duplicate context initialization parameter {0}
-standardContext.parameter.required=Both parameter name and parameter value are
required
-standardContext.reloadingCompleted=Reloading this Context is completed
-standardContext.reloadingStarted=Reloading this Context has started
-standardContext.securityConstraint.pattern=Invalid <url-pattern> {0} in security
constraint
-standardContext.servletMap.name=Servlet mapping specifies an unknown servlet name
{0}
-standardContext.servletMap.pattern=Invalid <url-pattern> {0} in servlet mapping
-standardContext.startingLoader=Exception starting Loader
-standardContext.startingManager=Exception starting Manager
-standardContext.startingWrapper=Exception starting Wrapper for servlet {0}
-standardContext.stoppingLoader=Exception stopping Loader
-standardContext.stoppingManager=Exception stopping Manager
-standardContext.stoppingWrapper=Exception stopping Wrapper for servlet {0}
-standardContext.urlPattern.patternWarning=WARNING: URL pattern {0} must start with
a '/' in Servlet 2.3
-standardContext.wrapper.error=JSP file {0} must start with a '/'
-standardContext.wrapper.warning=WARNING: JSP file {0} must start with a '/' in
Servlet 2.3
-standardContext.invalidEnvEntryValue={0} environment entry has an invalid value for
specified type
-standardContext.invalidEnvEntryType={0} environment entry has an invalid type
-standardContext.bindFailed=Bind naming operation failed : {0}
-standardContext.namingInitFailed=Error initializing naming context for context {0}
-standardEngine.alreadyStarted=Engine has already been started
-standardEngine.mappingError=MAPPING configuration error for server name {0}
-standardEngine.notHost=Child of an Engine must be a Host
-standardEngine.notParent=Engine cannot have a parent Container
-standardEngine.notStarted=Engine has not yet been started
-standardEngine.unfoundHost=Virtual host {0} not found
-standardEngine.unknownHost=No server host specified in this request
-standardHost.accessBase=Cannot access document base directory {0}
-standardHost.alreadyStarted=Host has already been started
-standardHost.appBase=Application base directory {0} does not exist
-standardHost.installing=Installing web application at context path {0} from URL {1}
-standardHost.installError=Error deploying application at context path {0}
-standardHost.docBase=Document base directory {0} already exists
-standardHost.mappingError=MAPPING configuration error for request URI {0}
-standardHost.noContext=No Context configured to process this request
-standardHost.noHost=No Host configured to process this request
-standardHost.notContext=Child of a Host must be a Context
-standardHost.notStarted=Host has not yet been started
-standardHost.nullName=Host name is required
-standardHost.pathFormat=Invalid context path: {0}
-standardHost.pathMissing=Context path {0} is not currently in use
-standardHost.pathRequired=Context path is required
-standardHost.pathUsed=Context path {0} is already in use
-standardHost.removing=Removing web application at context path {0}
-standardHost.removeError=Error removing application at context path {0}
-standardHost.start=Starting web application at context path {0}
-standardHost.stop=Stopping web application at context path {0}
-standardHost.unfoundContext=Cannot find context for request URI {0}
-standardHost.warRequired=URL to web application archive is required
-standardHost.warURL=Invalid URL for web application archive: {0}
-standardPipeline.alreadyStarted=Pipeline has already been started
-standardPipeline.notStarted=Pipeline has not been started
-standardPipeline.noValve=No more Valves in the Pipeline processing this request
-standardServer.addContainer.ise=No connectors available to associate this container
with
-standardServer.start.connectors=At least one connector is not associated with any
container
-standardServer.start.started=This server has already been started
-standardServer.stop.notStarted=This server has not yet been started
-standardService.start.name=Starting service {0}
-standardService.start.started=This service has already been started
-standardService.stop.name=Stopping service {0}
-standardService.stop.notStarted=This service has not yet been started
-standardWrapper.allocate=Error allocating a servlet instance
-standardWrapper.allocateException=Allocate exception for servlet {0}
-standardWrapper.containerServlet=Loading container servlet {0}
-standardWrapper.createFilters=Create filters exception for servlet {0}
-standardWrapper.deallocateException=Deallocate exception for servlet {0}
-standardWrapper.destroyException=Servlet.destroy() for servlet {0} threw exception
-standardWrapper.exception0=Tomcat Exception Report
-standardWrapper.exception1=A Servlet Exception Has Occurred
-standardWrapper.exception2=Exception Report:
-standardWrapper.exception3=Root Cause:
-standardWrapper.initException=Servlet.init() for servlet {0} threw exception
-standardWrapper.instantiate=Error instantiating servlet class {0}
-standardWrapper.isUnavailable=Servlet {0} is currently unavailable
-standardWrapper.jasperLoader=Using Jasper classloader for servlet {0}
-standardWrapper.jspFile.format=JSP file {0} does not start with a '/' character
-standardWrapper.loadException=Servlet {0} threw load() exception
-standardWrapper.missingClass=Wrapper cannot find servlet class {0} or a class it
depends on
-standardWrapper.missingLoader=Wrapper cannot find Loader for servlet {0}
-standardWrapper.notChild=Wrapper container may not have child containers
-standardWrapper.notClass=No servlet class has been specified for servlet {0}
-standardWrapper.notContext=Parent container of a Wrapper must be a Context
-standardWrapper.notServlet=Class {0} is not a Servlet
-standardWrapper.releaseFilters=Release filters exception for servlet {0}
-standardWrapper.serviceException=Servlet.service() for servlet {0} threw exception
-standardWrapper.statusHeader=HTTP Status {0} - {1}
-standardWrapper.statusTitle=Tomcat Error Report
-standardWrapper.unavailable=Marking servlet {0} as unavailable
-standardWrapper.unloadException=Servlet {0} threw unload() exception
-http.100=The client may continue ({0}).
-http.101=The server is switching protocols according to the "Upgrade" header ({0}).
-http.201=The request succeeded and a new resource ({0}) has been created on the
server.
-http.202=This request was accepted for processing, but has not been completed ({0}).
-http.203=The meta information presented by the client did not originate from the
server ({0}).
-http.204=The request succeeded but there is no information to return ({0}).
-http.205=The client should reset the document view which caused this request to be
sent ({0}).
-http.206=The server has fulfilled a partial GET request for this resource ({0}).
-http.207=Multiple status values have been returned ({0}).
-http.300=The requested resource ({0}) corresponds to any one of a set of
representations, each with its own specific location.
-http.301=The requested resource ({0}) has moved permanently to a new location.
-http.302=The requested resource ({0}) has moved temporarily to a new location.
-http.303=The response to this request can be found under a different URI ({0}).
-http.304=The requested resource ({0}) is available and has not been modified.
-http.305=The requested resource ({0}) must be accessed through the proxy given by
the "Location" header.
-http.400=The request sent by the client was syntactically incorrect ({0}).
-http.401=This request requires HTTP authentication ({0}).
-http.402=Payment is required for access to this resource ({0}).
-http.403=Access to the specified resource ({0}) has been forbidden.
-http.404=The requested resource ({0}) is not available.
-http.405=The specified HTTP method is not allowed for the requested resource ({0}).
-http.406=The resource identified by this request is only capable of generating
responses with characteristics not acceptable according to the request "accept"
headers ({0}).
-http.407=The client must first authenticate itself with the proxy ({0}).
-http.408=The client did not produce a request within the time that the server was
prepared to wait ({0}).
-http.409=The request could not be completed due to a conflict with the current
state of the resource ({0}).
-http.410=The requested resource ({0}) is no longer available, and no forwarding
address is known.
-http.411=This request cannot be handled without a defined content length ({0}).
-http.412=A specified precondition has failed for this request ({0}).
-http.413=The request entity is larger than the server is willing or able to process.
-http.414=The server refused this request because the request URI was too long ({0}).
-http.415=The server refused this request because the request entity is in a format
not supported by the requested resource for the requested method ({0}).
-http.416=The requested byte range cannot be satisfied ({0}).
-http.417=The expectation given in the "Expect" request header ({0}) could not be
fulfilled.
-http.422=The server understood the content type and syntax of the request but was
unable to process the contained instructions ({0}).
-http.423=The source or destination resource of a method is locked ({0}).
-http.500=The server encountered an internal error ({0}) that prevented it from
fulfilling this request.
-http.501=The server does not support the functionality needed to fulfill this
request ({0}).
-http.502=This server received an invalid response from a server it consulted when
acting as a proxy or gateway ({0}).
-http.503=The requested service ({0}) is not currently available.
-http.504=The server received a timeout from an upstream server while acting as a
gateway or proxy ({0}).
-http.505=The server does not support the requested HTTP protocol version ({0}).
-http.507=The resource does not have sufficient space to record the state of the
resource after execution of this method ({0}).
+applicationContext.attributeEvent=Exception thrown by attributes event listener
+applicationContext.requestDispatcher.iae=Path {0} does not start with a "/"
character
+applicationDispatcher.allocateException=Allocate exception for servlet {0}
+applicationDispatcher.deallocateException=Deallocate exception for servlet {0}
+applicationDispatcher.forward.ise=Cannot forward after response has been committed
+applicationDispatcher.forward.throw=Forwarded resource threw an exception
+applicationDispatcher.include.throw=Included resource threw an exception
+applicationDispatcher.isUnavailable=Servlet {0} is currently unavailable
+applicationDispatcher.serviceException=Servlet.service() for servlet {0} threw
exception
+applicationRequest.badParent=Cannot locate parent Request implementation
+applicationRequest.badRequest=Request is not a javax.servlet.ServletRequestWrapper
+applicationResponse.badParent=Cannot locate parent Response implementation
+applicationResponse.badResponse=Response is not a
javax.servlet.ServletResponseWrapper
+containerBase.addDefaultMapper=Exception configuring default mapper of class {0}
+containerBase.alreadyStarted=Container has already been started
+containerBase.notConfigured=No basic Valve has been configured
+containerBase.notStarted=Container has not been started
+filterChain.filter=Filter execution threw an exception
+filterChain.servlet=Servlet execution threw an exception
+httpContextMapper.container=This container is not a StandardContext
+httpEngineMapper.container=This container is not a StandardEngine
+httpHostMapper.container=This container is not a StandardHost
+interceptorValve.alreadyStarted=InterceptorValve has already been started
+interceptorValve.notStarted=InterceptorValve has not yet been started
+standardContext.alreadyStarted=Context has already been started
+standardContext.applicationListener=Error configuring application listener of class
{0}
+standardContext.applicationSkipped=Skipped installing application listeners due to
previous error(s)
+standardContext.badRequest=Invalid request path ({0}).
+standardContext.errorPage.error=Error page location {0} must start with a '/'
+standardContext.errorPage.required=ErrorPage cannot be null
+standardContext.errorPage.warning=WARNING: Error page location {0} must start with
a '/' in Servlet 2.3
+standardContext.filterMap.either=Filter mapping must specify either a <url-pattern>
or a <servlet-name>
+standardContext.filterMap.name=Filter mapping specifies an unknown filter name {0}
+standardContext.filterMap.pattern=Invalid <url-pattern> {0} in filter mapping
+standardContext.filterStart=Exception starting filter {0}
+standardContext.isUnavailable=This application is not currently available
+standardContext.listenerStart=Exception sending context initialized event to
listener instance of class {0}
+standardContext.listenerStop=Exception sending context destroyed event to listener
instance of class {0}
+standardContext.loginConfig.errorPage=Form error page {0} must start with a '/'
+standardContext.loginConfig.errorWarning=WARNING: Form error page {0} must start
with a '/' in Servlet 2.3
+standardContext.loginConfig.loginPage=Form login page {0} must start with a '/'
+standardContext.loginConfig.loginWarning=WARNING: Form login page {0} must start
with a '/' in Servlet 2.3
+standardContext.loginConfig.required=LoginConfig cannot be null
+standardContext.managerLoad=Exception loading sessions from persistent storage
+standardContext.managerUnload=Exception unloading sessions to persistent storage
+standardContext.mappingError=MAPPING configuration error for relative URI {0}
+standardContext.notFound=The requested resource ({0}) is not available.
+standardContext.notReloadable=Reloading is disabled on this Context
+standardContext.notStarted=Context has not yet been started
+standardContext.notWrapper=Child of a Context must be a Wrapper
+standardContext.parameter.duplicate=Duplicate context initialization parameter {0}
+standardContext.parameter.required=Both parameter name and parameter value are
required
+standardContext.reloadingCompleted=Reloading this Context is completed
+standardContext.reloadingStarted=Reloading this Context has started
+standardContext.securityConstraint.pattern=Invalid <url-pattern> {0} in security
constraint
+standardContext.servletMap.name=Servlet mapping specifies an unknown servlet name
{0}
+standardContext.servletMap.pattern=Invalid <url-pattern> {0} in servlet mapping
+standardContext.startingLoader=Exception starting Loader
+standardContext.startingManager=Exception starting Manager
+standardContext.startingWrapper=Exception starting Wrapper for servlet {0}
+standardContext.stoppingLoader=Exception stopping Loader
+standardContext.stoppingManager=Exception stopping Manager
+standardContext.stoppingWrapper=Exception stopping Wrapper for servlet {0}
+standardContext.urlDecode=Cannot URL decode request path {0}
+standardContext.urlPattern.patternWarning=WARNING: URL pattern {0} must start with
a '/' in Servlet 2.3
+standardContext.wrapper.error=JSP file {0} must start with a '/'
+standardContext.wrapper.warning=WARNING: JSP file {0} must start with a '/' in
Servlet 2.3
+standardContext.invalidEnvEntryValue={0} environment entry has an invalid value for
specified type
+standardContext.invalidEnvEntryType={0} environment entry has an invalid type
+standardContext.bindFailed=Bind naming operation failed : {0}
+standardContext.namingInitFailed=Error initializing naming context for context {0}
+standardEngine.alreadyStarted=Engine has already been started
+standardEngine.mappingError=MAPPING configuration error for server name {0}
+standardEngine.notHost=Child of an Engine must be a Host
+standardEngine.notParent=Engine cannot have a parent Container
+standardEngine.notStarted=Engine has not yet been started
+standardEngine.unfoundHost=Virtual host {0} not found
+standardEngine.unknownHost=No server host specified in this request
+standardHost.accessBase=Cannot access document base directory {0}
+standardHost.alreadyStarted=Host has already been started
+standardHost.appBase=Application base directory {0} does not exist
+standardHost.installing=Installing web application at context path {0} from URL {1}
+standardHost.installError=Error deploying application at context path {0}
+standardHost.docBase=Document base directory {0} already exists
+standardHost.mappingError=MAPPING configuration error for request URI {0}
+standardHost.noContext=No Context configured to process this request
+standardHost.noHost=No Host configured to process this request
+standardHost.notContext=Child of a Host must be a Context
+standardHost.notStarted=Host has not yet been started
+standardHost.nullName=Host name is required
+standardHost.pathFormat=Invalid context path: {0}
+standardHost.pathMissing=Context path {0} is not currently in use
+standardHost.pathRequired=Context path is required
+standardHost.pathUsed=Context path {0} is already in use
+standardHost.removing=Removing web application at context path {0}
+standardHost.removeError=Error removing application at context path {0}
+standardHost.start=Starting web application at context path {0}
+standardHost.stop=Stopping web application at context path {0}
+standardHost.unfoundContext=Cannot find context for request URI {0}
+standardHost.warRequired=URL to web application archive is required
+standardHost.warURL=Invalid URL for web application archive: {0}
+standardPipeline.alreadyStarted=Pipeline has already been started
+standardPipeline.notStarted=Pipeline has not been started
+standardPipeline.noValve=No more Valves in the Pipeline processing this request
+standardServer.addContainer.ise=No connectors available to associate this container
with
+standardServer.start.connectors=At least one connector is not associated with any
container
+standardServer.start.started=This server has already been started
+standardServer.stop.notStarted=This server has not yet been started
+standardService.start.name=Starting service {0}
+standardService.start.started=This service has already been started
+standardService.stop.name=Stopping service {0}
+standardService.stop.notStarted=This service has not yet been started
+standardWrapper.allocate=Error allocating a servlet instance
+standardWrapper.allocateException=Allocate exception for servlet {0}
+standardWrapper.containerServlet=Loading container servlet {0}
+standardWrapper.createFilters=Create filters exception for servlet {0}
+standardWrapper.deallocateException=Deallocate exception for servlet {0}
+standardWrapper.destroyException=Servlet.destroy() for servlet {0} threw exception
+standardWrapper.exception0=Tomcat Exception Report
+standardWrapper.exception1=A Servlet Exception Has Occurred
+standardWrapper.exception2=Exception Report:
+standardWrapper.exception3=Root Cause:
+standardWrapper.initException=Servlet.init() for servlet {0} threw exception
+standardWrapper.instantiate=Error instantiating servlet class {0}
+standardWrapper.isUnavailable=Servlet {0} is currently unavailable
+standardWrapper.jasperLoader=Using Jasper classloader for servlet {0}
+standardWrapper.jspFile.format=JSP file {0} does not start with a '/' character
+standardWrapper.loadException=Servlet {0} threw load() exception
+standardWrapper.missingClass=Wrapper cannot find servlet class {0} or a class it
depends on
+standardWrapper.missingLoader=Wrapper cannot find Loader for servlet {0}
+standardWrapper.notChild=Wrapper container may not have child containers
+standardWrapper.notClass=No servlet class has been specified for servlet {0}
+standardWrapper.notContext=Parent container of a Wrapper must be a Context
+standardWrapper.notServlet=Class {0} is not a Servlet
+standardWrapper.releaseFilters=Release filters exception for servlet {0}
+standardWrapper.serviceException=Servlet.service() for servlet {0} threw exception
+standardWrapper.statusHeader=HTTP Status {0} - {1}
+standardWrapper.statusTitle=Tomcat Error Report
+standardWrapper.unavailable=Marking servlet {0} as unavailable
+standardWrapper.unloadException=Servlet {0} threw unload() exception
+http.100=The client may continue ({0}).
+http.101=The server is switching protocols according to the "Upgrade" header ({0}).
+http.201=The request succeeded and a new resource ({0}) has been created on the
server.
+http.202=This request was accepted for processing, but has not been completed
({0}).
+http.203=The meta information presented by the client did not originate from the
server ({0}).
+http.204=The request succeeded but there is no information to return ({0}).
+http.205=The client should reset the document view which caused this request to be
sent ({0}).
+http.206=The server has fulfilled a partial GET request for this resource ({0}).
+http.207=Multiple status values have been returned ({0}).
+http.300=The requested resource ({0}) corresponds to any one of a set of
representations, each with its own specific location.
+http.301=The requested resource ({0}) has moved permanently to a new location.
+http.302=The requested resource ({0}) has moved temporarily to a new location.
+http.303=The response to this request can be found under a different URI ({0}).
+http.304=The requested resource ({0}) is available and has not been modified.
+http.305=The requested resource ({0}) must be accessed through the proxy given by
the "Location" header.
+http.400=The request sent by the client was syntactically incorrect ({0}).
+http.401=This request requires HTTP authentication ({0}).
+http.402=Payment is required for access to this resource ({0}).
+http.403=Access to the specified resource ({0}) has been forbidden.
+http.404=The requested resource ({0}) is not available.
+http.405=The specified HTTP method is not allowed for the requested resource ({0}).
+http.406=The resource identified by this request is only capable of generating
responses with characteristics not acceptable according to the request "accept"
headers ({0}).
+http.407=The client must first authenticate itself with the proxy ({0}).
+http.408=The client did not produce a request within the time that the server was
prepared to wait ({0}).
+http.409=The request could not be completed due to a conflict with the current
state of the resource ({0}).
+http.410=The requested resource ({0}) is no longer available, and no forwarding
address is known.
+http.411=This request cannot be handled without a defined content length ({0}).
+http.412=A specified precondition has failed for this request ({0}).
+http.413=The request entity is larger than the server is willing or able to
process.
+http.414=The server refused this request because the request URI was too long
({0}).
+http.415=The server refused this request because the request entity is in a format
not supported by the requested resource for the requested method ({0}).
+http.416=The requested byte range cannot be satisfied ({0}).
+http.417=The expectation given in the "Expect" request header ({0}) could not be
fulfilled.
+http.422=The server understood the content type and syntax of the request but was
unable to process the contained instructions ({0}).
+http.423=The source or destination resource of a method is locked ({0}).
+http.500=The server encountered an internal error ({0}) that prevented it from
fulfilling this request.
+http.501=The server does not support the functionality needed to fulfill this
request ({0}).
+http.502=This server received an invalid response from a server it consulted when
acting as a proxy or gateway ({0}).
+http.503=The requested service ({0}) is not currently available.
+http.504=The server received a timeout from an upstream server while acting as a
gateway or proxy ({0}).
+http.505=The server does not support the requested HTTP protocol version ({0}).
+http.507=The resource does not have sufficient space to record the state of the
resource after execution of this method ({0}).
1.2 +20 -3
jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core/StandardContextMapper.java
Index: StandardContextMapper.java
===================================================================
RCS file:
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core/StandardContextMapper.java,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- StandardContextMapper.java 2000/08/11 23:40:45 1.1
+++ StandardContextMapper.java 2001/03/30 19:33:37 1.2
@@ -1,7 +1,7 @@
/*
- * $Header:
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core/StandardContextMapper.java,v
1.1 2000/08/11 23:40:45 craigmcc Exp $
- * $Revision: 1.1 $
- * $Date: 2000/08/11 23:40:45 $
+ * $Header:
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core/StandardContextMapper.java,v
1.2 2001/03/30 19:33:37 craigmcc Exp $
+ * $Revision: 1.2 $
+ * $Date: 2001/03/30 19:33:37 $
*
* ====================================================================
*
@@ -65,6 +65,7 @@
package org.apache.catalina.core;
+import java.net.URLDecoder;
import javax.servlet.http.HttpServletRequest;
import org.apache.catalina.Container;
import org.apache.catalina.Context;
@@ -84,7 +85,7 @@
* <code>StandardContext</code>, because it relies on internal APIs.
*
* @author Craig R. McClanahan
- * @version $Revision: 1.1 $ $Date: 2000/08/11 23:40:45 $
+ * @version $Revision: 1.2 $ $Date: 2001/03/30 19:33:37 $
*/
public final class StandardContextMapper
@@ -176,6 +177,9 @@
*
* @param request Request being processed
* @param update Update the Request to reflect the mapping selection?
+ *
+ * @exception IllegalArgumentException if the relative portion of the
+ * path cannot be URL decoded
*/
public Container map(Request request, boolean update) {
@@ -195,6 +199,19 @@
context.log("Mapping contextPath='" + contextPath +
"' with requestURI='" + requestURI +
"' and relativeURI='" + relativeURI + "'");
+
+ // Decode the relative URI, because we will ultimately return both
+ // servletPath and pathInfo as decoded strings
+ try {
+ relativeURI = URLDecoder.decode(relativeURI);
+ if (debug >= 1)
+ context.log("Decoded relativeURI='" + relativeURI + "'");
+ } catch (Exception e) {
+ // context.log(sm.getString("standardContext.urlDecode",
+ // relativeURI), e);
+ throw new IllegalArgumentException
+ (sm.getString("standardContext.urlDecode", relativeURI));
+ }
// Apply the standard request URI mapping rules from the specification
Wrapper wrapper = null;
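Review bot: `URLDecoder.decode(relativeURI)` applies form-encoding rules rather than URI path rules, so a literal `+` in the path becomes a space and the bytes are read in the platform default charset; the servletPath and pathInfo derived below can then differ from what the client addressed. The decoded string can also newly contain `/../`, `//` or a NUL character (from `%2e%2e`, `%2f`, `%00`), and nothing in this hunk normalizes or rejects those before the mapping rules run; if map() does not do that elsewhere, it belongs right after the decode, and the decode should happen exactly once per request. The catch block discards the original exception and the log call is commented out, so a failed decode leaves no trace on the server; I would restore `context.log(sm.getString("standardContext.urlDecode", relativeURI), e);` before the throw. The body of map() starts and ends outside this hunk.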
1.9 +53 -6
jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core/StandardContextValve.java
Index: StandardContextValve.java
===================================================================
RCS file:
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core/StandardContextValve.java,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -r1.8 -r1.9
--- StandardContextValve.java 2001/03/14 02:17:21 1.8
+++ StandardContextValve.java 2001/03/30 19:33:37 1.9
@@ -1,7 +1,7 @@
/*
- * $Header:
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core/StandardContextValve.java,v
1.8 2001/03/14 02:17:21 craigmcc Exp $
- * $Revision: 1.8 $
- * $Date: 2001/03/14 02:17:21 $
+ * $Header:
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core/StandardContextValve.java,v
1.9 2001/03/30 19:33:37 craigmcc Exp $
+ * $Revision: 1.9 $
+ * $Date: 2001/03/30 19:33:37 $
*
* ====================================================================
*
@@ -79,6 +79,7 @@
import org.apache.catalina.Session;
import org.apache.catalina.ValveContext;
import org.apache.catalina.Wrapper;
+import org.apache.catalina.util.RequestUtil;
import org.apache.catalina.util.StringManager;
import org.apache.catalina.valves.ValveBase;
@@ -91,7 +92,7 @@
* when processing HTTP requests.
*
* @author Craig R. McClanahan
- * @version $Revision: 1.8 $ $Date: 2001/03/14 02:17:21 $
+ * @version $Revision: 1.9 $ $Date: 2001/03/30 19:33:37 $
*/
final class StandardContextValve
@@ -185,7 +186,18 @@
}
// Select the Wrapper to be used for this Request
- Wrapper wrapper = (Wrapper) context.map(request, true);
+ Wrapper wrapper = null;
+ try {
+ wrapper = (Wrapper) context.map(request, true);
+ } catch (IllegalArgumentException e) {
+ badRequest(requestURI, (HttpServletResponse) response.getResponse());
+ try {
+ response.finishResponse();
+ } catch (IOException f) {
+ ;
+ }
+ return;
+ }
if (wrapper == null) {
notFound(requestURI, (HttpServletResponse) response.getResponse());
try {
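Review bot: The new `catch (IllegalArgumentException e)` answers with a 400 but records nothing, and with the `context.log` call commented out in StandardContextMapper a malformed-encoding request never reaches the logs. It also catches every `IllegalArgumentException` raised anywhere under `context.map()`, not only the decode failure, so an internal bug would be reported to the client as a bad request. I would log before responding, e.g. `context.log(sm.getString("standardContext.badRequest", requestURI), e);`, assuming `context` here offers the same `log` overload the mapper uses. The bare `;` in the inner `catch (IOException f)` should become a comment saying why the failure is ignored. The enclosing method starts and ends outside the hunk.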
@@ -226,6 +238,41 @@
/**
+ * Report a "bad request" error for the specified resource. FIXME: We
+ * should really be using the error reporting settings for this web
+ * application, but currently that code runs at the wrapper level rather
+ * than the context level.
+ *
+ * @param requestURI The request URI for the requested resource
+ * @param response The response we are creating
+ */
+ private void badRequest(String requestURI, HttpServletResponse response) {
+
+ try {
+ requestURI = RequestUtil.filter(requestURI);
+ response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
+ response.setContentType("text/html");
+ PrintWriter writer = response.getWriter();
+ writer.println("<html>");
+ writer.println("<head>");
+ writer.println("<title>Tomcat Error Report</title>");
+ writer.println("<body bgcolor=\"white\">");
+ writer.println("<br><br>");
+ writer.println("<h1>HTTP Status 400 - " + requestURI + "</h1>");
+ writer.println(sm.getString("standardContext.badRequest",
+ requestURI));
+ writer.println("</body>");
+ writer.println("</html>");
+ writer.flush();
+ } catch (IllegalStateException e) {
+ ;
+ } catch (IOException e) {
+ ;
+ }
+
+ }
+
+ /**
* Report a "not found" error for the specified resource. FIXME: We
* should really be using the error reporting settings for this web
* application, but currently that code runs at the wrapper level rather
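Review bot: `badRequest()` writes request-derived text into a page declared only as `text/html`, with no charset, so the browser picks the encoding and `RequestUtil.filter()` can only be relied on if that choice matches what the writer emits. Declare it, e.g. `response.setContentType("text/html; charset=ISO-8859-1");`, using whatever encoding the response writer actually produces, which is not visible here. The markup also opens `<head>` and never closes it before `<body>`; add `writer.println("</head>");` after the title line. `notFound()` in the next hunk sets the same bare content type. The two empty `catch` bodies would read better with a one-line comment on why the failure is ignored.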
@@ -237,8 +284,8 @@
private void notFound(String requestURI, HttpServletResponse response) {
try {
+ requestURI = RequestUtil.filter(requestURI);
response.setStatus(HttpServletResponse.SC_NOT_FOUND);
- // response.setMessage(requestURI);
response.setContentType("text/html");
PrintWriter writer = response.getWriter();
writer.println("<html>");
1.23 +6 -43
jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core/StandardWrapperValve.java
Index: StandardWrapperValve.java
===================================================================
RCS file:
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core/StandardWrapperValve.java,v
retrieving revision 1.22
retrieving revision 1.23
diff -u -r1.22 -r1.23
--- StandardWrapperValve.java 2001/03/17 20:07:41 1.22
+++ StandardWrapperValve.java 2001/03/30 19:33:37 1.23
@@ -1,7 +1,7 @@
/*
- * $Header:
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core/StandardWrapperValve.java,v
1.22 2001/03/17 20:07:41 craigmcc Exp $
- * $Revision: 1.22 $
- * $Date: 2001/03/17 20:07:41 $
+ * $Header:
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core/StandardWrapperValve.java,v
1.23 2001/03/30 19:33:37 craigmcc Exp $
+ * $Revision: 1.23 $
+ * $Date: 2001/03/30 19:33:37 $
*
* ====================================================================
*
@@ -93,6 +93,7 @@
import org.apache.catalina.deploy.FilterDef;
import org.apache.catalina.deploy.FilterMap;
import org.apache.catalina.util.InstanceSupport;
+import org.apache.catalina.util.RequestUtil;
import org.apache.catalina.util.StringManager;
import org.apache.catalina.valves.ValveBase;
@@ -102,7 +103,7 @@
* <code>StandardWrapper</code> container implementation.
*
* @author Craig R. McClanahan
- * @version $Revision: 1.22 $ $Date: 2001/03/17 20:07:41 $
+ * @version $Revision: 1.23 $ $Date: 2001/03/30 19:33:37 $
*/
final class StandardWrapperValve
@@ -622,44 +623,6 @@
/**
- * Filter the specified message string for characters that are sensitive
- * in HTML. This avoids potential attacks caused by including JavaScript
- * codes in the request URL that is often reported in error messages.
- *
- * @param message The message string to be filtered
- */
- private String filter(String message) {
-
- if (message == null)
- return (null);
-
- char content[] = new char[message.length()];
- message.getChars(0, message.length(), content, 0);
- StringBuffer result = new StringBuffer(content.length + 50);
- for (int i = 0; i < content.length; i++) {
- switch (content[i]) {
- case '<':
- result.append("<");
- break;
- case '>':
- result.append(">");
- break;
- case '&':
- result.append("&");
- break;
- case '"':
- result.append(""");
- break;
- default:
- result.append(content[i]);
- }
- }
- return (result.toString());
-
- }
-
-
- /**
* Log a message on the Logger associated with our Container (if any)
*
* @param message Message to be logged
@@ -811,7 +774,7 @@
HttpServletResponse hres =
(HttpServletResponse) response.getResponse();
int statusCode = hresponse.getStatus();
- String message = filter(hresponse.getMessage());
+ String message = RequestUtil.filter(hresponse.getMessage());
if (message == null)
message = "";
1.15 +42 -4
jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/util/RequestUtil.java
Index: RequestUtil.java
===================================================================
RCS file:
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/util/RequestUtil.java,v
retrieving revision 1.14
retrieving revision 1.15
diff -u -r1.14 -r1.15
--- RequestUtil.java 2001/03/30 06:08:20 1.14
+++ RequestUtil.java 2001/03/30 19:33:39 1.15
@@ -1,7 +1,7 @@
/*
- * $Header:
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/util/RequestUtil.java,v
1.14 2001/03/30 06:08:20 remm Exp $
- * $Revision: 1.14 $
- * $Date: 2001/03/30 06:08:20 $
+ * $Header:
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/util/RequestUtil.java,v
1.15 2001/03/30 19:33:39 craigmcc Exp $
+ * $Revision: 1.15 $
+ * $Date: 2001/03/30 19:33:39 $
*
* ====================================================================
*
@@ -78,7 +78,7 @@
*
* @author Craig R. McClanahan
* @author Tim Tye
- * @version $Revision: 1.14 $ $Date: 2001/03/30 06:08:20 $
+ * @version $Revision: 1.15 $ $Date: 2001/03/30 19:33:39 $
*/
public final class RequestUtil {
@@ -144,6 +144,44 @@
}
return (buf.toString());
+ }
+
+
+ /**
+ * Filter the specified message string for characters that are sensitive
+ * in HTML. This avoids potential attacks caused by including JavaScript
+ * codes in the request URL that is often reported in error messages.
+ *
+ * @param message The message string to be filtered
+ */
+ public static String filter(String message) {
+
+ if (message == null)
+ return (null);
+
+ char content[] = new char[message.length()];
+ message.getChars(0, message.length(), content, 0);
+ StringBuffer result = new StringBuffer(content.length + 50);
+ for (int i = 0; i < content.length; i++) {
+ switch (content[i]) {
+ case '<':
+ result.append("<");
+ break;
+ case '>':
+ result.append(">");
+ break;
+ case '&':
+ result.append("&");
+ break;
+ case '"':
+ result.append(""");
+ break;
+ default:
+ result.append(content[i]);
+ }
+ }
+ return (result.toString());
+
}
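Review bot: `filter()` is now public and shared, but its Javadoc does not say which output contexts it is safe for. It handles `<`, `>`, `&` and `"` only, so it covers element content and double-quoted attribute values, not single-quoted or unquoted attributes, script blocks or URLs. I would state that in the Javadoc and add `@return the filtered message, or null if message was null`. As rendered on this page the four `append(...)` arguments look identical to the characters being matched, and `"""` would not compile. That is presumably the archive having decoded the entity strings (`&lt;`, `&gt;`, `&amp;`, `&quot;`), so check against the repository before copying this listing.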