craigmcc 01/05/11 16:20:12
Modified: catalina/src/share/org/apache/catalina/core
LocalStrings.properties StandardContextMapper.java
Log:
Return error 400 if the user uses invalid characters (including %00 and
%7f) in a URI. This fixes a security vulnerability, present in 4.0-b4,
that exposes JSP source code when you request:
http://localhost:8080/examples/jsp/num/numguess.jsp%00
This is the same vulnerability that Marc just patched in 3.2.2.
Revision Changes Path
1.33 +1 -0
jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core/LocalStrings.properties
Index: LocalStrings.properties
===================================================================
RCS file:
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core/LocalStrings.properties,v
retrieving revision 1.32
retrieving revision 1.33
diff -u -r1.32 -r1.33
--- LocalStrings.properties 2001/05/04 05:07:07 1.32
+++ LocalStrings.properties 2001/05/11 23:20:09 1.33
@@ -67,6 +67,7 @@
standardContext.stoppingWrapper=Exception stopping Wrapper for servlet {0}
standardContext.urlDecode=Cannot URL decode request path {0}
standardContext.urlPattern.patternWarning=WARNING: URL pattern {0} must start with
a '/' in Servlet 2.3
+standardContext.urlValidate=Cannot validate URL decoded request path {0}
standardContext.wrapper.error=JSP file {0} must start with a '/'
standardContext.wrapper.warning=WARNING: JSP file {0} must start with a '/' in
Servlet 2.3
standardContext.invalidEnvEntryValue={0} environment entry has an invalid value for
specified type
1.4 +31 -4
jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core/StandardContextMapper.java
Index: StandardContextMapper.java
===================================================================
RCS file:
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core/StandardContextMapper.java,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- StandardContextMapper.java 2001/03/30 20:44:20 1.3
+++ StandardContextMapper.java 2001/05/11 23:20:10 1.4
@@ -1,7 +1,7 @@
/*
- * $Header:
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core/StandardContextMapper.java,v
1.3 2001/03/30 20:44:20 craigmcc Exp $
- * $Revision: 1.3 $
- * $Date: 2001/03/30 20:44:20 $
+ * $Header:
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core/StandardContextMapper.java,v
1.4 2001/05/11 23:20:10 craigmcc Exp $
+ * $Revision: 1.4 $
+ * $Date: 2001/05/11 23:20:10 $
*
* ====================================================================
*
@@ -85,7 +85,7 @@
* <code>StandardContext</code>, because it relies on internal APIs.
*
* @author Craig R. McClanahan
- * @version $Revision: 1.3 $ $Date: 2001/03/30 20:44:20 $
+ * @version $Revision: 1.4 $ $Date: 2001/05/11 23:20:10 $
*/
public final class StandardContextMapper
@@ -204,6 +204,7 @@
// servletPath and pathInfo as decoded strings
try {
relativeURI = RequestUtil.URLDecode(relativeURI);
+ validate(relativeURI);
if (debug >= 1)
context.log("Decoded relativeURI='" + relativeURI + "'");
} catch (Exception e) {
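Review bot: The new `validate(relativeURI)` call carries no comment explaining that it must run on the decoded string; I would add `// Reject control characters (e.g. decoded %00 or %7f) before the path is mapped to a wrapper` directly above it. Its IllegalArgumentException lands in the same broad `catch (Exception e)` as a decode failure, so the two cases are only distinguishable if that handler uses the exception's own message. The catch body lies outside the hunk, so it is worth confirming there that a validation failure produces the 400 promised in the commit log and reports the `standardContext.urlValidate` text rather than the `standardContext.urlDecode` one.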
@@ -300,6 +301,32 @@
((HttpRequest) request).setPathInfo(pathInfo);
}
return (wrapper);
+
+ }
+
+
+ // -------------------------------------------------------- Private Methods
+
+
+ /**
+ * Throw an exception if the specified relative URI (assumed to be already
+ * decoded) contains any control characters. See RFC 2396, Section 2.4.3,
+ * for a discussion of why these characters are not allowed in URIs.
+ *
+ * @param relativeURI The decoded relative URI to be validated
+ *
+ * @exception IllegalArgumentException if the specified relative URI
+ * contains invalid characters
+ */
+ private void validate(String relativeURI) {
+
+ int n = relativeURI.length();
+ for (int i = 0; i < n; i++) {
+ char c = relativeURI.charAt(i);
+ if ((c < '\u0020') || (c == '\u007f'))
+ throw new IllegalArgumentException
+ (sm.getString("standardContext.urlValidate", relativeURI));
+ }
}
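Review bot: The exception message in `validate` is built from the rejected `relativeURI` itself, which at that point is known to contain a control character such as NUL, CR or LF. If the handler that catches it (outside this hunk) writes the message to the context log or echoes it in the error response, the raw control characters go with it, which allows forged or split log lines. I would format the message from a copy in which the rejected characters are replaced, as sketched below. The unbraced `if` around a multi-line `throw` would also read more safely with braces.

```java
private void validate(String relativeURI) {
    // … unchanged: length lookup and loop header, char c = relativeURI.charAt(i) …
        if ((c < '\u0020') || (c == '\u007f')) {
            // Never echo the raw control characters into logs or responses
            StringBuffer safe = new StringBuffer(n);
            for (int j = 0; j < n; j++) {
                char d = relativeURI.charAt(j);
                safe.append(((d < '\u0020') || (d == '\u007f')) ? '?' : d);
            }
            throw new IllegalArgumentException
                (sm.getString("standardContext.urlValidate", safe.toString()));
        }
```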