> remm        01/07/16 18:04:29
>
>   Modified:    catalina/src/share/org/apache/catalina/connector/http
>                         HttpProcessor.java
>   Log:
>   - %25, %2F, %2E and %5C are now forbidden in the request URI. I hope this
>     is not a problem with multi-byte characters.
>   - Medium risk fix : always finish the response. That could lead to connection
>     management problems. That has to be changed since otherwise no HTTP error
>     report would be generated when something bad happened when parsing
>     the request.
>
<snip>

>   +        // Prevent encoding '%', '/', '.' and '\', which are
> special reserved
>   +        // characters
>   +        if ((normalized.indexOf("%25") > 0) ||
> (normalized.indexOf("%2F") > 0)
>   +            || (normalized.indexOf("%2E") > 0)
>   +            || (normalized.indexOf("%5C") > 0)) {
>   +            return null;
>   +        }
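Review bot: the four `indexOf(...) > 0` tests skip a match at index 0 and only match upper-case hex digits, so `%2e`, `%2f` and `%5c` (lower-case) pass the check unchanged. Compare with `>= 0` and match the escapes case-insensitively, for example by decoding the two hex digits after each `%` and testing the resulting byte against `%`, `/`, `.` and `\`, rather than comparing literal strings.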

This code will do a case-sensitive comparison.  So, for example, %2E will be
forbidden, but %2e will be allowed.  Escapes are not case-sensitive.
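A case-insensitive form of the check discussed in this thread, written as an added illustration rather than taken from the Tomcat patch; the class and method names are assumptions, and the choice to reject malformed escapes is this example's own.

```java
// Added example, not code from the Tomcat patch above.
// Rejects a request URI that contains a percent-encoding of '%', '/', '.' or '\'
// regardless of the case of the hex digits (so %2E and %2e are treated alike).
public final class EncodedReservedCheck {

    // Decoded bytes that must never appear percent-encoded in a request URI:
    // '%' (0x25), '/' (0x2F), '.' (0x2E) and '\' (0x5C).
    private static boolean isReserved(int b) {
        return b == '%' || b == '/' || b == '.' || b == '\\';
    }

    /**
     * Returns true when the still-encoded URI contains an escape of one of the
     * reserved characters. A '%' not followed by two hex digits is also rejected
     * here (a conservative choice made for this example), since it cannot be
     * decoded unambiguously.
     */
    public static boolean containsEncodedReserved(String uri) {
        for (int i = 0; i < uri.length(); i++) {
            if (uri.charAt(i) != '%') {
                continue;
            }
            if (i + 2 >= uri.length()) {
                return true;                          // truncated escape
            }
            int hi = Character.digit(uri.charAt(i + 1), 16);
            int lo = Character.digit(uri.charAt(i + 2), 16);
            if (hi < 0 || lo < 0) {
                return true;                          // malformed escape
            }
            if (isReserved((hi << 4) | lo)) {
                return true;                          // e.g. %2e, %2F, %5c, %25
            }
            i += 2;                                   // skip the escape just examined
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample URIs; the first two must be rejected, the third allowed.
        String[] samples = { "/app/%2e%2e/conf", "/app/%2E%2E/conf", "/app/a%20b" };
        for (String s : samples) {
            System.out.println(s + " -> " + (containsEncodedReserved(s) ? "reject" : "allow"));
        }
    }
}
```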
