nacho 01/09/22 20:26:32
Modified: src/share/org/apache/tomcat/modules/mappers
DecodeInterceptor.java
src/share/org/apache/tomcat/modules/aaa
AccessInterceptor.java
Log:
Better messages for some 403 statuses, returned for unsafe URLs
or when trying to access the WEB-INF dir.
Revision Changes Path
1.8 +3 -2
jakarta-tomcat/src/share/org/apache/tomcat/modules/mappers/DecodeInterceptor.java
Index: DecodeInterceptor.java
===================================================================
RCS file:
/home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/modules/mappers/DecodeInterceptor.java,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- DecodeInterceptor.java 2001/08/12 01:47:59 1.7
+++ DecodeInterceptor.java 2001/09/23 03:26:32 1.8
@@ -296,9 +296,10 @@
// throw new RuntimeException("ASSERT: ? in requestURI");
// If path is unsafe, return forbidden
- if( safe && !isSafeURI(pathMB) )
+ if( safe && !isSafeURI(pathMB) ){
+ req.setAttribute("javax.servlet.error.message","Unsafe URL");
return 403;
-
+ }
if( normalize &&
( pathMB.indexOf("//") >= 0 ||
pathMB.indexOf("/." ) >=0
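Review bot: The new `req.setAttribute("javax.servlet.error.message","Unsafe URL")` stores a fixed literal, and that choice should be made explicit: if someone later appends `pathMB` to the message for diagnostics, the raw request path would be reflected into whatever page renders `javax.servlet.error.message`, and nothing visible here guarantees it is escaped. I would put a comment above the `setAttribute` line, e.g. `// Keep this message static; never echo pathMB into the error page.`. The attribute key is also spelled out verbatim in AccessInterceptor, so a shared constant would keep the two call sites from drifting. The enclosing method continues outside the hunk.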
1.17 +4 -4
jakarta-tomcat/src/share/org/apache/tomcat/modules/aaa/AccessInterceptor.java
Index: AccessInterceptor.java
===================================================================
RCS file:
/home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/modules/aaa/AccessInterceptor.java,v
retrieving revision 1.16
retrieving revision 1.17
diff -u -r1.16 -r1.17
--- AccessInterceptor.java 2001/09/14 04:13:35 1.16
+++ AccessInterceptor.java 2001/09/23 03:26:32 1.17
@@ -258,10 +258,10 @@
int ctxPathLen=ctxPath.length();
// quick test
- if( reqURIMB.startsWithIgnoreCase( "/META-INF", ctxPathLen) ) {
- return 403;
- }
- if( reqURIMB.startsWithIgnoreCase( "/WEB-INF", ctxPathLen) ) {
+ if( reqURIMB.startsWithIgnoreCase( "/META-INF", ctxPathLen) ||
+ reqURIMB.startsWithIgnoreCase( "/WEB-INF", ctxPathLen) ) {
+ req.setAttribute("javax.servlet.error.message",
+ "Forbidden directory");
return 403;
}
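Review bot: The merged `startsWithIgnoreCase("/META-INF"...) || startsWithIgnoreCase("/WEB-INF"...)` test is only as strong as the form of `reqURIMB` at this point; it is a plain prefix compare, so an encoded (`%57EB-INF`) or `/./WEB-INF` spelling would pass it unless decoding and normalization have already run, which this hunk cannot show. I would record that dependency above the `// quick test` comment, e.g. `// Assumes reqURIMB is already URL-decoded and normalized (DecodeInterceptor); an encoded or dot-segment form would slip past this prefix test.`. Note also that the prefix match has no trailing-`/` or end-of-string check, so a path such as `/WEB-INFO/...` is refused as well — acceptable if over-blocking is intended, but worth a comment. The enclosing method continues outside the hunk.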