Greetings,

There is a bug in ByteChunk.indexOf which manifests itself in the safe url parsing. That is, BC.indexOf returns an offset relative to the start of the byte buffer, rather than the internal starting point.
So, when safe url checks for indexOf('%'), depending on the length of the method name, a number of %'s at the beginning of the URL may be missed. So, the following URLs would be tagged as safe (currently):

GET /wannamak/%25%5C

A quick fix is to use indexOf("%"), which converts the relevant part of the byte array to a string, so the offset is correct. However, I think that it would be better to correct BC.indexOf in the following manner:

Index: ByteChunk.java =================================================================== RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/util/buf/ByteChun k.java,v retrieving revision 1.8 diff -u -r1.8 ByteChunk.java --- ByteChunk.java 19 Jul 2001 05:49:02 -0000 1.8 +++ ByteChunk.java 5 Feb 2002 17:36:42 -0000 @@ -626,7 +626,8 @@ * @param s the string */ public int indexOf(char c, int starting) { - return indexOf( buff, start+starting, end, c); + int ret = indexOf( buff, start+starting, end, c); + return (ret >= start) ? ret - start : -1; } public static int indexOf( byte bytes[], int off, int end, char qq )

I will commit this later today if I hear no objection.

Regards,
Keith
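Review bot: the Javadoc kept as context above indexOf(char c, int starting) still reads "@param s the string", which matches neither parameter, and nothing records that the return value is now relative to start instead of to buff. Because this changes what the method returns, document c and starting and add an @return line stating that the result is an offset from the chunk's start, or -1 when the character is not found. Any caller that already subtracted start itself, or indexed buff directly with the old value, would need checking before this goes in.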
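The offset mismatch described in the message, as an added Java example that is not part of the original post or of Tomcat's code. Chunk, escapesSeen and OffsetDemo are hypothetical names, and the caller's scan is an assumption about how a chunk-relative index would be consumed; the request line is the one quoted in the message.

```java
import java.nio.charset.StandardCharsets;

// Added illustration; OffsetDemo, Chunk and escapesSeen are hypothetical names.
public class OffsetDemo {
    /** Minimal stand-in for a byte chunk: a window [start, end) over a shared buffer. */
    static final class Chunk {
        final byte[] buff;
        final int start, end;
        Chunk(byte[] buff, int start, int end) { this.buff = buff; this.start = start; this.end = end; }

        // Assumed contract of the static helper: absolute offset into bytes, or -1.
        static int indexOf(byte[] bytes, int off, int end, char c) {
            for (int i = off; i < end; i++) if (bytes[i] == (byte) c) return i;
            return -1;
        }
        // Pre-patch behaviour: result is relative to the start of the buffer.
        int indexOfAbsolute(char c, int starting) {
            return indexOf(buff, start + starting, end, c);
        }
        // Patched behaviour: result is relative to the chunk's own start.
        int indexOfRelative(char c, int starting) {
            int ret = indexOf(buff, start + starting, end, c);
            return (ret >= start) ? ret - start : -1;
        }
        int length() { return end - start; }
        byte at(int i) { return buff[start + i]; }
    }

    // Hypothetical caller: counts the '%' escapes a scanner sees when it begins at
    // the index it was handed and treats that index as chunk-relative.
    static int escapesSeen(Chunk uri, int firstPercent) {
        if (firstPercent < 0) return 0;
        int n = 0;
        for (int i = firstPercent; i < uri.length(); i++) if (uri.at(i) == '%') n++;
        return n;
    }

    public static void main(String[] args) {
        byte[] line = "GET /wannamak/%25%5C".getBytes(StandardCharsets.US_ASCII);
        Chunk uri = new Chunk(line, 4, line.length);   // URI begins after "GET "
        int abs = uri.indexOfAbsolute('%', 0);
        int rel = uri.indexOfRelative('%', 0);
        System.out.println("pre-patch index=" + abs + " escapes seen=" + escapesSeen(uri, abs));
        System.out.println("patched   index=" + rel + " escapes seen=" + escapesSeen(uri, rel));
    }
}
```

The gap between the two indexes equals the chunk's start, which is why the number of escapes skipped depends on the length of the method name in front of the URI.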