This looks good to me. Also, CharChunk looks like it has the same problem. Could you go ahead and fix that one as well? Thanks.
Cheers, Larry

> -----Original Message-----
> From: Keith Wannamaker [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, February 05, 2002 12:45 PM
> To: Tomcat Developers List
> Cc: [EMAIL PROTECTED]
> Subject: Bug in safe url parsing
>
>
> Greetings,
>
> There is a bug in ByteChunk.indexOf which manifests itself
> in the safe url parsing. That is, BC.indexOf returns an
> offset relative to the start of the byte buffer, rather
> than the internal starting point.
>
> So, when safe url checks for indexOf('%'), depending on the
> length of the method name, a number of %'s at the beginning
> of the URL may be missed.
>
> So, the following URLs would be tagged as safe (currently):
> GET /wannamak/%25%5C
>
> A quick fix is to use indexOf("%"), which converts the
> relevant part of the byte array to a string, so the offset
> is correct.
>
> However, I think that it would be better to correct BC.indexOf
> in the following manner:
>
> Index: ByteChunk.java
> ===================================================================
> RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/util/buf/ByteChunk.java,v
> retrieving revision 1.8
> diff -u -r1.8 ByteChunk.java
> --- ByteChunk.java 19 Jul 2001 05:49:02 -0000 1.8
> +++ ByteChunk.java 5 Feb 2002 17:36:42 -0000
> @@ -626,7 +626,8 @@
> * @param s the string
> */
> public int indexOf(char c, int starting) {
> - return indexOf( buff, start+starting, end, c);
> + int ret = indexOf( buff, start+starting, end, c);
> + return (ret >= start) ? ret - start : -1;
> }
>
> public static int indexOf( byte bytes[], int off, int
> end, char qq )
>
> I will commit this later today if I hear no objection.
>
> Regards,
> Keith
>
>
> --
> To unsubscribe, e-mail:
> <mailto:[EMAIL PROTECTED]>
> For additional commands, e-mail:
> <mailto:[EMAIL PROTECTED]>
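Review bot: the Javadoc context at the top of this hunk still reads `* @param s the string` for a method whose parameters are `char c` and `int starting`, and nothing documents that the return value is now chunk-relative while the static `indexOf( byte bytes[], int off, int end, char qq )` just below still returns a buffer-absolute index; since the whole point of the patch is that callers were confusing the two, update the comment to say `@param c the byte to search for`, `@param starting offset relative to start` and `@return offset relative to start, or -1 if not found`. The rebasing itself looks right: a -1 from the static helper fails `ret >= start` and stays -1, and any hit satisfies `ret >= start + starting >= start`, so `ret - start` is never negative. Because this changes the contract of a public method, any existing caller that already subtracted `start` itself should be checked so the result is not rebased twice.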
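To make the failure Keith describes concrete, here is an added example that is not Tomcat's code: a cut-down stand-in for ByteChunk carrying both the pre-patch `indexOf(char, int)` and the rebased version from the hunk, driven by a simplified safe-URL check of my own (the real check's logic is not on this page; the stand-in only decodes each `%XX` escape and rejects an encoded `%`, `/` or `\`). The request line from the report is used as-is; the second request line and the class, method and field names are constructed for the demonstration.

```java
// Added example, not Tomcat's own code: a cut-down ByteChunk that reproduces the
// buffer-absolute indexOf bug from the bug report and the rebased fix from the patch.
import java.nio.charset.StandardCharsets;

public class ByteChunkIndexOfDemo {

    /** Stand-in for org.apache.tomcat.util.buf.ByteChunk (assumed shape, not the real class). */
    static final class MiniByteChunk {
        final byte[] buff;
        final int start;   // first byte of this chunk inside buff
        final int end;     // one past the last byte of this chunk

        MiniByteChunk(byte[] buff, int start, int end) {
            this.buff = buff;
            this.start = start;
            this.end = end;
        }

        int getLength() { return end - start; }

        /** Byte at a chunk-relative position. */
        byte byteAt(int rel) { return buff[start + rel]; }

        /** Pre-patch behaviour: 'starting' is chunk-relative but the result is an index into buff. */
        int indexOfBuggy(char c, int starting) {
            return indexOf(buff, start + starting, end, c);
        }

        /** Post-patch behaviour: rebase the hit on start so the result matches 'starting'. */
        int indexOfFixed(char c, int starting) {
            int ret = indexOf(buff, start + starting, end, c);
            return (ret >= start) ? ret - start : -1;
        }

        /** Same contract as the static helper in ByteChunk: absolute index in bytes[off, end), or -1. */
        static int indexOf(byte[] bytes, int off, int end, char qq) {
            for (int i = off; i < end; i++) {
                if (bytes[i] == (byte) qq) return i;
            }
            return -1;
        }
    }

    /**
     * Simplified safe-URL check (constructed stand-in, not Tomcat's): decode every %XX
     * escape in the URI and reject an encoded '%', '/' or '\', which a later unescaping
     * path check could otherwise be tricked by. The only difference between the two
     * variants is how the next '%' is located.
     */
    static boolean isSafe(MiniByteChunk uri, boolean usePatchedIndexOf) {
        int len = uri.getLength();
        int pos = 0;
        while (pos < len) {
            int idx = usePatchedIndexOf ? uri.indexOfFixed('%', pos) : uri.indexOfBuggy('%', pos);
            if (idx < 0 || idx + 2 >= len) {
                return true;   // no complete escape left to inspect
            }
            int decoded = Character.digit((char) uri.byteAt(idx + 1), 16) * 16
                        + Character.digit((char) uri.byteAt(idx + 2), 16);
            if (decoded == '%' || decoded == '/' || decoded == '\\') {
                return false;
            }
            pos = idx + 3;
        }
        return true;
    }

    /** Slice the URI out of a "METHOD SP URI SP VERSION" line and run the check on that chunk. */
    static boolean requestLineIsSafe(String requestLine, boolean usePatchedIndexOf) {
        byte[] buff = requestLine.getBytes(StandardCharsets.ISO_8859_1);
        int uriStart = requestLine.indexOf(' ') + 1;            // chunk start = method length + 1
        int uriEnd = requestLine.indexOf(' ', uriStart);
        return isSafe(new MiniByteChunk(buff, uriStart, uriEnd), usePatchedIndexOf);
    }

    public static void main(String[] args) {
        String[] lines = {
            "GET /wannamak/%25%5C HTTP/1.0",      // the request line from the bug report
            "OPTIONS /wannamak/%25%5C HTTP/1.0",  // constructed: longer method name, larger offset error
        };
        for (String line : lines) {
            System.out.printf("%-36s buggy=%-5b patched=%-5b%n", line,
                    requestLineIsSafe(line, false), requestLineIsSafe(line, true));
        }
    }
}
```

With the unpatched `indexOf`, the first `%` of `/wannamak/%25%5C` is reported at its position in the whole request line, so the check reads the wrong bytes of the chunk, runs off its end and accepts the URL; the longer the method name, the further the reported position is shifted. The rebased `indexOf` points at the real `%`, the `%25` decodes to `%`, and the URL is rejected.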