keith 02/04/23 12:49:40 Modified: src/share/org/apache/tomcat/modules/mappers DecodeInterceptor.java Log: Our security measure is too agressive; incorrectly mangles proxy-style urls. Check for http/https exceptions when removing double slashes. Revision Changes Path 1.16 +11 -2 jakarta-tomcat/src/share/org/apache/tomcat/modules/mappers/DecodeInterceptor.java
Index: DecodeInterceptor.java
===================================================================
RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/modules/mappers/DecodeInterceptor.java,v
retrieving revision 1.15
retrieving revision 1.16
diff -u -r1.15 -r1.16
--- DecodeInterceptor.java 2 Feb 2002 04:48:40 -0000 1.15
+++ DecodeInterceptor.java 23 Apr 2002 19:49:40 -0000 1.16
@@ -194,7 +194,10 @@
 // remove //
 for( i=start, j=start; i<end-1; i++ ) {
 if( buff[i]== '/' && buff[i+1]=='/' ) {
- while( buff[i+1]=='/' ) i++;
+ if (! (i == start + 5 && bc.startsWith(HTTP)) &&
+ ! (i == start + 6 && bc.startsWith(HTTPS))) {
+ while( buff[i+1]=='/' ) i++;
+ }
 }
 buff[j++]=buff[i];
 }
@@ -306,7 +309,10 @@
 // remove //
 for( i=start, j=start; i<end-1; i++ ) {
 if( buff[i]== '/' && buff[i+1]=='/' ) {
- while( buff[i+1]=='/' ) i++;
+ if (! (i == start + 5 && str.startsWith("http:")) &&
+ ! (i == start + 6 && str.startsWith("https:"))) {
+ while( buff[i+1]=='/' ) i++;
+ }
 }
 buff[j++]=buff[i];
 }
@@ -619,5 +625,8 @@ } } + + private static final byte[] HTTP = new byte[] { 'h','t','t','p',':'}; + private static final byte[] HTTPS = new byte[] { 'h','t','t','p','s',':'}; }
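Review bot: In the first hunk (and identically in the second, at -306), the inner `while( buff[i+1]=='/' ) i++;` that the new `if` now wraps has no upper bound, so a URI whose tail is all slashes lets `i+1` reach `end` and go past it. Depending on how `buff` is allocated, which is not visible here, that either compares bytes beyond the request URI or throws ArrayIndexOutOfBoundsException. Since this block is being touched anyway, bound it: `while( i+1 < end && buff[i+1]=='/' ) i++;`. The enclosing method starts and ends outside the hunk, so the handling of the final character at `end-1` could not be checked.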
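Review bot: In the second hunk the exemption is decided from `str.startsWith("http:")` while the loop indexes `buff` relative to `start`; the hunk does not show that `str` begins at `start` or still mirrors `buff`, and if it does not, the `//` that is preserved may not be the one after the scheme. Testing the buffer that is being rewritten, as the first hunk does with `bc`, would remove that doubt, and `start + HTTP.length` / `start + HTTPS.length` in place of the literals 5 and 6 would keep the offsets tied to the prefixes. Because this loop is the double-slash normalization the log calls a security measure, I would also add a comment above the new `if`: `// Exempt only the "//" right after a leading http:/https: scheme (absolute-form request URI); every other "//" is still collapsed.` Later path checks presumably relied on the URI containing no `//`, so confirm they cope with the absolute form.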