Author: csutherl Date: Wed Feb 8 19:40:51 2017 New Revision: 1782240 URL: http://svn.apache.org/viewvc?rev=1782240&view=rev Log: Followup commit for r1782037, adding warnings and StringManager
Modified:
    tomcat/tc8.5.x/trunk/conf/catalina.properties
    tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/http/parser/HttpParser.java
    tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/http/parser/LocalStrings.properties
    tomcat/tc8.5.x/trunk/webapps/docs/config/systemprops.xml

Modified: tomcat/tc8.5.x/trunk/conf/catalina.properties
URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/conf/catalina.properties?rev=1782240&r1=1782239&r2=1782240&view=diff
==============================================================================
--- tomcat/tc8.5.x/trunk/conf/catalina.properties (original)
+++ tomcat/tc8.5.x/trunk/conf/catalina.properties Wed Feb 8 19:40:51 2017
@@ -148,4 +148,5 @@ tomcat.util.buf.StringCache.byte.enabled
 #tomcat.util.buf.StringCache.cacheSize=5000
 # Allow for changes to HTTP request validation
+# WARNING: Using this option will expose the server to CVE-2016-6816
 #tomcat.util.http.parser.HttpParser.requestTargetAllow=|

Modified: tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/http/parser/HttpParser.java
URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/http/parser/HttpParser.java?rev=1782240&r1=1782239&r2=1782240&view=diff
==============================================================================
--- tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/http/parser/HttpParser.java (original)
+++ tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/http/parser/HttpParser.java Wed Feb 8 19:40:51 2017
@@ -22,6 +22,8 @@ import java.io.StringReader;
 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
+import org.apache.tomcat.util.res.StringManager;
+
 /**
  * HTTP header value parser implementation. Parsing HTTP headers as per RFC2616
  * is not always as simple as it first appears. For headers that only use tokens
@@ -37,6 +39,8 @@ import org.apache.juli.logging.LogFactor
  */
 public class HttpParser {
+    private static final StringManager sm = StringManager.getManager(HttpParser.class);
+
     private static final Log log = LogFactory.getLog(HttpParser.class);
     private static final int ARRAY_SIZE = 128;
@@ -57,8 +61,7 @@ public class HttpParser {
             if (c == '{' || c == '}' || c == '|') {
                 REQUEST_TARGET_ALLOW[c] = true;
             } else {
-                log.warn("HttpParser: Character '" + c + "' is not allowed and will continue "
-                        + "being rejected.");
+                log.warn(sm.getString("httpparser.invalidRequestTargetCharacter", c));
             }
         }
     }

Modified: tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/http/parser/LocalStrings.properties
URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/http/parser/LocalStrings.properties?rev=1782240&r1=1782239&r2=1782240&view=diff
==============================================================================
--- tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/http/parser/LocalStrings.properties (original)
+++ tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/http/parser/LocalStrings.properties Wed Feb 8 19:40:51 2017
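Review bot: The new `sm` field has to stay textually above the block edited by the second hunk, because that block calls `sm.getString(...)` while the class is being initialised and Java runs static initialisers in declaration order; if a later tidy-up moved the field below it, the warning path would throw NullPointerException during class loading instead of logging. The ordering in the hunk is correct but nothing records why, and that block (which appears to be a static initializer, its start lies outside the hunk) is the only reason the position matters. A one-line comment on the declaration would pin it: `// Must be declared before the static block below, which uses it during class initialisation.`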
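Review bot: The only log output in this loop is for characters that are rejected; a character that is accepted — the case the same commit labels in catalina.properties and systemprops.xml as exposing the server to CVE-2016-6816 — leaves no trace in the log, so an operator reading the log cannot tell that request-target validation has been relaxed on this instance. A warning on the accepting branch, `REQUEST_TARGET_ALLOW[c] = true;` followed by `log.warn(sm.getString("httpparser.requestTargetAllowEnabled", c));` (with a matching entry in LocalStrings.properties; the key name here is a constructed placeholder), would make the relaxation visible next to the warnings this commit already adds. The enclosing initializer starts outside this hunk.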
@@ -17,4 +17,5 @@ authorization.unknownType=Unknown Type [
 cookie.fallToDebug=Note: further occurrences of this error will be logged at DEBUG level.
 cookie.invalidCookieValue=A cookie header was received [{0}] that contained an invalid cookie. That cookie will be ignored.
 cookie.invalidCookieVersion=A cookie header was received using an unrecognised cookie version of [{0}]. The header and the cookies it contains will be ignored.
-cookie.valueNotPresent=<not present>
\ No newline at end of file
+cookie.valueNotPresent=<not present>
+httpparser.invalidRequestTargetCharacter=Character [{0}] is not allowed and will continue to be rejected.

Modified: tomcat/tc8.5.x/trunk/webapps/docs/config/systemprops.xml
URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/webapps/docs/config/systemprops.xml?rev=1782240&r1=1782239&r2=1782240&view=diff
==============================================================================
--- tomcat/tc8.5.x/trunk/webapps/docs/config/systemprops.xml (original)
+++ tomcat/tc8.5.x/trunk/webapps/docs/config/systemprops.xml Wed Feb 8 19:40:51 2017
@@ -644,6 +644,8 @@
       These characters would normally result in a 400 status.</p>
       <p>The acceptable characters for this property are: <code>|</code>, <code>{</code> , and <code>}</code></p>
+      <p><strong>WARNING</strong>: Use of this option will expose the server to CVE-2016-6816.
+      </p>
       <p>If not specified, the default value of <code>null</code> will be used.</p>
     </property>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
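Review bot: The new `httpparser.invalidRequestTargetCharacter` message does not say which setting the rejected character came from, so an operator who finds the line in the log has nothing linking it to `tomcat.util.http.parser.HttpParser.requestTargetAllow`, which from the HttpParser hunk appears to be the only place this message is emitted. Naming the property in the text keeps the fix to this file: `httpparser.invalidRequestTargetCharacter=Character [{0}] is not allowed in the requestTargetAllow property and will continue to be rejected.` The trailing-newline fix on `cookie.valueNotPresent` is fine as is.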