This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/10.1.x by this push:
new b08b3ab841 Align URI normalization between RequestUtil and
CoyoteAdapter
b08b3ab841 is described below
commit b08b3ab8411f714df95e7d5eb9f04e1914c01c98
Author: Mark Thomas <[email protected]>
AuthorDate: Tue Apr 7 12:26:50 2026 +0100
Align URI normalization between RequestUtil and CoyoteAdapter
---
java/org/apache/catalina/connector/CoyoteAdapter.java | 2 ++
java/org/apache/tomcat/util/http/RequestUtil.java | 8 +++++++-
test/org/apache/tomcat/util/http/TestRequestUtilNormalize.java | 3 +++
webapps/docs/changelog.xml | 4 ++++
4 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/java/org/apache/catalina/connector/CoyoteAdapter.java
b/java/org/apache/catalina/connector/CoyoteAdapter.java
index 82cee3f227..57f57e5ff1 100644
--- a/java/org/apache/catalina/connector/CoyoteAdapter.java
+++ b/java/org/apache/catalina/connector/CoyoteAdapter.java
@@ -1112,6 +1112,8 @@ public class CoyoteAdapter implements Adapter {
*/
public static boolean normalize(MessageBytes uriMB, boolean
allowBackslash) {
+ // Keep behaviour aligned with RequestUtil.normalize()
+
ByteChunk uriBC = uriMB.getByteChunk();
final byte[] b = uriBC.getBytes();
final int start = uriBC.getStart();
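Review bot: The added comment at the top of normalize() says to keep behaviour aligned with RequestUtil.normalize() but does not say which behaviour the two methods must share, so a later change to either one cannot tell what it is bound to preserve. The commit's change on the RequestUtil side is the rejection of paths containing NUL bytes, so naming that makes the cross-reference actionable, e.g. `// Keep behaviour aligned with RequestUtil.normalize(): both reject paths containing NUL bytes and fail paths that escape the root`. The body of normalize() continues beyond this hunk, so the NUL-byte handling this refers to is not visible here and should be confirmed before the comment is worded that way.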
diff --git a/java/org/apache/tomcat/util/http/RequestUtil.java
b/java/org/apache/tomcat/util/http/RequestUtil.java
index 3376ed2f1b..071e487228 100644
--- a/java/org/apache/tomcat/util/http/RequestUtil.java
+++ b/java/org/apache/tomcat/util/http/RequestUtil.java
@@ -46,7 +46,7 @@ public class RequestUtil {
/**
* Normalize a relative URI path. This method normalizes "/./", "/../" and
"//". This method optionally normalizes
* "\". If the input path is an attempt to 'escape the root' (e.g.
/../input.txt) then {@code null} is returned to
- * prevent attempts to 'escape the root'. <strong>WARNING</strong> - No
other URI validation checks are performed.
+ * prevent attempts to 'escape the root'. URI paths containing null bytes
will be rejected.
*
* @param path Relative path to be normalized
* @param replaceBackSlash Should '\\' be normalized to '/'
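Review bot: The rewritten Javadoc drops the `<strong>WARNING</strong> - No other URI validation checks are performed.` sentence while adding the NUL-byte statement, which weakens the signal to callers about what this method does not check (encoding, other control characters, length). Rejecting NUL bytes narrows that warning but does not make it false, so both statements belong in the summary: `* prevent attempts to 'escape the root'. URI paths containing null bytes will be rejected. <strong>WARNING</strong> - No other URI validation checks are performed.` The Javadoc block continues past the end of this hunk.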
@@ -55,10 +55,16 @@ public class RequestUtil {
*/
public static String normalize(String path, boolean replaceBackSlash) {
+ // Keep behaviour aligned with CoyoteAdapter.normalize()
if (path == null) {
return null;
}
+ // Reject paths containing null bytes
+ if (path.indexOf(0) > -1) {
+ return null;
+ }
+
// Create a place for the normalized path
String normalized = path;
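Review bot: `path.indexOf(0) > -1` reads as a search for the integer zero; the intent is a NUL character, so `if (path.indexOf('\u0000') != -1) {` states it directly and matches the `\u0000` literals used in the new test cases. The check inspects the String as passed in, so a percent-encoded `%00` is not caught here; if callers are expected to hand this method an already-decoded path, the Javadoc should say so rather than leave the scope of the rejection implicit. Placing the check before any normalization work is the right order, since a rejected path then never influences the result. normalize()'s body continues beyond this hunk.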
diff --git a/test/org/apache/tomcat/util/http/TestRequestUtilNormalize.java
b/test/org/apache/tomcat/util/http/TestRequestUtilNormalize.java
index b6428682bd..040ba10315 100644
--- a/test/org/apache/tomcat/util/http/TestRequestUtilNormalize.java
+++ b/test/org/apache/tomcat/util/http/TestRequestUtilNormalize.java
@@ -59,6 +59,9 @@ public class TestRequestUtilNormalize {
parameterSets.add(new String[] { "/a/b/.", "/a/b" });
parameterSets.add(new String[] { "/a/b/../", "/a/" });
parameterSets.add(new String[] { "/a/b/./", "/a/b/" });
+ parameterSets.add(new String[] { "/a\u0000/b/./", null });
+ parameterSets.add(new String[] { "\u0000/a/b/./", null });
+ parameterSets.add(new String[] { "/a/b/./\u0000", null });
return parameterSets;
}
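Review bot: The three new cases place the NUL byte at the start, middle and end of an otherwise valid path, but none covers the one-character boundary or a NUL embedded in a dot segment, so the rejection is only shown for well-separated positions. Adding `parameterSets.add(new String[] { "\u0000", null });` and `parameterSets.add(new String[] { "/a/.\u0000/b", null });` pins that rejection does not depend on the surrounding separators or on the rest of the path being normalizable. The method that builds parameterSets starts before this hunk.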
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 94e1a612c0..88ba657458 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -139,6 +139,10 @@
Fix various minor issues with some HTTP/2 stream error messages for
HTTP/2. (markt)
</fix>
+ <fix>
+ Consistently reject URIs containing <code>NULL</code> bytes when
+ normalizing. (markt)
+ </fix>
</changelog>
</subsection>
</section>