This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/9.0.x by this push:
new 3ac1c7b0a8 Align URI normalization between RequestUtil and
CoyoteAdapter
3ac1c7b0a8 is described below
commit 3ac1c7b0a8c7d2fec42bc050843b7f68fc2c9098
Author: Mark Thomas <[email protected]>
AuthorDate: Tue Apr 7 12:26:50 2026 +0100
Align URI normalization between RequestUtil and CoyoteAdapter
---
java/org/apache/catalina/connector/CoyoteAdapter.java | 2 ++
java/org/apache/tomcat/util/http/RequestUtil.java | 8 +++++++-
test/org/apache/tomcat/util/http/TestRequestUtilNormalize.java | 3 +++
webapps/docs/changelog.xml | 4 ++++
4 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/java/org/apache/catalina/connector/CoyoteAdapter.java
b/java/org/apache/catalina/connector/CoyoteAdapter.java
index 613a1675f7..d7611158cb 100644
--- a/java/org/apache/catalina/connector/CoyoteAdapter.java
+++ b/java/org/apache/catalina/connector/CoyoteAdapter.java
@@ -1111,6 +1111,8 @@ public class CoyoteAdapter implements Adapter {
*/
public static boolean normalize(MessageBytes uriMB) {
+ // Keep behaviour aligned with RequestUtil.normalize()
+
ByteChunk uriBC = uriMB.getByteChunk();
final byte[] b = uriBC.getBytes();
final int start = uriBC.getStart();
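Review bot: The new comment on the first line of normalize() says the behaviour must stay aligned with RequestUtil.normalize() but not what "aligned" means, so a later edit to either method has nothing concrete to check against; stating the shared contract is more useful, e.g. `// Keep behaviour aligned with RequestUtil.normalize(): both must reject the same inputs (NUL bytes, root escapes) and collapse the same segments`. The blank line added directly after the comment also separates it from the code it introduces; dropping it keeps the note attached to the method body. The body of normalize() continues past the end of this hunk, so the rest of the method is not visible here.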
diff --git a/java/org/apache/tomcat/util/http/RequestUtil.java
b/java/org/apache/tomcat/util/http/RequestUtil.java
index ff6f911f5a..51194c3db8 100644
--- a/java/org/apache/tomcat/util/http/RequestUtil.java
+++ b/java/org/apache/tomcat/util/http/RequestUtil.java
@@ -46,7 +46,7 @@ public class RequestUtil {
/**
* Normalize a relative URI path. This method normalizes "/./", "/../" and
"//". This method optionally normalizes
* "\". If the input path is an attempt to 'escape the root' (e.g.
/../input.txt) then {@code null} is returned to
- * prevent attempts to 'escape the root'. <strong>WARNING</strong> - No
other URI validation checks are performed.
+ * prevent attempts to 'escape the root'. URI paths containing null bytes
will be rejected.
*
* @param path Relative path to be normalized
* @param replaceBackSlash Should '\\' be normalized to '/'
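Review bot: The Javadoc edit removes the `<strong>WARNING</strong> - No other URI validation checks are performed.` caveat rather than adding to it, yet that caveat still holds: the only validation this commit introduces is the NUL-byte rejection, and callers may otherwise read the new sentence as implying broader checking. Keeping both statements is clearer, e.g. `* prevent attempts to 'escape the root'. URI paths containing null bytes will be rejected. <strong>WARNING</strong> - No other URI validation checks are performed.`. The `@return` tag for this method lies below the hunk and is not visible here; it presumably still describes {@code null} only as the root-escape result and may need the new reason added.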
@@ -55,10 +55,16 @@ public class RequestUtil {
*/
public static String normalize(String path, boolean replaceBackSlash) {
+ // Keep behaviour aligned with CoyoteAdapter.normalize()
if (path == null) {
return null;
}
+ // Reject paths containing null bytes
+ if (path.indexOf(0) > -1) {
+ return null;
+ }
+
// Create a place for the normalized path
String normalized = path;
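Review bot: The new guard `if (path.indexOf(0) > -1)` passes the int literal 0, which reads as a position rather than a character code until the reader recalls the `indexOf(int ch)` overload; the equivalent `if (path.indexOf('\0') >= 0) {` states the intent directly and matches the comment above it. Placing the check before any backslash or segment handling is the right order, since it makes the rejection independent of replaceBackSlash. Note that this inspects the Java String as passed, so it catches a literal NUL character; whether a percent-encoded `%00` has been decoded by the time a caller reaches this method is not visible in this hunk and is worth confirming against the call sites. The method continues past the end of the hunk.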
diff --git a/test/org/apache/tomcat/util/http/TestRequestUtilNormalize.java
b/test/org/apache/tomcat/util/http/TestRequestUtilNormalize.java
index b6428682bd..040ba10315 100644
--- a/test/org/apache/tomcat/util/http/TestRequestUtilNormalize.java
+++ b/test/org/apache/tomcat/util/http/TestRequestUtilNormalize.java
@@ -59,6 +59,9 @@ public class TestRequestUtilNormalize {
parameterSets.add(new String[] { "/a/b/.", "/a/b" });
parameterSets.add(new String[] { "/a/b/../", "/a/" });
parameterSets.add(new String[] { "/a/b/./", "/a/b/" });
+ parameterSets.add(new String[] { "/a\u0000/b/./", null });
+ parameterSets.add(new String[] { "\u0000/a/b/./", null });
+ parameterSets.add(new String[] { "/a/b/./\u0000", null });
return parameterSets;
}
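Review bot: The three new parameter sets cover a NUL byte at the start, in the middle and at the end of a multi-segment path, but none covers the degenerate inputs the guard also has to handle, such as a path that is only a NUL character; adding `parameterSets.add(new String[] { "\u0000", null });` pins that boundary. A case combining a NUL with a backslash (for example `"/a\\b\u0000"`) would also show that rejection does not depend on the replaceBackSlash setting, assuming the harness exercises that flag, which is not visible in this hunk. The enclosing method starts above the hunk; only its tail is shown.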
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 1f5e40dc4c..ca7822a7c7 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -139,6 +139,10 @@
Fix various minor issues with some HTTP/2 stream error messages for
HTTP/2. (markt)
</fix>
+ <fix>
+ Consistently reject URIs containing <code>NULL</code> bytes when
+ normalizing. (markt)
+ </fix>
</changelog>
</subsection>
</section>