This is an automated email from the ASF dual-hosted git repository.

rmaucher pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/9.0.x by this push:
     new 5de34ca7e7 Minor fixes from code review
5de34ca7e7 is described below

commit 5de34ca7e743f3e1caccc6a635f9ce5bdc4bf318
Author: remm <[email protected]>
AuthorDate: Thu Jul 16 15:28:57 2026 +0200

    Minor fixes from code review
---
 java/org/apache/catalina/util/XMLWriter.java       |  3 +--
 .../catalina/valves/AbstractAccessLogValve.java    |  8 +++----
 .../valves/CrawlerSessionManagerValve.java         |  2 +-
 .../apache/catalina/valves/ErrorReportValve.java   | 14 ++++++++++--
 .../catalina/valves/ExtendedAccessLogValve.java    |  7 +++++-
 .../apache/catalina/valves/JsonAccessLogValve.java |  1 +
 .../apache/catalina/valves/LocalStrings.properties |  3 +++
 .../catalina/valves/ParameterLimitValve.java       |  2 +-
 .../apache/catalina/valves/PersistentValve.java    |  6 +++---
 java/org/apache/catalina/valves/RemoteIpValve.java | 25 ++++++++++++++++------
 .../apache/catalina/valves/RequestFilterValve.java | 10 ++++-----
 java/org/apache/catalina/valves/SSLValve.java      |  1 +
 .../org/apache/catalina/valves/SemaphoreValve.java |  8 +++++++
 .../catalina/valves/rewrite/RewriteRule.java       |  1 +
 14 files changed, 66 insertions(+), 25 deletions(-)

diff --git a/java/org/apache/catalina/util/XMLWriter.java 
b/java/org/apache/catalina/util/XMLWriter.java
index a2eb721e8f..c14c9c2ad4 100644
--- a/java/org/apache/catalina/util/XMLWriter.java
+++ b/java/org/apache/catalina/util/XMLWriter.java
@@ -22,8 +22,7 @@ import java.io.Writer;
 import org.apache.tomcat.util.security.Escape;
 
 /**
- * XMLWriter helper class. writeText is the only method in the class doing
- * XML escaping.
+ * XMLWriter helper class.
  */
 public class XMLWriter {
 
diff --git a/java/org/apache/catalina/valves/AbstractAccessLogValve.java 
b/java/org/apache/catalina/valves/AbstractAccessLogValve.java
index 716ba4dea5..bc82d1233e 100644
--- a/java/org/apache/catalina/valves/AbstractAccessLogValve.java
+++ b/java/org/apache/catalina/valves/AbstractAccessLogValve.java
@@ -2209,16 +2209,16 @@ public abstract class AbstractAccessLogValve extends 
ValveBase implements Access
      * - %to trailer response header - %V server name per UseCanonicalName 
setting
      *
      * The following escaped elements are not escaped in Tomcat because values 
that would require escaping are rejected
-     * before they reach the AccessLogValve: - %h remote host - %H request 
protocol - %m request method - %q query
-     * string - %r request line - %U request URI - %v canonical server name
+     * before they reach the AccessLogValve: - %h remote host - %H request 
protocol - %m request method
+     * - %v canonical server name
      *
      * The following escaped elements are supported by Tomcat: - %{}i request 
header - %{}o response header - %u remote
      * user
      *
      * The following additional Tomcat elements are escaped for consistency: - 
%{}c cookie value - %{}r request
-     * attribute - %{}s session attribute
+     * attribute - %{}s session attribute - %q query string - %r request line 
- %U request URI
      *
-     * giving a total of 6 elements that are escaped in Tomcat.
+     * giving a total of 9 elements that are escaped in Tomcat.
      *
      * Quoting from the httpd docs: "...non-printable and other special 
characters in %r, %i and %o are escaped using
      * \xhh sequences, where hh stands for the hexadecimal representation of 
the raw byte. Exceptions from this rule are
diff --git a/java/org/apache/catalina/valves/CrawlerSessionManagerValve.java 
b/java/org/apache/catalina/valves/CrawlerSessionManagerValve.java
index 58ff046a1b..856a6e9131 100644
--- a/java/org/apache/catalina/valves/CrawlerSessionManagerValve.java
+++ b/java/org/apache/catalina/valves/CrawlerSessionManagerValve.java
@@ -73,7 +73,7 @@ public class CrawlerSessionManagerValve extends ValveBase {
 
     /**
      * Specify the regular expression (using {@link Pattern}) that will be 
used to identify crawlers based in the
-     * User-Agent header provided. The default is 
".*GoogleBot.*|.*bingbot.*|.*Yahoo! Slurp.*"
+     * User-Agent header provided. The default is ".*[bB]ot.*|.*Yahoo! 
Slurp.*|.*Feedfetcher-Google.*"
      *
      * @param crawlerUserAgents The regular expression using {@link Pattern}
      */
diff --git a/java/org/apache/catalina/valves/ErrorReportValve.java 
b/java/org/apache/catalina/valves/ErrorReportValve.java
index a3369b6ad0..3a33b39647 100644
--- a/java/org/apache/catalina/valves/ErrorReportValve.java
+++ b/java/org/apache/catalina/valves/ErrorReportValve.java
@@ -441,7 +441,12 @@ public class ErrorReportValve extends ValveBase {
      */
     public boolean setProperty(String name, String value) {
         if (name.startsWith("errorCode.")) {
-            int code = Integer.parseInt(name.substring(10));
+            int code;
+            try {
+                code = Integer.parseInt(name.substring(10));
+            } catch (NumberFormatException e) {
+                return false;
+            }
             ErrorPage ep = new ErrorPage();
             ep.setErrorCode(code);
             ep.setLocation(value);
@@ -468,7 +473,12 @@ public class ErrorReportValve extends ValveBase {
     public String getProperty(String name) {
         String result;
         if (name.startsWith("errorCode.")) {
-            int code = Integer.parseInt(name.substring(10));
+            int code;
+            try {
+                code = Integer.parseInt(name.substring(10));
+            } catch (NumberFormatException e) {
+                return null;
+            }
             ErrorPage ep = errorPageSupport.find(code);
             if (ep == null) {
                 result = null;
diff --git a/java/org/apache/catalina/valves/ExtendedAccessLogValve.java 
b/java/org/apache/catalina/valves/ExtendedAccessLogValve.java
index 16d8f32fc2..aa8e4c665b 100644
--- a/java/org/apache/catalina/valves/ExtendedAccessLogValve.java
+++ b/java/org/apache/catalina/valves/ExtendedAccessLogValve.java
@@ -342,7 +342,7 @@ public class ExtendedAccessLogValve extends AccessLogValve {
 
         @Override
         public void addElement(CharArrayWriter buf, Date date, Request 
request, Response response, long time) {
-            wrap(request.getAttribute(attribute), buf);
+            wrap(request == null ? "??" : request.getAttribute(attribute), 
buf);
         }
     }
 
@@ -368,7 +368,12 @@ public class ExtendedAccessLogValve extends AccessLogValve 
{
                 session = request.getSession(false);
                 if (session != null) {
                     wrap(session.getAttribute(attribute), buf);
+                    return;
+                } else {
+                    buf.append('-');
                 }
+            } else {
+                buf.append("??");
             }
         }
     }
diff --git a/java/org/apache/catalina/valves/JsonAccessLogValve.java 
b/java/org/apache/catalina/valves/JsonAccessLogValve.java
index 278ccfbbe1..4a910aa0d7 100644
--- a/java/org/apache/catalina/valves/JsonAccessLogValve.java
+++ b/java/org/apache/catalina/valves/JsonAccessLogValve.java
@@ -283,6 +283,7 @@ public class JsonAccessLogValve extends AccessLogValve {
             if (quoteValue) {
                 buf.append('"');
             }
+            // The value will already be log escaped
             delegate.addElement(buf, date, request, response, time);
             if (quoteValue) {
                 buf.append('"');
diff --git a/java/org/apache/catalina/valves/LocalStrings.properties 
b/java/org/apache/catalina/valves/LocalStrings.properties
index 771bcc6f63..5b8053a6a4 100644
--- a/java/org/apache/catalina/valves/LocalStrings.properties
+++ b/java/org/apache/catalina/valves/LocalStrings.properties
@@ -167,6 +167,9 @@ remoteIpValve.invalidRemoteAddress=Unable to determine the 
remote host because t
 requestFilterValve.configInvalid=One or more invalid configuration settings 
were provided for the Remote[Addr|Host]Valve which prevented the Valve and its 
parent containers from starting
 requestFilterValve.deny=Denied request for [{0}] based on property [{1}]
 
+semaphoreValve.invalidConcurrency=Invalid concurrency value [{0}] specified
+semaphoreValve.invalidStatus=Invalid high concurrency status [{0}] specified
+
 sslValve.certError=Failed to process certificate string [{0}] to create a 
java.security.cert.X509Certificate object
 sslValve.invalidHeader=Invalid value [{0}] for header [{1}]
 sslValve.invalidProvider=The SSL provider specified on the connector 
associated with this request of [{0}] is invalid. The certificate data could 
not be processed.
diff --git a/java/org/apache/catalina/valves/ParameterLimitValve.java 
b/java/org/apache/catalina/valves/ParameterLimitValve.java
index 796715c86b..c63a2484ee 100644
--- a/java/org/apache/catalina/valves/ParameterLimitValve.java
+++ b/java/org/apache/catalina/valves/ParameterLimitValve.java
@@ -61,7 +61,7 @@ import org.apache.tomcat.util.file.ConfigurationSource;
  * <pre>
  * {@code
  * <Context>
- *     <Valve className="org.apache.catalina.valves.ParameterLimitValve"
+ *     <Valve className="org.apache.catalina.valves.ParameterLimitValve"/>
  * </Context>
  * }
  * and in <code>parameter_limit.config</code>:
diff --git a/java/org/apache/catalina/valves/PersistentValve.java 
b/java/org/apache/catalina/valves/PersistentValve.java
index 8539130919..cd699778bb 100644
--- a/java/org/apache/catalina/valves/PersistentValve.java
+++ b/java/org/apache/catalina/valves/PersistentValve.java
@@ -51,8 +51,8 @@ import org.apache.juli.logging.LogFactory;
  * <p>
  * To avoid conflicts and/or errors when updating the session store, each 
session must only be accessed by no more than
  * one concurrent request. The {@code filter} field can be used to define 
requests (e.g. those for static resources)
- * that do not need access to the session and can Requests for resources that 
do not need to access the session and can
- * bypass the session load/save functionality provided by this Valve.
+ * that do not need access to the session and can bypass the session load/save 
functionality
+ * provided by this Valve.
  * <p>
  * The Valve uses a per session {@code Semaphore} to ensure that each session 
is accessed by no more than one request at
  * a time within a single Tomcat instance. The behaviour if multiple requests 
try to access the session concurrently can
@@ -333,7 +333,7 @@ public class PersistentValve extends ValveBase {
         if (session != null) {
             int maxInactiveInterval = session.getMaxInactiveInterval();
             if (maxInactiveInterval > 0) {
-                int timeIdle = (int) (session.getIdleTimeInternal() / 1000L);
+                long timeIdle = session.getIdleTimeInternal() / 1000L;
                 return timeIdle >= maxInactiveInterval;
             }
         }
diff --git a/java/org/apache/catalina/valves/RemoteIpValve.java 
b/java/org/apache/catalina/valves/RemoteIpValve.java
index d06e2057ee..4f336d3a89 100644
--- a/java/org/apache/catalina/valves/RemoteIpValve.java
+++ b/java/org/apache/catalina/valves/RemoteIpValve.java
@@ -20,6 +20,7 @@ import java.io.IOException;
 import java.net.InetAddress;
 import java.net.UnknownHostException;
 import java.util.ArrayDeque;
+import java.util.ArrayList;
 import java.util.Deque;
 import java.util.Enumeration;
 import java.util.Iterator;
@@ -657,9 +658,15 @@ public class RemoteIpValve extends ValveBase {
         final String originalLocalName = isChangeLocalName() ? 
request.getLocalName() : null;
         final int originalServerPort = request.getServerPort();
         final int originalLocalPort = request.getLocalPort();
-        final String originalProxiesHeader = request.getHeader(proxiesHeader);
-        final String originalRemoteIpHeader = 
request.getHeader(remoteIpHeader);
         boolean isInternal = internalProxies != null && 
internalProxies.matcher(originalRemoteAddr).matches();
+        final List<String> originalProxiesHeaderValues = new ArrayList<>();
+        for (Enumeration<String> e = request.getHeaders(proxiesHeader); 
e.hasMoreElements();) {
+            originalProxiesHeaderValues.add(e.nextElement());
+        }
+        final List<String> originalRemoteIpHeaderValues = new ArrayList<>();
+        for (Enumeration<String> e = request.getHeaders(remoteIpHeader); 
e.hasMoreElements();) {
+            originalRemoteIpHeaderValues.add(e.nextElement());
+        }
 
         if (isInternal || (trustedProxies != null && 
trustedProxies.matcher(originalRemoteAddr).matches())) {
             String remoteIp = null;
@@ -815,16 +822,22 @@ public class RemoteIpValve extends ValveBase {
                 request.setLocalPort(originalLocalPort);
 
                 MimeHeaders headers = 
request.getCoyoteRequest().getMimeHeaders();
-                if (originalProxiesHeader == null || 
originalProxiesHeader.isEmpty()) {
+                if (originalProxiesHeaderValues.isEmpty()) {
                     headers.removeHeader(proxiesHeader);
                 } else {
-                    
headers.setValue(proxiesHeader).setString(originalProxiesHeader);
+                    headers.removeHeader(proxiesHeader);
+                    for (String v : originalProxiesHeaderValues) {
+                        headers.addValue(proxiesHeader).setString(v);
+                    }
                 }
 
-                if (originalRemoteIpHeader == null || 
originalRemoteIpHeader.isEmpty()) {
+                if (originalRemoteIpHeaderValues.isEmpty()) {
                     headers.removeHeader(remoteIpHeader);
                 } else {
-                    
headers.setValue(remoteIpHeader).setString(originalRemoteIpHeader);
+                    headers.removeHeader(remoteIpHeader);
+                    for (String v : originalRemoteIpHeaderValues) {
+                        headers.addValue(remoteIpHeader).setString(v);
+                    }
                 }
             }
         }
diff --git a/java/org/apache/catalina/valves/RequestFilterValve.java 
b/java/org/apache/catalina/valves/RequestFilterValve.java
index f1ef980e73..545731eb74 100644
--- a/java/org/apache/catalina/valves/RequestFilterValve.java
+++ b/java/org/apache/catalina/valves/RequestFilterValve.java
@@ -43,8 +43,8 @@ import org.apache.juli.logging.Log;
  * this request will be rejected with a "Forbidden" HTTP response.</li>
  * <li>If there is an allow expression configured, the property will be 
compared to each such expression. If a match is
  * found, this request will be allowed to pass through to the next Valve in 
the current pipeline.</li>
- * <li>If a deny expression was specified but no allow expression, allow this 
request to pass through (because none of
- * the deny expressions matched it).
+ * <li>If a deny expression was specified but no allow expression was 
specified, allow this request to pass through
+ * (because none of the deny expressions matched it).</li>
  * <li>The request will be rejected with a "Forbidden" HTTP response.</li>
  * </ul>
  * <p>
@@ -123,7 +123,7 @@ public abstract class RequestFilterValve extends ValveBase {
     private volatile boolean addConnectorPort = false;
 
     /**
-     * Flag deciding whether we use the connection peer address or the remote 
address. This makes a dfifference when
+     * Flag deciding whether we use the connection peer address or the remote 
address. This makes a difference when
      * using AJP or the RemoteIpValve.
      */
     private volatile boolean usePeerAddress = false;
@@ -284,7 +284,7 @@ public abstract class RequestFilterValve extends ValveBase {
 
 
     /**
-     * Get the flag deciding whether we use the connection peer address or the 
remote address. This makes a dfifference
+     * Get the flag deciding whether we use the connection peer address or the 
remote address. This makes a difference
      * when using AJP or the RemoteIpValve.
      *
      * @return <code>true</code> if we use the connection peer address
@@ -295,7 +295,7 @@ public abstract class RequestFilterValve extends ValveBase {
 
 
     /**
-     * Set the flag deciding whether we use the connection peer address or the 
remote address. This makes a dfifference
+     * Set the flag deciding whether we use the connection peer address or the 
remote address. This makes a difference
      * when using AJP or the RemoteIpValve.
      *
      * @param usePeerAddress The new flag
diff --git a/java/org/apache/catalina/valves/SSLValve.java 
b/java/org/apache/catalina/valves/SSLValve.java
index ca3b14d546..3470642b40 100644
--- a/java/org/apache/catalina/valves/SSLValve.java
+++ b/java/org/apache/catalina/valves/SSLValve.java
@@ -235,6 +235,7 @@ public class SSLValve extends ValveBase {
                 } catch (NoSuchProviderException e) {
                     log.error(sm.getString("sslValve.invalidProvider", 
providerName), e);
                 }
+                // If parsing fails, remove certificates
                 request.setAttribute(Globals.CERTIFICATES_ATTR, jsseCerts);
             }
         }
diff --git a/java/org/apache/catalina/valves/SemaphoreValve.java 
b/java/org/apache/catalina/valves/SemaphoreValve.java
index 12ab42a32d..096a473069 100644
--- a/java/org/apache/catalina/valves/SemaphoreValve.java
+++ b/java/org/apache/catalina/valves/SemaphoreValve.java
@@ -79,6 +79,10 @@ public class SemaphoreValve extends ValveBase {
      * @param concurrency the concurrency level
      */
     public void setConcurrency(int concurrency) {
+        if (concurrency < 0) {
+            throw new IllegalArgumentException(
+                    sm.getString("semaphoreValve.invalidConcurrency", 
Integer.valueOf(concurrency)));
+        }
         this.concurrency = concurrency;
     }
 
@@ -175,6 +179,10 @@ public class SemaphoreValve extends ValveBase {
      * @param highConcurrencyStatus the status code to return
      */
     public void setHighConcurrencyStatus(int highConcurrencyStatus) {
+        if (highConcurrencyStatus != -1 && (highConcurrencyStatus < 100 || 
highConcurrencyStatus >= 600)) {
+            throw new IllegalArgumentException(
+                    sm.getString("semaphoreValve.invalidStatus", 
Integer.valueOf(highConcurrencyStatus)));
+        }
         this.highConcurrencyStatus = highConcurrencyStatus;
     }
 
diff --git a/java/org/apache/catalina/valves/rewrite/RewriteRule.java 
b/java/org/apache/catalina/valves/rewrite/RewriteRule.java
index 49c0353636..91777daa59 100644
--- a/java/org/apache/catalina/valves/rewrite/RewriteRule.java
+++ b/java/org/apache/catalina/valves/rewrite/RewriteRule.java
@@ -89,6 +89,7 @@ public class RewriteRule {
         if (isNocase()) {
             flags |= Pattern.CASE_INSENSITIVE;
         }
+        // Check that the pattern compiles
         Pattern.compile(patternString, flags);
         // Parse conditions
         for (RewriteCond condition : conditions) {


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to