Author: markt Date: Wed Jul 30 07:26:41 2008 New Revision: 681065 URL: http://svn.apache.org/viewvc?rev=681065&view=rev Log: Port r678137 from 6.0.x Additional normalization check
Modified: tomcat/connectors/trunk/coyote/src/java/org/apache/coyote/tomcat4/CoyoteAdapter.java tomcat/container/branches/tc4.1.x/RELEASE-NOTES-4.1.txt Modified: tomcat/connectors/trunk/coyote/src/java/org/apache/coyote/tomcat4/CoyoteAdapter.java URL: http://svn.apache.org/viewvc/tomcat/connectors/trunk/coyote/src/java/org/apache/coyote/tomcat4/CoyoteAdapter.java?rev=681065&r1=681064&r2=681065&view=diff ============================================================================== --- tomcat/connectors/trunk/coyote/src/java/org/apache/coyote/tomcat4/CoyoteAdapter.java (original) +++ tomcat/connectors/trunk/coyote/src/java/org/apache/coyote/tomcat4/CoyoteAdapter.java Wed Jul 30 07:26:41 2008 @@ -264,6 +264,13 @@ } } + // Check that the URI is still normalized + if (!checkNormalize(req.decodedURI())) { + res.setStatus(400); + res.setMessage("Invalid URI character encoding"); + throw new IOException("Invalid URI character encoding"); + } + // Parse cookies parseCookies(req, request); @@ -675,6 +682,67 @@ } + /** + * Check that the URI is normalized following character decoding. + * <p> + * This method checks for "\", 0, "//", "/./" and "/../". This method will + * return false if sequences that are supposed to be normalized are still + * present in the URI. + * + * @param uriMB URI to be checked (should be chars) + */ + public static boolean checkNormalize(MessageBytes uriMB) { + + CharChunk uriCC = uriMB.getCharChunk(); + char[] c = uriCC.getChars(); + int start = uriCC.getStart(); + int end = uriCC.getEnd(); + + int pos = 0; + + // Check for '\' and 0 + for (pos = start; pos < end; pos++) { + if (c[pos] == '\\') { + return false; + } + if (c[pos] == 0) { + return false; + } + } + + // Check for "//" + for (pos = start; pos < (end - 1); pos++) { + if (c[pos] == '/') { + if (c[pos + 1] == '/') { + return false; + } + } + } + + // Check for ending with "/." or "/.." + if (((end - start) >= 2) && (c[end - 1] == '.')) { + if ((c[end - 2] == '/') + || ((c[end - 2] == '.') + && (c[end - 3] == '/'))) { + return false; + } + } + + // Check for "/./" + if (uriCC.indexOf("/./", 0, 3, 0) >= 0) { + return false; + } + + // Check for "/../" + if (uriCC.indexOf("/../", 0, 4, 0) >= 0) { + return false; + } + + return true; + + } + + // ------------------------------------------------------ Protected Methods Modified: tomcat/container/branches/tc4.1.x/RELEASE-NOTES-4.1.txt URL: http://svn.apache.org/viewvc/tomcat/container/branches/tc4.1.x/RELEASE-NOTES-4.1.txt?rev=681065&r1=681064&r2=681065&view=diff ============================================================================== --- tomcat/container/branches/tc4.1.x/RELEASE-NOTES-4.1.txt (original) +++ tomcat/container/branches/tc4.1.x/RELEASE-NOTES-4.1.txt Wed Jul 30 07:26:41 2008 @@ -1993,6 +1993,9 @@ Fix security issues CVE-2007-3385 and CVE-2007-5333 in cookie handling that allowed session hi-jacking to occur. +[4.1.38] CoyoteConnector + Add additional checks for URI normalization. + ---------------- Jasper Bug Fixes: --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]