Author: markt
Date: Tue Sep 7 16:10:49 2010
New Revision: 993414
URL: http://svn.apache.org/viewvc?rev=993414&view=rev
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=38113
Add system property to allow spec compliant handling of query string
Modified:
tomcat/tc6.0.x/trunk/STATUS.txt
tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java
tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
tomcat/tc6.0.x/trunk/webapps/docs/config/systemprops.xml
Modified: tomcat/tc6.0.x/trunk/STATUS.txt
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=993414&r1=993413&r2=993414&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/STATUS.txt (original)
+++ tomcat/tc6.0.x/trunk/STATUS.txt Tue Sep 7 16:10:49 2010
@@ -160,12 +160,6 @@ PATCHES PROPOSED TO BACKPORT:
-1:
rjung: s/vesion/version/g
-* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=38113
- Add system property to allow spec compliant handling of query string
- http://people.apache.org/~markt/patches/2010-08-25-bug38113.patch
- +1: markt, kkolinko, rjung
- -1:
-
* Provide better web application state information via JMX
A limited back-port of http://svn.apache.org/viewvc?rev=992245&view=rev that
could be extended to other components that use LifecycleSupport and expose
Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java?rev=993414&r1=993413&r2=993414&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java
(original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java Tue
Sep 7 16:10:49 2010
@@ -83,16 +83,20 @@ import org.apache.catalina.util.StringPa
public class Request
implements HttpServletRequest {
-
- // ----------------------------------------------------------- Constructors
-
+ private final static boolean ALLOW_EMPTY_QUERY_STRING;
static {
// Ensure that classes are loaded for SM
new StringCache.ByteEntry();
new StringCache.CharEntry();
+
+ ALLOW_EMPTY_QUERY_STRING = Boolean.parseBoolean(System.getProperty(
+
"org.apache.catalina.connector.Request.ALLOW_EMPTY_QUERY_STRING",
+ Boolean.toString(Globals.STRICT_SERVLET_COMPLIANCE)));
}
+
+ // ----------------------------------------------------------- Constructors
public Request() {
formats[0].setTimeZone(GMT_ZONE);
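Review bot: The new `ALLOW_EMPTY_QUERY_STRING` field has no comment, so its effect on `getQueryString()` can only be learned from systemprops.xml. I would add above it `// If true, getQueryString() returns "" instead of null for a URI with a bare '?'; defaults to Globals.STRICT_SERVLET_COMPLIANCE.` The value is read once in the static initializer, so setting the system property after `Request` has been loaded has no effect, which belongs in the same comment. As a style point, `private static final` is the conventional modifier order. The `Request()` constructor body continues outside the hunk.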
@@ -1975,11 +1979,11 @@ public class Request
*/
public String getQueryString() {
String queryString = coyoteRequest.queryString().toString();
- if (queryString == null || queryString.equals("")) {
- return (null);
- } else {
- return queryString;
+ if (!ALLOW_EMPTY_QUERY_STRING && "".equals(queryString)) {
+ return null;
}
+
+ return queryString;
}
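Review bot: With the flag enabled, `getQueryString()` now returns `""` where it used to return `null`, so any caller that tests only `!= null` before appending `"?" + queryString` would start emitting a trailing `?`. Likely places are URL reconstruction for redirects, saved requests and logging. The hunk does not show those callers, so they should be checked against both modes. The Javadoc that ends at `*/` starts outside the hunk and should state the contract, for example `@return the query string; "" for a bare '?' when ALLOW_EMPTY_QUERY_STRING is set, otherwise null`.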
Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=993414&r1=993413&r2=993414&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Tue Sep 7 16:10:49 2010
@@ -50,6 +50,11 @@
<subsection name="Catalina">
<changelog>
<fix>
+ <bug>38113</bug>: Provide a system property that enables a strict
+ interpretation of the specification for <code>getQueryString()</code>
+ when an empty query string is provided by the user agent. (markt)
+ </fix>
+ <fix>
Return a copy of the current URLs for the
<code>WebappClassLoader</code>
to prevent modification. This facilitated, although it wasn't the root
cause, CVE-2010-1622. (markt)
Modified: tomcat/tc6.0.x/trunk/webapps/docs/config/systemprops.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/config/systemprops.xml?rev=993414&r1=993413&r2=993414&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/config/systemprops.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/config/systemprops.xml Tue Sep 7
16:10:49 2010
@@ -250,7 +250,16 @@
</property>
<property
- name="org.apache.catalina.session. StandardSession.ACTIVITY_CHECK">
+ name="org.apache.catalina. connector.Request.ALLOW_EMPTY_QUERY_STRING">
+ <p>If this is <code>true</code> Tomcat will return an empty string rather
+ than <code>null</code> for empty query strings - i.e. query strings where
+ only <code>?</code> is present. If not specified, the value of
+ <code>org.apache.catalina.STRICT_SERVLET_COMPLIANCE</code> will be used
as
+ the default.</p>
+ </property>
+
+ <property
+ name="org.apache.catalina.session. StandardSession.ACTIVITY_CHECK">
<p>If this is <code>true</code> or if
<code>org.apache.catalina.STRICT_SERVLET_COMPLIANCE</code> is
<code>true</code> Tomcat will track the number of active requests for
each