> -----Original Message-----
> From: Arieh Markel [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, March 21, 2001 11:16 AM
> To: [EMAIL PROTECTED]
> Subject: to trim or not to trim (was Re: cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/util FileUtil.java)
>
>
>
> > From: Yoshiyuki Karezaki <[EMAIL PROTECTED]>
> > To: [EMAIL PROTECTED]
> > Subject: Re: cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/util FileUtil.java
> >
> > Hi arieh,
> >
> > In article <cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/util FileUtil.java>,
> > [EMAIL PROTECTED] wrote:
> > | public static String patch(String path) {
> > | - String patchPath = path;
> > | + String patchPath = path.trim();
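Review bot: the `+` line reintroduces the trailing-whitespace stripping that the 1.9.2.6 fix had removed, which is exactly the concern raised in the reply: a request URL ending in `.jsp%20` decodes to a name that the rest of Tomcat does not treat as a JSP, while patch() trims it back to the `.jsp` file, so the page source ends up served as static content (Bugzilla #748). Either keep `String patchPath = path;` or deal with trailing spaces and CR LF at one early point in request processing so that every component sees the same path, instead of normalizing silently inside patch().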
> >
> > The fix of 1.9.2.6 becomes ineffective.
> > Should trim() be removed?
>
> Yoshiyuki,
>
> Thanks for your comments.
>
> Before I go ahead with reverting the code to what it was before, can you
> explain why the addition of trim makes the fix ineffective?
>
> The trim() protects from generating invalid paths that may result
> from appended spaces.
>
> Are you suggesting that we don't try to fix the possible existence of
> appended spaces (or CR LF)?
The trim() was removed to fix a security vulnerability that can
occur if the URL ends with ".jsp%20". This results in the JSP
being served statically. See Bugzilla Bug #748.

Where would valid spaces or CRLF come from? Perhaps we can look
for a better place to trim them. Doing this in patch() means
that some portions of Tomcat will see a request that is
technically different from what other portions see.

Cheers,
Larry
>
> Have you seen any problem with the current version?
>
> Other opinions ?
>
> Thanks,
>
> Arieh
>
> >
> > Yoshiyuki Karezaki [EMAIL PROTECTED]
>
> --
> Arieh Markel Sun Microsystems Inc.
> Network Storage 500 Eldorado Blvd. MS
> UBRM11-194
> e-mail: [EMAIL PROTECTED] Broomfield, CO 80021
> Pray for snow !!!! Phone: (303) 272-8547 x78547
> (e-mail me with subject SEND PUBLIC KEY to get public key)
>
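The mismatch Larry describes, as an added illustration that is not code from the thread or from Tomcat: a toy mapper picks the handler from the decoded URL while a stand-in for FileUtil.patch() trims the name, and a hardened variant rejects trailing whitespace once, up front, so both see the same path. The in-memory webapp, the handler names and all function names are constructed for this example.

```python
from urllib.parse import unquote

# Constructed in-memory "webapp": path -> file contents (not a real Tomcat layout).
WEBAPP = {"/index.jsp": "<% out.println(secret()); %>"}


def map_handler(decoded_path):
    """Mimic an extension-based mapper: only an exact '.jsp' suffix goes to the JSP engine."""
    return "jsp" if decoded_path.endswith(".jsp") else "static"


def patch(path, trim):
    """Stand-in for FileUtil.patch(); the disputed change is the trim() call."""
    return path.strip() if trim else path


def serve(url, trim):
    """Simulate one request and return (handler, outcome)."""
    decoded = unquote(url)            # "/index.jsp%20" -> "/index.jsp "
    handler = map_handler(decoded)    # the mapper sees the untrimmed name
    if handler == "jsp":
        return handler, "executed"
    file_path = patch(decoded, trim)  # the static handler sees the patched name
    if file_path in WEBAPP:
        return handler, "source leaked: " + WEBAPP[file_path]
    return handler, "404"


def serve_hardened(url):
    """Reject trailing spaces / CR LF at one early point instead of trimming inside patch()."""
    decoded = unquote(url)
    if decoded != decoded.rstrip(" \r\n"):
        return "rejected", "400"
    return serve(url, trim=False)
```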