craigmcc    01/03/30 13:38:48

  Modified:    catalina/src/share/org/apache/catalina/authenticator
                        AuthenticatorBase.java
  Log:
  Fix a further vulnerability related to the "may expose JSP source code"
  vulnerability.  Creative use of URL-encoded characters would also cause
  security constraints to be bypassed -- this is now corrected.
  
  Revision  Changes    Path
  1.10      +6 -4      
jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
  
  Index: AuthenticatorBase.java
  ===================================================================
  RCS file: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java,v
  retrieving revision 1.9
  retrieving revision 1.10
  diff -u -r1.9 -r1.10
  --- AuthenticatorBase.java    2001/03/14 02:26:51     1.9
  +++ AuthenticatorBase.java    2001/03/30 21:38:47     1.10
  @@ -1,7 +1,7 @@
   /*
  - * $Header: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java,v
 1.9 2001/03/14 02:26:51 craigmcc Exp $
  - * $Revision: 1.9 $
  - * $Date: 2001/03/14 02:26:51 $
  + * $Header: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java,v
 1.10 2001/03/30 21:38:47 craigmcc Exp $
  + * $Revision: 1.10 $
  + * $Date: 2001/03/30 21:38:47 $
    *
    * ====================================================================
    *
  @@ -96,6 +96,7 @@
   import org.apache.catalina.deploy.LoginConfig;
   import org.apache.catalina.deploy.SecurityConstraint;
   import org.apache.catalina.util.LifecycleSupport;
  +import org.apache.catalina.util.RequestUtil;
   import org.apache.catalina.util.StringManager;
   import org.apache.catalina.valves.ValveBase;
   
  @@ -117,7 +118,7 @@
    * requests.  Requests of any other type will simply be passed through.
    *
    * @author Craig R. McClanahan
  - * @version $Revision: 1.9 $ $Date: 2001/03/14 02:26:51 $
  + * @version $Revision: 1.10 $ $Date: 2001/03/30 21:38:47 $
    */
   
   
  @@ -671,6 +672,7 @@
        String contextPath = hreq.getContextPath();
        if (contextPath.length() > 0)
            uri = uri.substring(contextPath.length());
  +        uri = RequestUtil.URLDecode(uri); // Before checking constraints
        String method = hreq.getMethod();
        for (int i = 0; i < constraints.length; i++) {
            if (debug >= 2)
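Review bot: The added `uri = RequestUtil.URLDecode(uri); // Before checking constraints` decodes once but does not normalize the result, so a decoded path that still contains `.`/`..` segments or further percent-encoded sequences is matched against the constraints in a form that may differ from the one the container later uses to dispatch the request; the invariant a reviewer wants is that the constraint check sees exactly the same canonical path the mapper sees. Consider normalizing after decoding (collapsing `.`/`..` segments and rejecting a result that would escape the context) and stating that contract in the comment, e.g. `// Decode and normalize so constraints are matched on the same path the mapper dispatches on`. The decode also runs after the context path from `hreq.getContextPath()` has been stripped by length; if that value is already decoded while `uri` is not, the substring offset can be wrong for a context path containing encoded characters, so decoding before the strip (or deriving both from the same form) may be safer — worth confirming what `uri` holds, since its assignment is outside the hunk. The enclosing method starts and ends outside this hunk.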
  
  
  
