yoavs       2005/07/21 13:14:57

  Modified:    catalina/src/share/org/apache/catalina/deploy
                        SecurityCollection.java
               webapps/docs changelog.xml
  Log:
  Bugzilla 34805: http://issues.apache.org/bugzilla/show_bug.cgi?id=34805
  
  Revision  Changes    Path
  1.5       +21 -2     
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/deploy/SecurityCollection.java
  
  Index: SecurityCollection.java
  ===================================================================
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/deploy/SecurityCollection.java,v
  retrieving revision 1.4
  retrieving revision 1.5
  diff -u -r1.4 -r1.5
  --- SecurityCollection.java   13 May 2004 20:40:49 -0000      1.4
  +++ SecurityCollection.java   21 Jul 2005 20:14:57 -0000      1.5
  @@ -19,6 +19,10 @@
   
   
   import org.apache.catalina.util.RequestUtil;
  +
  +import org.apache.commons.logging.Log;
  +import org.apache.commons.logging.LogFactory;
  +
   import java.io.Serializable;
   
   
  @@ -39,6 +43,8 @@
   
   public class SecurityCollection implements Serializable {
   
  +    private static Log log = LogFactory.getLog(SecurityCollection.class);
  +
   
       // ----------------------------------------------------------- 
Constructors
   
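Review bot: The new logger field `private static Log log = LogFactory.getLog(SecurityCollection.class);` is not `final`, so a class-wide logger on a `Serializable` type is left reassignable for no reason; `private static final Log log = LogFactory.getLog(SecurityCollection.class);` states the intent and matches the usual commons-logging idiom. The class body continues outside this hunk.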
  @@ -180,10 +186,23 @@
   
           if (pattern == null)
               return;
  +
  +        // Bugzilla 34805: add friendly warning.
  +        if(pattern.endsWith("*")) {
  +          if (pattern.charAt(pattern.length()-1) != '/') {
  +            if (log.isDebugEnabled()) {
  +              log.warn("Suspicious url pattern: \"" + pattern + "\"" +
  +                       " - see 
http://java.sun.com/aboutJava/communityprocess/first/jsr053/servlet23_PFD.pdf"; +
  +                       "  section 11.2" );
  +            }
  +          }
  +        }
  +
           pattern = RequestUtil.URLDecode(pattern);
           String results[] = new String[patterns.length + 1];
  -        for (int i = 0; i < patterns.length; i++)
  +        for (int i = 0; i < patterns.length; i++) {
               results[i] = patterns[i];
  +        }
           results[patterns.length] = pattern;
           patterns = results;
   
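Review bot: The inner guard `if (pattern.charAt(pattern.length()-1) != '/')` is always true once `pattern.endsWith("*")` holds, because the last character is `*`, so every `*`-terminated pattern — including the well-formed path mapping `/foo/*` — triggers the warning and the case the comment targets is not distinguished. The character to inspect is the one before the `*`, with a length guard for the bare `*` pattern: `if (pattern.length() > 1 && pattern.charAt(pattern.length() - 2) != '/') {`. The message is also emitted only inside `if (log.isDebugEnabled())` although it is logged at warn level, so at a default log level a suspicious security constraint stays silent; `if (log.isWarnEnabled()) {` (or no guard at all) is what the warn call wants. The check also runs before `pattern = RequestUtil.URLDecode(pattern);`, so it judges the raw rather than the decoded form — moving it after the decode would presumably be more accurate, though that depends on what callers pass. The enclosing method begins and ends outside this hunk.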
  
  
  
  1.326     +3 -0      jakarta-tomcat-catalina/webapps/docs/changelog.xml
  
  Index: changelog.xml
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat-catalina/webapps/docs/changelog.xml,v
  retrieving revision 1.325
  retrieving revision 1.326
  diff -u -r1.325 -r1.326
  --- changelog.xml     21 Jul 2005 19:57:17 -0000      1.325
  +++ changelog.xml     21 Jul 2005 20:14:57 -0000      1.326
  @@ -179,6 +179,9 @@
           <bug>35769</bug>: Correct implementation of 
javax.naming.Context.composeName( Name, Name)
           in multiple places. Patch provided by Laurent Simon. (markt)
         </fix>
  +      <add>
  +        <bug>34805</bug>: Add warning for suspicious security patterns, as 
suggested by Ralf Hauser. (yoavs)
  +      </add>
       </changelog>
     </subsection>
     
  
  
  
