yoavs 2005/07/21 13:14:57
Modified: catalina/src/share/org/apache/catalina/deploy SecurityCollection.java webapps/docs changelog.xml
Log:
Bugzilla 34805: http://issues.apache.org/bugzilla/show_bug.cgi?id=34805
Revision Changes Path
1.5 +21 -2 jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/deploy/SecurityCollection.java
Index: SecurityCollection.java
===================================================================
RCS file: /home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/deploy/SecurityCollection.java,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- SecurityCollection.java 13 May 2004 20:40:49 -0000 1.4
+++ SecurityCollection.java 21 Jul 2005 20:14:57 -0000 1.5
@@ -19,6 +19,10 @@
 import org.apache.catalina.util.RequestUtil;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
 import java.io.Serializable;
@@ -39,6 +43,8 @@
 public class SecurityCollection implements Serializable {
+ private static Log log = LogFactory.getLog(SecurityCollection.class);
+
 // ----------------------------------------------------------- Constructors
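Review bot: The logger field added to SecurityCollection, `private static Log log = LogFactory.getLog(SecurityCollection.class);`, is assigned exactly once at class initialisation and should be declared `private static final Log log = LogFactory.getLog(SecurityCollection.class);` so it cannot be reassigned. Being static it is already outside the Serializable instance state, so no serialVersionUID impact follows from adding it.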
@@ -180,10 +186,23 @@
 if (pattern == null) return;
+
+ // Bugzilla 34805: add friendly warning.
+ if(pattern.endsWith("*")) {
+ if (pattern.charAt(pattern.length()-1) != '/') {
+ if (log.isDebugEnabled()) {
+ log.warn("Suspicious url pattern: \"" + pattern + "\"" +
+ " - see http://java.sun.com/aboutJava/communityprocess/first/jsr053/servlet23_PFD.pdf" +
+ " section 11.2" );
+ }
+ }
+ }
+
 pattern = RequestUtil.URLDecode(pattern);
 String results[] = new String[patterns.length + 1];
- for (int i = 0; i < patterns.length; i++)
+ for (int i = 0; i < patterns.length; i++) {
 results[i] = patterns[i];
+ }
 results[patterns.length] = pattern;
 patterns = results;
1.326 +3 -0 jakarta-tomcat-catalina/webapps/docs/changelog.xml
Index: changelog.xml
===================================================================
RCS file: /home/cvs/jakarta-tomcat-catalina/webapps/docs/changelog.xml,v
retrieving revision 1.325
retrieving revision 1.326
diff -u -r1.325 -r1.326
--- changelog.xml 21 Jul 2005 19:57:17 -0000 1.325
+++ changelog.xml 21 Jul 2005 20:14:57 -0000 1.326
@@ -179,6 +179,9 @@
 <bug>35769</bug>: Correct implementation of javax.naming.Context.composeName( Name, Name) in multiple places. Patch provided by Laurent Simon. (markt)
 </fix>
+ <add>
+ <bug>34805</bug>: Add warning for suspicious security patterns, as suggested by Ralf Hauser. (yoavs)
+ </add>
 </changelog>
 </subsection>
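Review bot: The new warning block in SecurityCollection is both unreachable in a normal deployment and wrong when it is reached: `log.warn(...)` is gated on `log.isDebugEnabled()`, and `pattern.charAt(pattern.length()-1)` is always the `*` that `endsWith("*")` just matched, so the inner `!= '/'` test is true for every wildcard pattern, including a correctly formed `/admin/*`. The intent, judging by the cited spec section, is presumably to flag patterns whose `*` is not preceded by `/` (for example `/admin*`), which the spec treats as an exact-match string rather than a path mapping, so a security constraint written that way silently protects less than its author expects; that is a real misconfiguration worth warning about, and it must not depend on debug logging. The two conditions should read `if (pattern.endsWith("*") && (pattern.length() < 2 || pattern.charAt(pattern.length() - 2) != '/')) {` with the length check guarding the bare `*` case, and the gate should be `if (log.isWarnEnabled()) {` or dropped altogether. The enclosing method starts before and ends after the hunk.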