--- jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/core/ApplicationContext.java 2009-06-09 17:08:55.000000000 +0200
+++ jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/core/ApplicationContext.java 2009-06-09 17:20:24.000000000 +0200
@@ -43,6 +43,7 @@
import org.apache.catalina.Wrapper;
import org.apache.catalina.deploy.ApplicationParameter;
import org.apache.catalina.util.Enumerator;
+import org.apache.catalina.util.RequestUtil;
import org.apache.catalina.util.ResourceSet;
import org.apache.catalina.util.ServerInfo;
import org.apache.catalina.util.StringManager;
@@ -387,7 +388,7 @@
path = path.substring(0, pos);
}
- path = normalize(path);
+ path = RequestUtil.normalize(path);
if (path == null)
return (null);
@@ -471,7 +472,7 @@
throw new MalformedURLException(sm.getString("applicationContext.requestDispatcher.iae", path));
}
- path = normalize(path);
+ path = RequestUtil.normalize(path);
if (path == null)
return (null);
@@ -520,10 +521,13 @@
*/
public InputStream getResourceAsStream(String path) {
- path = normalize(path);
if (path == null)
return (null);
+ path = RequestUtil.normalize(path);
+ if (path == null)
+ return null;
+
DirContext resources = context.getResources();
if (resources != null) {
try {
@@ -547,7 +551,14 @@
*/
public Set getResourcePaths(String path) {
- path = normalize(path);
+ if (path == null)
+ return (null);
+
+ if (!path.startsWith("/")) {
+ throw new IllegalArgumentException
+ (sm.getString("applicationContext.requestDispatcher.iae", path));
+ }
+ path = RequestUtil.normalize(path);
if (path == null)
return (null);
@@ -863,41 +874,6 @@
/**
- * Return a context-relative path, beginning with a "/", that represents
- * the canonical version of the specified path after ".." and "." elements
- * are resolved out. If the specified path attempts to go outside the
- * boundaries of the current context (i.e. too many ".." path elements
- * are present), return null instead.
- *
- * @param path Path to be normalized
- */
- private String normalize(String path) {
-
- String normalized = path;
-
- // Normalize the slashes and add leading slash if necessary
- if (normalized.indexOf('\\') >= 0)
- normalized = normalized.replace('\\', '/');
-
- // Resolve occurrences of "/../" in the normalized path
- while (true) {
- int index = normalized.indexOf("/../");
- if (index < 0)
- break;
- if (index == 0)
- return (null); // Trying to go outside our context
- int index2 = normalized.lastIndexOf('/', index - 1);
- normalized = normalized.substring(0, index2) +
- normalized.substring(index + 3);
- }
-
- // Return the normalized path that we have completed
- return (normalized);
-
- }
-
-
- /**
* Merge the context initialization parameters specified in the application
* deployment descriptor with the application parameters described in the
* server configuration, respecting the override property of
--- jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/core/ApplicationHttpRequest.java 2004-11-24 17:55:08.000000000 +0100
+++ jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/core/ApplicationHttpRequest.java 2009-06-09 17:20:24.000000000 +0200
@@ -316,10 +316,9 @@
int pos = requestPath.lastIndexOf('/');
String relative = null;
if (pos >= 0) {
- relative = RequestUtil.normalize
- (requestPath.substring(0, pos + 1) + path);
+ relative = requestPath.substring(0, pos + 1) + path;
} else {
- relative = RequestUtil.normalize(requestPath + path);
+ relative = requestPath + path;
}
return (context.getServletContext().getRequestDispatcher(relative));
--- jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java 2009-06-09 17:08:55.000000000 +0200
+++ jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java 2009-06-09 17:53:38.000000000 +0200
@@ -1502,7 +1502,7 @@
}
// Normalise destination path (remove '.' and '..')
- destinationPath = normalize(destinationPath);
+ destinationPath = RequestUtil.normalize(destinationPath);
String contextPath = req.getContextPath();
if ((contextPath != null) &&
@@ -2263,7 +2263,7 @@
if (!toAppend.startsWith("/"))
toAppend = "/" + toAppend;
- generatedXML.writeText(rewriteUrl(normalize(absoluteUri + toAppend)));
+ generatedXML.writeText(rewriteUrl(RequestUtil.normalize(absoluteUri + toAppend)));
generatedXML.writeElement(null, "href", XMLWriter.CLOSING);
--- jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/ssi/SSIServletExternalResolver.java 2004-11-24 17:55:14.000000000 +0100
+++ jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/ssi/SSIServletExternalResolver.java 2009-06-09 17:20:48.000000000 +0200
@@ -24,6 +24,8 @@
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import org.apache.catalina.util.RequestUtil;
+
/**
* An implementation of SSIExternalResolver that is used with servlets.
*
@@ -230,7 +232,7 @@
+ pathWithoutContext);
}
String fullPath = prefix + path;
- String retVal = SSIServletRequestUtil.normalize(fullPath);
+ String retVal = RequestUtil.normalize(fullPath);
if (retVal == null) {
throw new IOException("Normalization yielded null on path: "
+ fullPath);
@@ -264,7 +266,7 @@
if (!virtualPath.startsWith("/") && !virtualPath.startsWith("\\")) {
path = getAbsolutePath(virtualPath);
} else {
- String normalized = SSIServletRequestUtil.normalize(virtualPath);
+ String normalized = RequestUtil.normalize(virtualPath);
if (isVirtualWebappRelative) {
path = normalized;
} else {
--- jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/ssi/SSIServletRequestUtil.java 2004-11-24 17:55:14.000000000 +0100
+++ jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/ssi/SSIServletRequestUtil.java 2009-06-09 17:20:48.000000000 +0200
@@ -41,7 +41,7 @@
if ((result == null) || (result.equals(""))) {
result = "/";
}
- return normalize(result);
+ return RequestUtil.normalize(result);
}
@@ -57,15 +57,9 @@
*
* @param path
* Path to be normalized
+ * @deprecated
*/
public static String normalize(String path) {
- if (path == null) return null;
- String normalized = path;
- //Why doesn't RequestUtil do this??
- // Normalize the slashes and add leading slash if necessary
- if (normalized.indexOf('\\') >= 0)
- normalized = normalized.replace('\\', '/');
- normalized = RequestUtil.normalize(path);
- return normalized;
+ return RequestUtil.normalize(path);
}
}
--- jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/util/RequestUtil.java 2004-11-24 17:55:17.000000000 +0100
+++ jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/util/RequestUtil.java 2009-06-09 17:20:48.000000000 +0200
@@ -147,6 +147,19 @@
* @param path Relative path to be normalized
*/
public static String normalize(String path) {
+ return normalize(path, true);
+ }
+
+ /**
+ * Normalize a relative URI path that may have relative values ("/./",
+ * "/../", and so on ) it it. WARNING - This method is
+ * useful only for normalizing application-generated paths. It does not
+ * try to perform security checks for malicious input.
+ *
+ * @param path Relative path to be normalized
+ * @param replaceBackSlash Should '\\' be replaced with '/'
+ */
+ public static String normalize(String path, boolean replaceBackSlash) {
if (path == null)
return null;
@@ -154,6 +167,9 @@
// Create a place for the normalized path
String normalized = path;
+ if (replaceBackSlash && normalized.indexOf('\\') >= 0)
+ normalized = normalized.replace('\\', '/');
+
if (normalized.equals("/."))
return "/";
--- jakarta-tomcat-catalina/catalina/src/share/org/apache/coyote/tomcat5/CoyoteRequest.java 2009-06-09 17:08:55.000000000 +0200
+++ jakarta-tomcat-catalina/catalina/src/share/org/apache/coyote/tomcat5/CoyoteRequest.java 2009-06-09 17:54:07.000000000 +0200
@@ -1337,10 +1337,9 @@
int pos = requestPath.lastIndexOf('/');
String relative = null;
if (pos >= 0) {
- relative = RequestUtil.normalize
- (requestPath.substring(0, pos + 1) + path);
+ relative = requestPath.substring(0, pos + 1) + path;
} else {
- relative = RequestUtil.normalize(requestPath + path);
+ relative = requestPath + path;
}
return (context.getServletContext().getRequestDispatcher(relative));