Make filtering of /r and /n in headers consistent for all connectors.

Make handling of 404s consistent across components.
Provide option to include custom status message in headers. SRV.5.3 suggests custom messages are intended for the body of the response, not the status line.

git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@673796 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/java/org/apache/catalina/core/StandardContextValve.java b/java/org/apache/catalina/core/StandardContextValve.java
index 57d86b0..dd44836 100644 (file)
--- a/java/org/apache/catalina/core/StandardContextValve.java
+++ b/java/org/apache/catalina/core/StandardContextValve.java
@@ -120,8 +120,7 @@ final class StandardContextValve
             || (requestPathMB.equalsIgnoreCase("/META-INF"))
             || (requestPathMB.startsWithIgnoreCase("/WEB-INF/", 0))
             || (requestPathMB.equalsIgnoreCase("/WEB-INF"))) {
-            String requestURI = request.getDecodedRequestURI();
-            notFound(requestURI, response);
+            notFound(response);
             return;
         }
 
@@ -148,15 +147,13 @@ final class StandardContextValve
         // Select the Wrapper to be used for this Request
         Wrapper wrapper = request.getWrapper();
         if (wrapper == null) {
-            String requestURI = request.getDecodedRequestURI();
-            notFound(requestURI, response);
+            notFound(response);
             return;
         } else if (wrapper.isUnavailable()) {
             // May be as a result of a reload, try and find the new wrapper
             wrapper = (Wrapper) container.findChild(wrapper.getName());
             if (wrapper == null) {
-                String requestURI = request.getDecodedRequestURI();
-                notFound(requestURI, response);
+                notFound(response);
                 return;
             }
         }
@@ -305,13 +302,12 @@ final class StandardContextValve
      * application, but currently that code runs at the wrapper level rather
      * than the context level.
      *
-     * @param requestURI The request URI for the requested resource
      * @param response The response we are creating
      */
-    private void notFound(String requestURI, HttpServletResponse response) {
+    private void notFound(HttpServletResponse response) {
 
         try {
-            response.sendError(HttpServletResponse.SC_NOT_FOUND, requestURI);
+            response.sendError(HttpServletResponse.SC_NOT_FOUND);
         } catch (IllegalStateException e) {
             ;
         } catch (IOException e) {

diff --git a/java/org/apache/coyote/Constants.java b/java/org/apache/coyote/Constants.java
index 94647f1..1ce03fd 100644 (file)
--- a/java/org/apache/coyote/Constants.java
+++ b/java/org/apache/coyote/Constants.java
@@ -60,5 +60,12 @@ public final class Constants {
         (System.getSecurityManager() != null);
 
 
+    /**
+     * If true, custom HTTP status messages will be used in headers.
+     */
+    public static final boolean USE_CUSTOM_STATUS_MSG_IN_HEADER =
+        Boolean.valueOf(System.getProperty(
+                "org.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER",
+                "false")).booleanValue(); 
 
 }

diff --git a/java/org/apache/coyote/ajp/AjpAprProcessor.java b/java/org/apache/coyote/ajp/AjpAprProcessor.java
index 00d2ddc..f404716 100644 (file)
--- a/java/org/apache/coyote/ajp/AjpAprProcessor.java
+++ b/java/org/apache/coyote/ajp/AjpAprProcessor.java
@@ -917,7 +917,10 @@ public class AjpAprProcessor implements ActionHook {
 
         // HTTP header contents
         responseHeaderMessage.appendInt(response.getStatus());
-        String message = response.getMessage();
+        String message = null;
+        if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER) {
+            message = response.getMessage();
+        } 
         if (message == null){
             message = HttpMessages.getMessage(response.getStatus());
         } else {

diff --git a/java/org/apache/coyote/ajp/AjpProcessor.java b/java/org/apache/coyote/ajp/AjpProcessor.java
index fe4e17c..70bb391 100644 (file)
--- a/java/org/apache/coyote/ajp/AjpProcessor.java
+++ b/java/org/apache/coyote/ajp/AjpProcessor.java
@@ -923,7 +923,10 @@ public class AjpProcessor implements ActionHook {
 
         // HTTP header contents
         responseHeaderMessage.appendInt(response.getStatus());
-        String message = response.getMessage();
+        String message = null;
+        if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER) {
+            message = response.getMessage();
+        }
         if (message == null){
             message = HttpMessages.getMessage(response.getStatus());
         } else {

diff --git a/java/org/apache/coyote/http11/InternalAprOutputBuffer.java b/java/org/apache/coyote/http11/InternalAprOutputBuffer.java
index 926be3b..a668156 100644 (file)
--- a/java/org/apache/coyote/http11/InternalAprOutputBuffer.java
+++ b/java/org/apache/coyote/http11/InternalAprOutputBuffer.java
@@ -421,11 +421,14 @@ public class InternalAprOutputBuffer
         buf[pos++] = Constants.SP;
 
         // Write message
-        String message = response.getMessage();
+        String message = null;
+        if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER) {
+            message = response.getMessage();
+        }
         if (message == null) {
             write(HttpMessages.getMessage(status));
         } else {
-            write(message);
+            write(message.replace('\n', ' ').replace('\r', ' '));
         }
 
         // End the response status line

diff --git a/java/org/apache/coyote/http11/InternalNioOutputBuffer.java b/java/org/apache/coyote/http11/InternalNioOutputBuffer.java
index 14b736b..9c70083 100644 (file)
--- a/java/org/apache/coyote/http11/InternalNioOutputBuffer.java
+++ b/java/org/apache/coyote/http11/InternalNioOutputBuffer.java
@@ -478,11 +478,14 @@ public class InternalNioOutputBuffer
         buf[pos++] = Constants.SP;
 
         // Write message
-        String message = response.getMessage();
+        String message = null;
+        if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER) {
+            message = response.getMessage();
+        }
         if (message == null) {
             write(HttpMessages.getMessage(status));
         } else {
-            write(message);
+            write(message.replace('\n', ' ').replace('\r', ' '));
         }
 
         // End the response status line

diff --git a/java/org/apache/coyote/http11/InternalOutputBuffer.java b/java/org/apache/coyote/http11/InternalOutputBuffer.java
index 4445f23..efbfef8 100644 (file)
--- a/java/org/apache/coyote/http11/InternalOutputBuffer.java
+++ b/java/org/apache/coyote/http11/InternalOutputBuffer.java
@@ -438,11 +438,14 @@ public class InternalOutputBuffer
         buf[pos++] = Constants.SP;
 
         // Write message
-        String message = response.getMessage();
+        String message = null;
+        if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER) {
+            message = response.getMessage();
+        }
         if (message == null) {
-            write(getMessage(status));
+            write(HttpMessages.getMessage(status)); 
         } else {
-            write(message);
+            write(message.replace('\n', ' ').replace('\r', ' '));
         }
 
         // End the response status line

diff --git a/java/org/apache/jk/common/JkInputStream.java b/java/org/apache/jk/common/JkInputStream.java
index e2b363a..c23a103 100644 (file)
--- a/java/org/apache/jk/common/JkInputStream.java
+++ b/java/org/apache/jk/common/JkInputStream.java
@@ -272,7 +272,10 @@ public class JkInputStream implements InputBuffer, OutputBuffer {
         outputMsg.appendByte(AjpConstants.JK_AJP13_SEND_HEADERS);
         outputMsg.appendInt( res.getStatus() );
         
-        String message=res.getMessage();
+        String message = null;
+        if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER) {
+            message = res.getMessage();
+        } 
         if( message==null ){
             message= HttpMessages.getMessage(res.getStatus());
         } else {

diff --git a/webapps/docs/config/systemprops.xml b/webapps/docs/config/systemprops.xml
index 3ac66f8..a792ae9 100644 (file)
--- a/webapps/docs/config/systemprops.xml
+++ b/webapps/docs/config/systemprops.xml
@@ -189,6 +189,15 @@
       be used.</p>
     </property>
 
+    <property
+    name="org.apache.coyote. USE_CUSTOM_STATUS_MSG_IN_HEADER"><p>If this is
+      <code>true</code> custom HTTP status messages will be used within HTTP
+      headers. Users must ensure that any such message is ISO-8859-1 encoded,
+      particularly if user provided input is included in the message, to prevent
+      a possible XSS vulnerability. If not specified the default value of
+      <code>false</code> will be used.</p>
+    </property>
+
   </properties>
 
 </section>