From: markt
Date: Thu, 3 Jul 2008 20:52:42 +0000 (+0000)
Subject: Make filtering of /r and /n in headers consistent for all connectors.
X-Git-Url: https://git.internetallee.de/?a=commitdiff_plain;h=690cef7acca99e33ffc959a164c0320cc01a0ace;p=tomcat7.0
Make filtering of /r and /n in headers consistent for all connectors.
Make handling of 404s consistent across components.
Provide option to include custom status message in headers. SRV.5.3 suggests custom messages are intended for the body of the response, not the status line.
git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@673796 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/java/org/apache/catalina/core/StandardContextValve.java b/java/org/apache/catalina/core/StandardContextValve.java
index 57d86b0c5..dd4483619 100644
--- a/java/org/apache/catalina/core/StandardContextValve.java
+++ b/java/org/apache/catalina/core/StandardContextValve.java
@@ -120,8 +120,7 @@ final class StandardContextValve
|| (requestPathMB.equalsIgnoreCase("/META-INF"))
|| (requestPathMB.startsWithIgnoreCase("/WEB-INF/", 0))
|| (requestPathMB.equalsIgnoreCase("/WEB-INF"))) {
- String requestURI = request.getDecodedRequestURI();
- notFound(requestURI, response);
+ notFound(response);
return;
}
@@ -148,15 +147,13 @@ final class StandardContextValve
// Select the Wrapper to be used for this Request
Wrapper wrapper = request.getWrapper();
if (wrapper == null) {
- String requestURI = request.getDecodedRequestURI();
- notFound(requestURI, response);
+ notFound(response);
return;
} else if (wrapper.isUnavailable()) {
// May be as a result of a reload, try and find the new wrapper
wrapper = (Wrapper) container.findChild(wrapper.getName());
if (wrapper == null) {
- String requestURI = request.getDecodedRequestURI();
- notFound(requestURI, response);
+ notFound(response);
return;
}
}
@@ -305,13 +302,12 @@ final class StandardContextValve
* application, but currently that code runs at the wrapper level rather
* than the context level.
*
- * @param requestURI The request URI for the requested resource
* @param response The response we are creating
*/
- private void notFound(String requestURI, HttpServletResponse response) {
+ private void notFound(HttpServletResponse response) {
try {
- response.sendError(HttpServletResponse.SC_NOT_FOUND, requestURI);
+ response.sendError(HttpServletResponse.SC_NOT_FOUND);
} catch (IllegalStateException e) {
;
} catch (IOException e) {
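Review bot: The `catch (IllegalStateException e) { ; }` directly under the rewritten `sendError` call still swallows the exception with a bare `;` and no explanation; since this hunk already touches the method, naming the variable and stating the reason costs one line: `} catch (IllegalStateException ignored) { // response already committed (sendError contract); nothing more can be sent`. The Javadoc should also record why the decoded request URI is no longer passed as the message, which I take from the commit description to be that user-controlled input should not be echoed into the status line; something like `Sends a plain 404 without a custom message so that the (attacker-controlled) request URI is not reflected into the status line or error page.` belongs above the signature. notFound's body continues past the hunk (the IOException handler at the last line is cut), and the two earlier hunks in this file only update the call sites.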
diff --git a/java/org/apache/coyote/Constants.java b/java/org/apache/coyote/Constants.java
index 94647f127..1ce03fde1 100644
--- a/java/org/apache/coyote/Constants.java
+++ b/java/org/apache/coyote/Constants.java
@@ -60,5 +60,12 @@ public final class Constants {
(System.getSecurityManager() != null);
+ /**
+ * If true, custom HTTP status messages will be used in headers.
+ */
+ public static final boolean USE_CUSTOM_STATUS_MSG_IN_HEADER =
+ Boolean.valueOf(System.getProperty(
+ "org.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER",
+ "false")).booleanValue();
}
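Review bot: `Boolean.valueOf(System.getProperty("org.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER", "false")).booleanValue()` is the long form of `Boolean.getBoolean("org.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER")`, which reads the same property with the same false default. The Javadoc only says what true does; it should also state the default and what happens otherwise, since the connector hunks in this commit fall back to the standard reason phrase when the flag is false: `If true, the message set on the Response is written into the HTTP status line (after CR/LF filtering). Defaults to false, in which case the standard reason phrase from HttpMessages is used and a custom message only affects the response body.` Mentioning that this is off by default because user-provided text belongs in the body rather than the status line (the SRV.5.3 point in the commit description) would tell a maintainer why not to flip it casually.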
diff --git a/java/org/apache/coyote/ajp/AjpAprProcessor.java b/java/org/apache/coyote/ajp/AjpAprProcessor.java
index 00d2ddca5..f404716bd 100644
--- a/java/org/apache/coyote/ajp/AjpAprProcessor.java
+++ b/java/org/apache/coyote/ajp/AjpAprProcessor.java
@@ -917,7 +917,10 @@ public class AjpAprProcessor implements ActionHook {
// HTTP header contents
responseHeaderMessage.appendInt(response.getStatus());
- String message = response.getMessage();
+ String message = null;
+ if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER) {
+ message = response.getMessage();
+ }
if (message == null){
message = HttpMessages.getMessage(response.getStatus());
} else {
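Review bot: The `else` branch that actually appends a custom `message` to the AJP headers packet begins on the hunk's last line and its body is outside the hunk, so it is not visible whether the AJP path applies the same `replace('\n', ' ').replace('\r', ' ')` that the HTTP/1.1 buffers gain in this commit; given the title promises consistent CR/LF filtering for all connectors, that should be confirmed here and in the identical hunks in AjpProcessor and JkInputStream. If the AJP classes do filter, the filtering then exists in at least six places and is worth centralising (see the note on InternalAprOutputBuffer). The enclosing method starts and ends outside the hunk.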
diff --git a/java/org/apache/coyote/ajp/AjpProcessor.java b/java/org/apache/coyote/ajp/AjpProcessor.java
index fe4e17cfd..70bb3919c 100644
--- a/java/org/apache/coyote/ajp/AjpProcessor.java
+++ b/java/org/apache/coyote/ajp/AjpProcessor.java
@@ -923,7 +923,10 @@ public class AjpProcessor implements ActionHook {
// HTTP header contents
responseHeaderMessage.appendInt(response.getStatus());
- String message = response.getMessage();
+ String message = null;
+ if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER) {
+ message = response.getMessage();
+ }
if (message == null){
message = HttpMessages.getMessage(response.getStatus());
} else {
diff --git a/java/org/apache/coyote/http11/InternalAprOutputBuffer.java b/java/org/apache/coyote/http11/InternalAprOutputBuffer.java
index 926be3b03..a66815685 100644
--- a/java/org/apache/coyote/http11/InternalAprOutputBuffer.java
+++ b/java/org/apache/coyote/http11/InternalAprOutputBuffer.java
@@ -421,11 +421,14 @@ public class InternalAprOutputBuffer
buf[pos++] = Constants.SP;
// Write message
- String message = response.getMessage();
+ String message = null;
+ if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER) {
+ message = response.getMessage();
+ }
if (message == null) {
write(HttpMessages.getMessage(status));
} else {
- write(message);
+ write(message.replace('\n', ' ').replace('\r', ' '));
}
// End the response status line
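Review bot: The guard-and-filter block (`String message = null; if (USE_CUSTOM_STATUS_MSG_IN_HEADER) {...}` followed by `write(message.replace('\n', ' ').replace('\r', ' '))`) is pasted verbatim into this buffer and into InternalNioOutputBuffer and InternalOutputBuffer, and the same guard minus the filter into the three AJP classes, so the consistency this commit sets out to achieve depends on six copies staying identical. A single helper next to `HttpMessages.getMessage`, or on `org.apache.coyote.Response`, that returns the status message already filtered (or the standard phrase when the flag is off or the message is null) would let each buffer just `write(...)` its result and give one place to extend the filter. Note also that only CR and LF are replaced; the documentation hunk in this commit asks users to keep the message ISO-8859-1, so what `write(String)` does with characters outside that range, or with other control characters, is worth checking since that implementation is outside the hunk. The enclosing method starts and ends outside the hunk.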
diff --git a/java/org/apache/coyote/http11/InternalNioOutputBuffer.java b/java/org/apache/coyote/http11/InternalNioOutputBuffer.java
index 14b736b70..9c700838a 100644
--- a/java/org/apache/coyote/http11/InternalNioOutputBuffer.java
+++ b/java/org/apache/coyote/http11/InternalNioOutputBuffer.java
@@ -478,11 +478,14 @@ public class InternalNioOutputBuffer
buf[pos++] = Constants.SP;
// Write message
- String message = response.getMessage();
+ String message = null;
+ if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER) {
+ message = response.getMessage();
+ }
if (message == null) {
write(HttpMessages.getMessage(status));
} else {
- write(message);
+ write(message.replace('\n', ' ').replace('\r', ' '));
}
// End the response status line
diff --git a/java/org/apache/coyote/http11/InternalOutputBuffer.java b/java/org/apache/coyote/http11/InternalOutputBuffer.java
index 4445f2305..efbfef81c 100644
--- a/java/org/apache/coyote/http11/InternalOutputBuffer.java
+++ b/java/org/apache/coyote/http11/InternalOutputBuffer.java
@@ -438,11 +438,14 @@ public class InternalOutputBuffer
buf[pos++] = Constants.SP;
// Write message
- String message = response.getMessage();
+ String message = null;
+ if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER) {
+ message = response.getMessage();
+ }
if (message == null) {
- write(getMessage(status));
+ write(HttpMessages.getMessage(status));
} else {
- write(message);
+ write(message.replace('\n', ' ').replace('\r', ' '));
}
// End the response status line
diff --git a/java/org/apache/jk/common/JkInputStream.java b/java/org/apache/jk/common/JkInputStream.java
index e2b363a74..c23a10336 100644
--- a/java/org/apache/jk/common/JkInputStream.java
+++ b/java/org/apache/jk/common/JkInputStream.java
@@ -272,7 +272,10 @@ public class JkInputStream implements InputBuffer, OutputBuffer {
outputMsg.appendByte(AjpConstants.JK_AJP13_SEND_HEADERS);
outputMsg.appendInt( res.getStatus() );
- String message=res.getMessage();
+ String message = null;
+ if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER) {
+ message = res.getMessage();
+ }
if( message==null ){
message= HttpMessages.getMessage(res.getStatus());
} else {
diff --git a/webapps/docs/config/systemprops.xml b/webapps/docs/config/systemprops.xml
index 3ac66f88c..a792ae95a 100644
--- a/webapps/docs/config/systemprops.xml
+++ b/webapps/docs/config/systemprops.xml
@@ -189,6 +189,15 @@
be used.
+ If this is
+ true custom HTTP status messages will be used within HTTP
+ headers. Users must ensure that any such message is ISO-8859-1 encoded,
+ particularly if user provided input is included in the message, to prevent
+ a possible XSS vulnerability. If not specified the default value of
+ false will be used.
+
+