From b677f70334f2613aa92cca2c66e0674d98652db9 Mon Sep 17 00:00:00 2001
From: markt
Date: Wed, 4 Feb 2009 07:00:03 +0000
Subject: [PATCH] Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=46606 Max max depth limit configurable
git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@740635 13f79535-47bb-0310-9956-ffa450edef68
---
.../apache/catalina/servlets/WebdavServlet.java | 31 +++++++++++++---------
1 file changed, 18 insertions(+), 13 deletions(-)
diff --git a/java/org/apache/catalina/servlets/WebdavServlet.java b/java/org/apache/catalina/servlets/WebdavServlet.java
index e79ca0caf..7ce2ab9bd 100644
--- a/java/org/apache/catalina/servlets/WebdavServlet.java
+++ b/java/org/apache/catalina/servlets/WebdavServlet.java
@@ -132,12 +132,6 @@ public class WebdavServlet /** - * Default depth is infite. - */ - private static final int INFINITY = 3; // To limit tree browsing a bit - - - /** * PROPFIND - Specify a property mask. */ private static final int FIND_BY_PROPERTY = 0;
@@ -250,6 +244,13 @@ public class WebdavServlet private String secret = "catalina"; + /** + * Default depth in spec is infinite. Limit depth to 3 by default as + * infinite depth makes operations very expensive. + */ + private int maxDepth = 3; + + // --------------------------------------------------------- Public Methods
@@ -264,6 +265,10 @@ public class WebdavServlet if (getServletConfig().getInitParameter("secret") != null) secret = getServletConfig().getInitParameter("secret"); + if (getServletConfig().getInitParameter("maxDepth") != null) + maxDepth = Integer.parseInt( + getServletConfig().getInitParameter("maxDepth")); + // Load the MD5 helper used to calculate signatures. try { md5Helper = MessageDigest.getInstance("MD5");
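Review bot: The new `maxDepth` init-param goes straight into `Integer.parseInt` with no range check, so a negative or very large value is accepted silently; a large value effectively removes the cost bound that the field's Javadoc says this limit exists to provide. A non-numeric value surfaces as a bare NumberFormatException from what appears to be the servlet's init method, whose signature is outside the hunk. I would validate right after parsing, e.g. `if (maxDepth < 0) throw new IllegalArgumentException("maxDepth must be >= 0: " + maxDepth);`, and document the parameter and its accepted range next to the other init-params.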
@@ -438,21 +443,21 @@ public class WebdavServlet // Properties which are to be displayed. Vector properties = null; // Propfind depth - int depth = INFINITY; + int depth = maxDepth; // Propfind type int type = FIND_ALL_PROP; String depthStr = req.getHeader("Depth"); if (depthStr == null) { - depth = INFINITY; + depth = maxDepth; } else { if (depthStr.equals("0")) { depth = 0; } else if (depthStr.equals("1")) { depth = 1; } else if (depthStr.equals("infinity")) { - depth = INFINITY; + depth = maxDepth; } }
@@ -878,12 +883,12 @@ public class WebdavServlet String depthStr = req.getHeader("Depth"); if (depthStr == null) { - lock.depth = INFINITY; + lock.depth = maxDepth; } else { if (depthStr.equals("0")) { lock.depth = 0; } else { - lock.depth = INFINITY; + lock.depth = maxDepth; } }
@@ -1090,7 +1095,7 @@ public class WebdavServlet md5Encoder.encode(md5Helper.digest(lockTokenStr.getBytes())); if ( (exists) && (object instanceof DirContext) && - (lock.depth == INFINITY) ) { + (lock.depth == maxDepth) ) { // Locking a collection (and all its member resources)
@@ -2731,7 +2736,7 @@ public class WebdavServlet generatedXML.writeElement(null, "lockscope", XMLWriter.CLOSING); generatedXML.writeElement(null, "depth", XMLWriter.OPENING); - if (depth == INFINITY) { + if (depth == maxDepth) { generatedXML.writeText("Infinity"); } else { generatedXML.writeText("0");
-- 2.11.0
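Review bot: In the PROPFIND Depth parsing, an explicit `Depth: 1` still assigns `depth = 1` even when the administrator has configured `maxDepth` as 0, so the configured value caps only the missing-header and `infinity` cases. If `maxDepth` is meant to be a hard ceiling on traversal cost, which its name and Javadoc suggest, the branch should clamp: `depth = Math.min(1, maxDepth);`. If it is only the substitute for "infinity", a comment saying so on the field would prevent the misreading. The enclosing method starts and ends outside the hunk.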
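Review bot: `lock.depth == maxDepth` in the collection-lock check (and `depth == maxDepth` in the lock XML writer in the last hunk) now uses a configurable limit as the marker for an infinite-depth lock, a role the removed constant `INFINITY` played as a fixed sentinel. With `maxDepth` configured as 0, a `Depth: 0` lock satisfies the comparison, so it would be handled as a lock on the collection and all its members and reported as "Infinity", which changes what the lock is taken to cover. Keeping a private sentinel for lock depth and using `maxDepth` only to bound PROPFIND traversal avoids the overlap: `lock.depth = INFINITY;` in the LOCK header parsing and `(lock.depth == INFINITY)` in these two comparisons. The enclosing methods start and end outside these hunks.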