ASF Bugzilla – Attachment 34684 Details for
Bug 60594
RFC 7230/3986 url requirement that prevents unencoded curly braces should be optional, since it breaks existing sites
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Help
|
New Account
|
Log In
Remember
[x]
|
Forgot Password
Login:
[x]
[patch]
patch proposal
asfbz-60594.patch (text/plain), 2.18 KB, created by
Coty Sutherland
on 2017-01-27 18:42:03 UTC
(
hide
)
Description:
patch proposal
Filename:
MIME Type:
Creator:
Coty Sutherland
Created:
2017-01-27 18:42:03 UTC
Size:
2.18 KB
patch
obsolete
>Index: conf/catalina.properties >=================================================================== >--- conf/catalina.properties (revision 1780600) >+++ conf/catalina.properties (working copy) >@@ -131,3 +131,6 @@ > #tomcat.util.buf.StringCache.char.enabled=true > #tomcat.util.buf.StringCache.trainThreshold=500000 > #tomcat.util.buf.StringCache.cacheSize=5000 >+ >+# Allow for changes to HTTP request validation >+tomcat.util.http.parser.HttpParser.blacklist=" \"#<>\\^`{|}" >Index: java/org/apache/tomcat/util/http/parser/HttpParser.java >=================================================================== >--- java/org/apache/tomcat/util/http/parser/HttpParser.java (revision 1780600) >+++ java/org/apache/tomcat/util/http/parser/HttpParser.java (working copy) >@@ -61,6 +61,7 @@ > private static final boolean[] IS_HEX = new boolean[ARRAY_SIZE]; > private static final boolean[] IS_NOT_REQUEST_TARGET = new boolean[ARRAY_SIZE]; > private static final boolean[] IS_HTTP_PROTOCOL = new boolean[ARRAY_SIZE]; >+ private static final boolean[] IS_IN_BLACKLIST = new boolean[ARRAY_SIZE]; > > static { > // Digest field types. >@@ -82,6 +83,13 @@ > // RFC2617 says nc is 8LHEX. <">8LHEX<"> will also be accepted > fieldTypes.put("nc", FIELD_TYPE_LHEX); > >+ String prop = System.getProperty("tomcat.util.http.parser.HttpParser.blacklist"); >+ if (prop != null) { >+ for (int i = 0; i < prop.length(); i++) { >+ IS_IN_BLACKLIST[prop.charAt(i)] = true; >+ } >+ } >+ > for (int i = 0; i < ARRAY_SIZE; i++) { > // Control> 0-31, 127 > if (i < 32 || i == 127) { >@@ -109,9 +117,7 @@ > // Not valid for request target. > // Combination of multiple rules from RFC7230 and RFC 3986. Must be > // ASCII, no controls plus a few additional characters excluded >- if (IS_CONTROL[i] || i > 127 || >- i == ' ' || i == '\"' || i == '#' || i == '<' || i == '>' || i == '\\' || >- i == '^' || i == '`' || i == '{' || i == '|' || i == '}') { >+ if (IS_CONTROL[i] || i > 127 || IS_IN_BLACKLIST[i]) { > IS_NOT_REQUEST_TARGET[i] = true; > } >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=34684">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 60594
:
34684
|
34687
|
34694
|
34698