
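--- a/conf/catalina.properties
+++ b/conf/catalina.properties
@@ -131,3 +131,6 @@
 #tomcat.util.buf.StringCache.char.enabled=true
 #tomcat.util.buf.StringCache.trainThreshold=500000
 #tomcat.util.buf.StringCache.cacheSize=5000
+
+# Allow for changes to HTTP request validation
+#tomcat.util.http.parser.HttpParser.whitelist="|"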
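Review bot: The commented example on new line 136 wraps the character in double quotes, but properties values are not unquoted, and the loop added to HttpParser marks every character of the property value. Uncommenting the line as written would therefore whitelist `"` as well as `|`. The example should read `#tomcat.util.http.parser.HttpParser.whitelist=|`. The comment above it could also say that each character of the value is accepted unencoded in the request target, and that the value is read once, in HttpParser's static initializer.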
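--- a/java/org/apache/tomcat/util/http/parser/HttpParser.java
+++ b/java/org/apache/tomcat/util/http/parser/HttpParser.java
@@ -61,6 +61,7 @@
     private static final boolean[] IS_HEX = new boolean[ARRAY_SIZE];
     private static final boolean[] IS_NOT_REQUEST_TARGET = new boolean[ARRAY_SIZE];
     private static final boolean[] IS_HTTP_PROTOCOL = new boolean[ARRAY_SIZE];
+    private static final boolean[] IS_IN_WHITELIST = new boolean[ARRAY_SIZE];
 
     static {
         // Digest field types.
@@ -82,6 +83,13 @@
         // RFC2617 says nc is 8LHEX. <">8LHEX<"> will also be accepted
         fieldTypes.put("nc", FIELD_TYPE_LHEX);
 
+        String prop = System.getProperty("tomcat.util.http.parser.HttpParser.whitelist");
+        if (prop != null) {
+            for (int i = 0; i < prop.length(); i++) {
+                IS_IN_WHITELIST[prop.charAt(i)] = true;
+            }
+        }
+
         for (int i = 0; i < ARRAY_SIZE; i++) {
             // Control> 0-31, 127
             if (i < 32 || i == 127) {
@@ -112,7 +120,9 @@
             if (IS_CONTROL[i] || i > 127 ||
                     i == ' ' || i == '\"' || i == '#' || i == '<' || i == '>' || i == '\\' ||
                     i == '^' || i == '`'  || i == '{' || i == '|' || i == '}') {
-                IS_NOT_REQUEST_TARGET[i] = true;
+                if (!IS_IN_WHITELIST[i]) {
+                    IS_NOT_REQUEST_TARGET[i] = true;
+                }
             }
 
             // Not valid for HTTP protocol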
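Review bot: The whitelist loop at new lines 86-91 accepts any character from the system property, and the guard at new lines 123-125 then lifts the rejection for everything in that branch. That includes the `IS_CONTROL[i]` entries (0-31 and 127 per the comment at new line 94), space and `#`, not only printable delimiters such as `|`. A mistyped or over-broad value would make the parser accept raw control characters or spaces inside the request target, which intermediaries in front of Tomcat may delimit differently. I would restrict the loop to a fixed set, e.g. `char c = prop.charAt(i);` followed by `if (c == '{' || c == '|' || c == '}') { IS_IN_WHITELIST[c] = true; }`. This also avoids the `ArrayIndexOutOfBoundsException` that `IS_IN_WHITELIST[prop.charAt(i)]` throws from the static initializer when a character's code is at or above `ARRAY_SIZE`, whose value is not shown here; the static block itself starts before and ends after the hunks shown.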
