[patch] whitelist proposal limiting characters with docs

asfbz-60594.whitelist-with-docs.patch (text/plain), 2.87 KB, created by Coty Sutherland on 2017-01-30 14:54:33 UTC

(hide)

Description: whitelist proposal limiting characters with docs

Filename:

MIME Type:

Creator: Coty Sutherland

Created: 2017-01-30 14:54:33 UTC

Size: 2.87 KB

patch

obsolete

>Index: conf/catalina.properties >=================================================================== >--- conf/catalina.properties (revision 1780600) >+++ conf/catalina.properties (working copy) >@@ -131,3 +131,6 @@ > #tomcat.util.buf.StringCache.char.enabled=true > #tomcat.util.buf.StringCache.trainThreshold=500000 > #tomcat.util.buf.StringCache.cacheSize=5000 >+ >+# Allow for changes to HTTP request validation >+#tomcat.util.http.parser.HttpParser.whitelist="|" >Index: java/org/apache/tomcat/util/http/parser/HttpParser.java >=================================================================== >--- java/org/apache/tomcat/util/http/parser/HttpParser.java (revision 1780600) >+++ java/org/apache/tomcat/util/http/parser/HttpParser.java (working copy) >@@ -61,6 +61,7 @@ > private static final boolean[] IS_HEX = new boolean[ARRAY_SIZE]; > private static final boolean[] IS_NOT_REQUEST_TARGET = new boolean[ARRAY_SIZE]; > private static final boolean[] IS_HTTP_PROTOCOL = new boolean[ARRAY_SIZE]; >+ private static final boolean[] IS_IN_WHITELIST = new boolean[ARRAY_SIZE]; > > static { > // Digest field types. >@@ -82,6 +83,16 @@ > // RFC2617 says nc is 8LHEX. <">8LHEX<"> will also be accepted > fieldTypes.put("nc", FIELD_TYPE_LHEX); > >+ String prop = System.getProperty("tomcat.util.http.parser.HttpParser.whitelist"); >+ if (prop != null) { >+ for (int i = 0; i < prop.length(); i++) { >+ char c = prop.charAt(i); >+ if (c == '{' || c == '}' || c == '|') { >+ IS_IN_WHITELIST[c] = true; >+ } >+ } >+ } >+ > for (int i = 0; i < ARRAY_SIZE; i++) { > // Control> 0-31, 127 > if (i < 32 || i == 127) { >@@ -112,7 +123,9 @@ > if (IS_CONTROL[i] || i > 127 || > i == ' ' || i == '\"' || i == '#' || i == '<' || i == '>' || i == '\\' || > i == '^' || i == '`' || i == '{' || i == '|' || i == '}') { >- IS_NOT_REQUEST_TARGET[i] = true; >+ if (!IS_IN_WHITELIST[i]) { >+ IS_NOT_REQUEST_TARGET[i] = true; >+ } > } > > // Not valid for HTTP protocol >Index: webapps/docs/config/systemprops.xml >=================================================================== >--- webapps/docs/config/systemprops.xml (revision 1780600) >+++ webapps/docs/config/systemprops.xml (working copy) >@@ -708,6 +708,12 @@ > <p>If not specified, the default value of <code>3</code> will be used.</p> > </property> > >+ <property name="tomcat.util.http.parser.HttpParser.whitelist"> >+ <p>A string comprised of characters the server should allow even when they are not encoded. >+ These characters would normally result in a 400 status.</p> >+ <p>If not specified, the default value of <code>null</code> will be used.</p> >+ </property> >+ > </properties> > > </section> View Attachment As Diff View Attachment As Raw

This is ASF Bugzilla: the Apache Software Foundation bug system. In case of problems with the functioning of ASF Bugzilla, please contact bugzilla-admin@apache.org. Please Note: this e-mail address is only for reporting problems with ASF Bugzilla. Mail about any other subject will be silently ignored.

• • Home
  • | New
  • | Browse
  • | Search
  • |
    [?]
  • | Reports
  • | Help
  • | New Account
  • | Log In
    Remember [x]
  • | Forgot Password
    Login: [x]