ASF Bugzilla – Attachment 34694 Details for
Bug 60594
RFC 7230/3986 url requirement that prevents unencoded curly braces should be optional, since it breaks existing sites
[patch]
whitelist proposal limiting characters with docs
asfbz-60594.whitelist-with-docs.patch (text/plain), 2.87 KB, created by
Coty Sutherland
on 2017-01-30 14:54:33 UTC
Description:
whitelist proposal limiting characters with docs
Filename:
MIME Type:
Creator:
Coty Sutherland
Created:
2017-01-30 14:54:33 UTC
Size:
2.87 KB
>Index: conf/catalina.properties
>===================================================================
>--- conf/catalina.properties (revision 1780600)
>+++ conf/catalina.properties (working copy)
>@@ -131,3 +131,6 @@
> #tomcat.util.buf.StringCache.char.enabled=true
> #tomcat.util.buf.StringCache.trainThreshold=500000
> #tomcat.util.buf.StringCache.cacheSize=5000
>+
>+# Allow for changes to HTTP request validation
>+#tomcat.util.http.parser.HttpParser.whitelist="|"
>Index: java/org/apache/tomcat/util/http/parser/HttpParser.java
>===================================================================
>--- java/org/apache/tomcat/util/http/parser/HttpParser.java (revision 1780600)
>+++ java/org/apache/tomcat/util/http/parser/HttpParser.java (working copy)
>@@ -61,6 +61,7 @@
> private static final boolean[] IS_HEX = new boolean[ARRAY_SIZE];
> private static final boolean[] IS_NOT_REQUEST_TARGET = new boolean[ARRAY_SIZE];
> private static final boolean[] IS_HTTP_PROTOCOL = new boolean[ARRAY_SIZE];
>+ private static final boolean[] IS_IN_WHITELIST = new boolean[ARRAY_SIZE];
>
> static {
> // Digest field types.
>@@ -82,6 +83,16 @@
> // RFC2617 says nc is 8LHEX. <">8LHEX<"> will also be accepted
> fieldTypes.put("nc", FIELD_TYPE_LHEX);
>
>+ String prop = System.getProperty("tomcat.util.http.parser.HttpParser.whitelist");
>+ if (prop != null) {
>+ for (int i = 0; i < prop.length(); i++) {
>+ char c = prop.charAt(i);
>+ if (c == '{' || c == '}' || c == '|') {
>+ IS_IN_WHITELIST[c] = true;
>+ }
>+ }
>+ }
>+
> for (int i = 0; i < ARRAY_SIZE; i++) {
> // Control> 0-31, 127
> if (i < 32 || i == 127) {
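Review bot: The commented example in the conf/catalina.properties hunk, `#tomcat.util.http.parser.HttpParser.whitelist="|"`, wraps the value in double quotes, but a Java properties file keeps quotes as literal characters, so an administrator who uncomments it sets a three-character value. It only behaves as intended because the parsing loop added to HttpParser.java discards everything except `{`, `}` and `|`. Write the example unquoted, `#tomcat.util.http.parser.HttpParser.whitelist=|`, and extend the comment to name the three characters that are honoured and to say that setting it relaxes request-target validation.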
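Review bot: In the `@@ -82,6 +83,16 @@` hunk of HttpParser.java, any character in the property other than `{`, `}` or `|` is dropped without a signal, so a mistyped or over-broad value looks accepted while changing nothing. An `else` branch that logs the ignored character at start-up would make that visible, using whatever logger the class already has (none is visible in this hunk). The systemprops.xml text describes the value only as "characters the server should allow" and should state that just these three are honoured. Because the value is read once in the static initialiser it applies JVM-wide; a comment such as `// Read once at class load; applies to every connector in this JVM` above the `System.getProperty` call would record that, and deployments behind a proxy should confirm that the proxy and Tomcat treat these characters the same way. The static block starts and ends outside the hunk.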
>@@ -112,7 +123,9 @@
> if (IS_CONTROL[i] || i > 127 ||
> i == ' ' || i == '\"' || i == '#' || i == '<' || i == '>' || i == '\\' ||
> i == '^' || i == '`' || i == '{' || i == '|' || i == '}') {
>- IS_NOT_REQUEST_TARGET[i] = true;
>+ if (!IS_IN_WHITELIST[i]) {
>+ IS_NOT_REQUEST_TARGET[i] = true;
>+ }
> }
>
> // Not valid for HTTP protocol
>Index: webapps/docs/config/systemprops.xml
>===================================================================
>--- webapps/docs/config/systemprops.xml (revision 1780600)
>+++ webapps/docs/config/systemprops.xml (working copy)
>@@ -708,6 +708,12 @@
> <p>If not specified, the default value of <code>3</code> will be used.</p>
> </property>
>
>+ <property name="tomcat.util.http.parser.HttpParser.whitelist">
>+ <p>A string comprised of characters the server should allow even when they are not encoded.
>+ These characters would normally result in a 400 status.</p>
>+ <p>If not specified, the default value of <code>null</code> will be used.</p>
>+ </property>
>+
> </properties>
>
> </section>
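Review bot: The nested `if (!IS_IN_WHITELIST[i])` added in the `@@ -112,7 +123,9 @@` hunk of HttpParser.java carries no comment saying that it deliberately relaxes the request-target rule the surrounding condition encodes. I would add `// Opt-in via tomcat.util.http.parser.HttpParser.whitelist: leave these characters valid when unencoded` directly above it, so a later reader does not mistake the exemption for a bug and knows which setting controls it. The enclosing loop and the block's opening comment lie outside the hunk, so presumably that comment still describes only the strict rule and would need the same mention.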