Lines 23-28
|
23 |
import java.util.Locale; |
23 |
import java.util.Locale; |
24 |
import java.util.Map; |
24 |
import java.util.Map; |
25 |
|
25 |
|
|
|
26 |
import org.apache.juli.logging.Log; |
27 |
import org.apache.juli.logging.LogFactory; |
28 |
|
26 |
/** |
29 |
/** |
27 |
* HTTP header value parser implementation. Parsing HTTP headers as per RFC2616 |
30 |
* HTTP header value parser implementation. Parsing HTTP headers as per RFC2616 |
28 |
* is not always as simple as it first appears. For headers that only use tokens |
31 |
* is not always as simple as it first appears. For headers that only use tokens |
Lines 43-48
|
43 |
*/ |
46 |
*/ |
44 |
public class HttpParser { |
47 |
public class HttpParser { |
45 |
|
48 |
|
|
|
49 |
private static final Log log = LogFactory.getLog(HttpParser.class); |
50 |
|
46 |
@SuppressWarnings("unused") // Unused due to buggy client implementations |
51 |
@SuppressWarnings("unused") // Unused due to buggy client implementations |
47 |
private static final Integer FIELD_TYPE_TOKEN = Integer.valueOf(0); |
52 |
private static final Integer FIELD_TYPE_TOKEN = Integer.valueOf(0); |
48 |
private static final Integer FIELD_TYPE_QUOTED_STRING = Integer.valueOf(1); |
53 |
private static final Integer FIELD_TYPE_QUOTED_STRING = Integer.valueOf(1); |
Lines 61-66
|
61 |
private static final boolean[] IS_HEX = new boolean[ARRAY_SIZE]; |
66 |
private static final boolean[] IS_HEX = new boolean[ARRAY_SIZE]; |
62 |
private static final boolean[] IS_NOT_REQUEST_TARGET = new boolean[ARRAY_SIZE]; |
67 |
private static final boolean[] IS_NOT_REQUEST_TARGET = new boolean[ARRAY_SIZE]; |
63 |
private static final boolean[] IS_HTTP_PROTOCOL = new boolean[ARRAY_SIZE]; |
68 |
private static final boolean[] IS_HTTP_PROTOCOL = new boolean[ARRAY_SIZE]; |
|
|
69 |
private static final boolean[] REQUEST_TARGET_ALLOW = new boolean[ARRAY_SIZE]; |
64 |
|
70 |
|
65 |
static { |
71 |
static { |
66 |
// Digest field types. |
72 |
// Digest field types. |
Lines 82-87
|
82 |
// RFC2617 says nc is 8LHEX. <">8LHEX<"> will also be accepted |
88 |
// RFC2617 says nc is 8LHEX. <">8LHEX<"> will also be accepted |
83 |
fieldTypes.put("nc", FIELD_TYPE_LHEX); |
89 |
fieldTypes.put("nc", FIELD_TYPE_LHEX); |
84 |
|
90 |
|
|
|
91 |
String prop = System.getProperty("tomcat.util.http.parser.HttpParser.requestTargetAllow"); |
92 |
if (prop != null) { |
93 |
for (int i = 0; i < prop.length(); i++) { |
94 |
char c = prop.charAt(i); |
95 |
if (c == '{' || c == '}' || c == '|') { |
96 |
REQUEST_TARGET_ALLOW[c] = true; |
97 |
} else { |
98 |
log.warn("HttpParser: Character '" + c + "' is not allowed and will continue " |
99 |
+ "being rejected."); |
100 |
} |
101 |
} |
102 |
} |
103 |
|
85 |
for (int i = 0; i < ARRAY_SIZE; i++) { |
104 |
for (int i = 0; i < ARRAY_SIZE; i++) { |
86 |
// Control> 0-31, 127 |
105 |
// Control> 0-31, 127 |
87 |
if (i < 32 || i == 127) { |
106 |
if (i < 32 || i == 127) { |
Lines 112-118
|
112 |
if (IS_CONTROL[i] || i > 127 || |
131 |
if (IS_CONTROL[i] || i > 127 || |
113 |
i == ' ' || i == '\"' || i == '#' || i == '<' || i == '>' || i == '\\' || |
132 |
i == ' ' || i == '\"' || i == '#' || i == '<' || i == '>' || i == '\\' || |
114 |
i == '^' || i == '`' || i == '{' || i == '|' || i == '}') { |
133 |
i == '^' || i == '`' || i == '{' || i == '|' || i == '}') { |
115 |
IS_NOT_REQUEST_TARGET[i] = true; |
134 |
if (!REQUEST_TARGET_ALLOW[i]) { |
|
|
135 |
IS_NOT_REQUEST_TARGET[i] = true; |
136 |
} |
116 |
} |
137 |
} |
117 |
|
138 |
|
118 |
// Not valid for HTTP protocol |
139 |
// Not valid for HTTP protocol |
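Review bot: The block at new lines 91-102 loosens request-target validation from a system property, but nothing in the code records that this is a security-relevant switch: it is read once in the static initializer, so it applies to every user of `HttpParser` loaded by that class loader and has no effect if set after class load. I would add a comment above the `System.getProperty` call, e.g. `// Security: re-allows unencoded '{', '}' and '|' in the request target; read once at class load, applies to all requests parsed by this class.` The warning at new lines 98-99 also does not name the property and prints the rejected character raw, which is hard to read when it is a control or non-printable character; something like `log.warn("HttpParser: requestTargetAllow character 0x" + Integer.toHexString(c) + " is not allowed and will continue being rejected.");` would be easier to act on. The static initializer starts and ends outside the visible hunks.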