|
Lines 23-28
Link Here
|
| 23 |
import java.util.Locale; |
23 |
import java.util.Locale; |
| 24 |
import java.util.Map; |
24 |
import java.util.Map; |
| 25 |
|
25 |
|
|
|
26 |
import org.apache.juli.logging.Log; |
| 27 |
import org.apache.juli.logging.LogFactory; |
| 28 |
|
| 26 |
/** |
29 |
/** |
| 27 |
* HTTP header value parser implementation. Parsing HTTP headers as per RFC2616 |
30 |
* HTTP header value parser implementation. Parsing HTTP headers as per RFC2616 |
| 28 |
* is not always as simple as it first appears. For headers that only use tokens |
31 |
* is not always as simple as it first appears. For headers that only use tokens |
|
Lines 43-48
Link Here
|
| 43 |
*/ |
46 |
*/ |
| 44 |
public class HttpParser { |
47 |
public class HttpParser { |
| 45 |
|
48 |
|
|
|
49 |
private static final Log log = LogFactory.getLog(HttpParser.class); |
| 50 |
|
| 46 |
@SuppressWarnings("unused") // Unused due to buggy client implementations |
51 |
@SuppressWarnings("unused") // Unused due to buggy client implementations |
| 47 |
private static final Integer FIELD_TYPE_TOKEN = Integer.valueOf(0); |
52 |
private static final Integer FIELD_TYPE_TOKEN = Integer.valueOf(0); |
| 48 |
private static final Integer FIELD_TYPE_QUOTED_STRING = Integer.valueOf(1); |
53 |
private static final Integer FIELD_TYPE_QUOTED_STRING = Integer.valueOf(1); |
|
Lines 61-66
Link Here
|
| 61 |
private static final boolean[] IS_HEX = new boolean[ARRAY_SIZE]; |
66 |
private static final boolean[] IS_HEX = new boolean[ARRAY_SIZE]; |
| 62 |
private static final boolean[] IS_NOT_REQUEST_TARGET = new boolean[ARRAY_SIZE]; |
67 |
private static final boolean[] IS_NOT_REQUEST_TARGET = new boolean[ARRAY_SIZE]; |
| 63 |
private static final boolean[] IS_HTTP_PROTOCOL = new boolean[ARRAY_SIZE]; |
68 |
private static final boolean[] IS_HTTP_PROTOCOL = new boolean[ARRAY_SIZE]; |
|
|
69 |
private static final boolean[] REQUEST_TARGET_ALLOW = new boolean[ARRAY_SIZE]; |
| 64 |
|
70 |
|
| 65 |
static { |
71 |
static { |
| 66 |
// Digest field types. |
72 |
// Digest field types. |
|
Lines 82-87
Link Here
|
| 82 |
// RFC2617 says nc is 8LHEX. <">8LHEX<"> will also be accepted |
88 |
// RFC2617 says nc is 8LHEX. <">8LHEX<"> will also be accepted |
| 83 |
fieldTypes.put("nc", FIELD_TYPE_LHEX); |
89 |
fieldTypes.put("nc", FIELD_TYPE_LHEX); |
| 84 |
|
90 |
|
|
|
91 |
String prop = System.getProperty("tomcat.util.http.parser.HttpParser.requestTargetAllow"); |
| 92 |
if (prop != null) { |
| 93 |
for (int i = 0; i < prop.length(); i++) { |
| 94 |
char c = prop.charAt(i); |
| 95 |
if (c == '{' || c == '}' || c == '|') { |
| 96 |
REQUEST_TARGET_ALLOW[c] = true; |
| 97 |
} else { |
| 98 |
log.warn("HttpParser: Character '" + c + "' is not allowed and will continue " |
| 99 |
+ "being rejected."); |
| 100 |
} |
| 101 |
} |
| 102 |
} |
| 103 |
|
| 85 |
for (int i = 0; i < ARRAY_SIZE; i++) { |
104 |
for (int i = 0; i < ARRAY_SIZE; i++) { |
| 86 |
// Control> 0-31, 127 |
105 |
// Control> 0-31, 127 |
| 87 |
if (i < 32 || i == 127) { |
106 |
if (i < 32 || i == 127) { |
|
Lines 112-118
Link Here
|
| 112 |
if (IS_CONTROL[i] || i > 127 || |
131 |
if (IS_CONTROL[i] || i > 127 || |
| 113 |
i == ' ' || i == '\"' || i == '#' || i == '<' || i == '>' || i == '\\' || |
132 |
i == ' ' || i == '\"' || i == '#' || i == '<' || i == '>' || i == '\\' || |
| 114 |
i == '^' || i == '`' || i == '{' || i == '|' || i == '}') { |
133 |
i == '^' || i == '`' || i == '{' || i == '|' || i == '}') { |
| 115 |
IS_NOT_REQUEST_TARGET[i] = true; |
134 |
if (!REQUEST_TARGET_ALLOW[i]) { |
|
|
135 |
IS_NOT_REQUEST_TARGET[i] = true; |
| 136 |
} |
| 116 |
} |
137 |
} |
| 117 |
|
138 |
|
| 118 |
// Not valid for HTTP protocol |
139 |
// Not valid for HTTP protocol |