Summary: pattern verification broken
Product: Tomcat 5
Component: Catalina
Reporter: Marius Scurtescu <marius.scurtescu>
Assignee: Tomcat Developers Mailing List <dev>
Patch to SecurityCollection.java to fix the Suspicious warning messages
Modified patch to SecurityCollection w/ better link
Patch: fixed possible indexOutOfBounds Exception for url-patterns which are just '*'
Description Marius Scurtescu 2007-08-09 15:12:32 UTC
The addPattern method of SecurityCollection looks for suspicious URL patterns and reports them as warnings if in debug mode. The second if, the one checking for the second-to-last '/', is broken. Instead of:

    if (pattern.charAt(pattern.length()-1) != '/')

it probably should be:

    if (pattern.charAt(pattern.length()-2) != '/')

The code makes reference to bug 34805, which is where this code was originally proposed as a patch to RealmBase. This issue was reported there in comment #4 (and approved).
Comment 1 John Kew 2007-08-10 14:33:48 UTC
Created attachment 20640: Patch to SecurityCollection.java to fix the Suspicious warning messages

I tested this on tc5.5x without it and there were a decent number of errant warnings for any '/*' patterns. This patch removed them.
Comment 2 Marius Scurtescu 2007-08-10 14:43:46 UTC
Also, if possible, in the log message you may want to point to the servlet 2.4 documentation, since this is what tomcat 5.5 supports. Currently it is pointing to a servlet 2.3 pdf document.
Comment 3 John Kew 2007-09-13 10:55:30 UTC
Comment on attachment 20640: Patch to SecurityCollection.java to fix the Suspicious warning messages

old patch
Comment 4 John Kew 2007-09-13 10:59:14 UTC
Created attachment 20820: Modified patch to SecurityCollection w/ better link

Added a slightly better link to the documentation. Referenced this bug.
Comment 5 John Kew 2007-09-13 12:53:45 UTC
Created attachment 20821: Patch: fixed possible indexOutOfBounds Exception for url-patterns which are just '*'

Found a bug in the original patch. It didn't check if the length was < 2. This is a bad url, so we also print the error under these conditions.
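As an added illustration of the check discussed in the description (the second-to-last '/' test) and in Comment 5 (the missing length guard), the following is example code written for this page, not Tomcat's own SecurityCollection.addPattern; the class name, method names and sample patterns are assumptions. It puts the off-by-one version, the first patch without the guard, and the corrected version side by side and runs all three over a few constructed url-patterns. The security point behind the warning is the Servlet mapping rule: only a pattern that starts with '/' and ends with "/*" is a path prefix, "*.ext" is an extension mapping, and everything else is an exact match, so a security-constraint on "/admin*" protects only the literal URL "/admin*" and leaves "/admin/users" open.

```java
// Added example, not Tomcat's code: the "suspicious url-pattern" test from
// this bug, reimplemented so the broken, intermediate and fixed versions can
// be run side by side. Class and method names are made up for this page.
public class SuspiciousPatternCheck {

    // Original check: inspects the last character, which for any pattern
    // ending in '*' is the '*' itself, so the warning fires for every "/*".
    static boolean warnsBroken(String pattern) {
        if (pattern.endsWith("*")) {
            // bug: length()-1 is the '*' we already know is there
            if (pattern.charAt(pattern.length() - 1) != '/') {
                return true;
            }
        }
        return false;
    }

    // First patch: looks at the right character, but length()-2 on a bare
    // "*" is index -1 and throws StringIndexOutOfBoundsException.
    static boolean warnsFirstPatch(String pattern) {
        if (pattern.endsWith("*")) {
            if (pattern.charAt(pattern.length() - 2) != '/') {
                return true;
            }
        }
        return false;
    }

    // Corrected check: guard the length first, then look before the '*'.
    static boolean warnsFixed(String pattern) {
        if (pattern.endsWith("*")) {
            if (pattern.length() < 2) {
                return true; // "*" alone is not a valid url-pattern
            }
            if (pattern.charAt(pattern.length() - 2) != '/') {
                return true; // e.g. "/admin*": exact match, not a prefix
            }
        }
        return false;
    }

    // Constructed sample patterns (assumptions, not taken from a real web.xml).
    static final String[] SAMPLES = {
        "/*", "/admin/*", "/admin*", "*", "*.jsp", "/login.jsp"
    };

    public static void main(String[] args) {
        for (String p : SAMPLES) {
            String firstPatch;
            try {
                firstPatch = String.valueOf(warnsFirstPatch(p));
            } catch (StringIndexOutOfBoundsException e) {
                firstPatch = e.getClass().getSimpleName();
            }
            System.out.println(String.format(
                "%-12s broken=%-5s firstPatch=%-33s fixed=%s",
                p, warnsBroken(p), firstPatch, warnsFixed(p)));
        }
    }
}
```

Compile and run with javac/java. Only "/admin*" and the bare "*" should be flagged by the fixed version; "/*" and "/admin/*" are flagged by the original check for no reason, and the bare "*" is where the unguarded first patch throws instead of warning.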
Comment 6 Mark Thomas 2008-05-04 03:43:20 UTC
Thanks for the patch. This has been fixed in trunk and proposed for 6.0.x and 5.5.x
Comment 7 Mark Thomas 2008-05-15 12:57:13 UTC
This has been fixed in 6.0.x and will be included in 6.0.17 onwards.
Comment 8 Mark Thomas 2008-07-30 13:38:53 UTC
This has been fixed in 5.5.x and will be included in 5.5.27 onwards.