JBossWeb SVN: r319 - branches/2.0.x/src/share/classes/org/apache/catalina/servlets.
by jbossweb-commits@lists.jboss.org
Author: remy.maucherat(a)jboss.com
Date: 2007-10-21 08:51:27 -0400 (Sun, 21 Oct 2007)
New Revision: 319
Modified:
branches/2.0.x/src/share/classes/org/apache/catalina/servlets/WebdavServlet.java
Log:
- Also add a dummy entity resolver (some XML parsers do not
respect the expand flag).
Modified: branches/2.0.x/src/share/classes/org/apache/catalina/servlets/WebdavServlet.java
===================================================================
--- branches/2.0.x/src/share/classes/org/apache/catalina/servlets/WebdavServlet.java 2007-10-21 12:36:05 UTC (rev 318)
+++ branches/2.0.x/src/share/classes/org/apache/catalina/servlets/WebdavServlet.java 2007-10-21 12:51:27 UTC (rev 319)
@@ -20,6 +20,7 @@
import java.io.IOException;
+import java.io.StringReader;
import java.io.StringWriter;
import java.io.Writer;
import java.security.MessageDigest;
@@ -56,6 +57,7 @@
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
+import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
@@ -244,6 +246,13 @@
documentBuilderFactory.setNamespaceAware(true);
documentBuilderFactory.setExpandEntityReferences(false);
documentBuilder = documentBuilderFactory.newDocumentBuilder();
+ documentBuilder.setEntityResolver
+ (new EntityResolver() {
+ public InputSource resolveEntity(String publicId, String systemId)
+ throws SAXException, IOException {
+ return new InputSource(new StringReader(""));
+ }
+ });
} catch(ParserConfigurationException e) {
throw new ServletException
(sm.getString("webdavservlet.jaxpfailed"));
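Review bot: The resolver set at `documentBuilder.setEntityResolver` only blanks entities the parser routes through resolveEntity; it does nothing about a DOCTYPE whose internal entities expand recursively, and `setExpandEntityReferences(false)` is the flag the log message itself says some parsers ignore. A WebDAV request body never needs a DTD, so the reliable setting is to refuse the DOCTYPE at the factory, `documentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` before `newDocumentBuilder()` (it throws ParserConfigurationException, already caught here), keeping the resolver as a fallback for parsers without that feature. The anonymous class also deserves a one-line comment stating the intent, e.g. `// Never fetch external entities: substitute an empty document`. The same applies to the resolver copies in r318 and r316 further down this page; the enclosing method starts before the hunk.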
JBossWeb SVN: r318 - trunk/java/org/apache/catalina/servlets.
by jbossweb-commits@lists.jboss.org
Author: remy.maucherat(a)jboss.com
Date: 2007-10-21 08:36:05 -0400 (Sun, 21 Oct 2007)
New Revision: 318
Modified:
trunk/java/org/apache/catalina/servlets/LocalStrings.properties
trunk/java/org/apache/catalina/servlets/WebdavServlet.java
Log:
- Replace entity with blank text.
Modified: trunk/java/org/apache/catalina/servlets/LocalStrings.properties
===================================================================
--- trunk/java/org/apache/catalina/servlets/LocalStrings.properties 2007-10-20 23:36:09 UTC (rev 317)
+++ trunk/java/org/apache/catalina/servlets/LocalStrings.properties 2007-10-21 12:36:05 UTC (rev 318)
@@ -10,7 +10,6 @@
invokerServlet.notNamed=Cannot call invoker servlet with a named dispatcher
invokerServlet.noWrapper=Container has not called setWrapper() for this servlet
webdavservlet.jaxpfailed=JAXP initialization failed
-webdavservlet.noentities=Entities are not allowed
directory.filename=Filename
directory.lastModified=Last Modified
directory.parent=Up To {0}
Modified: trunk/java/org/apache/catalina/servlets/WebdavServlet.java
===================================================================
--- trunk/java/org/apache/catalina/servlets/WebdavServlet.java 2007-10-20 23:36:09 UTC (rev 317)
+++ trunk/java/org/apache/catalina/servlets/WebdavServlet.java 2007-10-21 12:36:05 UTC (rev 318)
@@ -20,6 +20,7 @@
import java.io.IOException;
+import java.io.StringReader;
import java.io.StringWriter;
import java.io.Writer;
import java.security.MessageDigest;
@@ -250,7 +251,7 @@
(new EntityResolver() {
public InputSource resolveEntity(String publicId, String systemId)
throws SAXException, IOException {
- throw new IllegalStateException(sm.getString("webdavservlet.noentities"));
+ return new InputSource(new StringReader(""));
}
});
} catch(ParserConfigurationException e) {
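Review bot: Returning `new InputSource(new StringReader(""))` makes a request whose body references an external entity parse as if the reference were empty, and with the IllegalStateException gone there is no longer any signal that the input was altered. If such documents are meant to be refused, `throw new SAXException(sm.getString("webdavservlet.noentities"));` stays within the declared `throws SAXException, IOException` contract and surfaces as a parse error instead of an unchecked exception; if they are meant to be accepted, the substitution should at least be recorded through the servlet's logging (not visible in this hunk) so the behaviour is traceable. The enclosing method starts before the hunk.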
JBossWeb SVN: r317 - in trunk: webapps/docs and 1 other directory.
by jbossweb-commits@lists.jboss.org
Author: remy.maucherat(a)jboss.com
Date: 2007-10-20 19:36:09 -0400 (Sat, 20 Oct 2007)
New Revision: 317
Modified:
trunk/java/org/apache/tomcat/util/http/Cookies.java
trunk/java/org/apache/tomcat/util/http/ServerCookie.java
trunk/webapps/docs/changelog.xml
Log:
- Port cookie escaping improvements (just in case ...).
Modified: trunk/java/org/apache/tomcat/util/http/Cookies.java
===================================================================
--- trunk/java/org/apache/tomcat/util/http/Cookies.java 2007-10-20 00:50:54 UTC (rev 316)
+++ trunk/java/org/apache/tomcat/util/http/Cookies.java 2007-10-20 23:36:09 UTC (rev 317)
@@ -35,6 +35,9 @@
*/
public final class Cookies { // extends MultiMap {
+ private static org.jboss.logging.Logger log=
+ org.jboss.logging.Logger.getLogger(Cookies.class );
+
// expected average number of cookies per request
public static final int INITIAL_SIZE=4;
ServerCookie scookies[]=new ServerCookie[INITIAL_SIZE];
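Review bot: The new field `private static org.jboss.logging.Logger log=` is not `final`, and the logger type is spelled fully qualified twice rather than imported; `private static final Logger log = Logger.getLogger(Cookies.class);` with an import of `org.jboss.logging.Logger` is the conventional form. The enclosing class continues outside the hunk.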
@@ -187,11 +190,13 @@
// Uncomment to test the new parsing code
if( cookieValue.getType() == MessageBytes.T_BYTES ) {
+ if( dbg>0 ) log( "Parsing b[]: " + cookieValue.toString());
ByteChunk bc=cookieValue.getByteChunk();
processCookieHeader( bc.getBytes(),
bc.getOffset(),
bc.getLength());
} else {
+ if( dbg>0 ) log( "Parsing S: " + cookieValue.toString());
processCookieHeader( cookieValue.toString() );
}
pos++;// search from the next position
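Review bot: Both added trace lines, `log( "Parsing b[]: " + cookieValue.toString())` and the `"Parsing S: "` one, write the complete Cookie header to the log; that header carries session identifiers and any credential cookies, so anyone who raises `dbg` above 0 puts secrets into log files. The same holds for `"Parsing cookie header " + cookieString` in the next hunk and `"Add cookie " + name + "=" + value` in the one after it. Log only the cookie name or the byte count, never the value, e.g. `log("Add cookie " + name)`. Because `dbg` is a compile-time constant 0 these calls are currently dead code, which hides the problem rather than removing it; the enclosing method starts and ends outside the hunk.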
@@ -219,7 +224,7 @@
private void processCookieHeader( String cookieString )
{
-
+ if( dbg>0 ) log( "Parsing cookie header " + cookieString );
// normal cookie, with a string value.
// This is the original code, un-optimized - it shouldn't
// happen in normal case
@@ -243,7 +248,7 @@
cookie.getName().setString(name);
cookie.getValue().setString(value);
-
+ if( dbg > 0 ) log( "Add cookie " + name + "=" + value);
} else {
// we have a bad cookie.... just let it go
}
@@ -274,6 +279,14 @@
}
+ // log
+ static final int dbg=0;
+ public void log(String s ) {
+ if (log.isDebugEnabled())
+ log.debug("Cookies: " + s);
+ }
+
+
/**
* Returns true if the byte is a separator character as
* defined in RFC2619. Since this is called often, this
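Review bot: `public void log(String s )` exposes an internal debug helper on the public API of a final class; it reads only the static logger, so `private static void log(String s)` is enough and avoids committing to the method for callers. `static final int dbg=0;` is used purely as a switch, so a `boolean` (and a comment saying it is a compile-time constant that disables the guarded trace lines) would state the intent better. The enclosing class continues outside the hunk.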
@@ -332,9 +345,11 @@
int version = 0;
ServerCookie sc=null;
boolean isSpecial;
+ boolean isQuoted;
while (pos < end) {
isSpecial = false;
+ isQuoted = false;
// Skip whitespace and non-token characters (separators)
while (pos < end &&
@@ -376,6 +391,7 @@
// token, name-only with an '=', or other (bad)
switch (bytes[pos]) {
case '"':; // Quoted Value
+ isQuoted = true;
valueStart=pos + 1; // strip "
// getQuotedValue returns the position before
// at the last qoute. This must be dealt with
@@ -410,6 +426,7 @@
// INVALID COOKIE, advance to next delimiter
// The starting character of the cookie value was
// not valid.
+ log("Invalid cookie. Value not a token or quoted value");
while (pos < end && bytes[pos] != ';' &&
bytes[pos] != ',')
{pos++; };
@@ -507,7 +524,8 @@
continue;
}
- // Unknown cookie
+ // Unknown cookie, complain
+ log("Unknown Special Cookie");
} else { // Normal Cookie
sc = addCookie();
@@ -517,7 +535,12 @@
if (valueStart != -1) { // Normal AVPair
sc.getValue().setBytes( bytes, valueStart,
- valueEnd-valueStart);
+ valueEnd-valueStart);
+ if (isQuoted) {
+ // We know this is a byte value so this is safe
+ ServerCookie.unescapeDoubleQuotes(
+ sc.getValue().getByteChunk());
+ }
} else {
// Name Only
sc.getValue().setString("");
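Review bot: `ServerCookie.unescapeDoubleQuotes(sc.getValue().getByteChunk())` rewrites the chunk's bytes in place, and the chunk was just pointed at `bytes` via `setBytes`; if `setBytes` shares the array rather than copying (the surrounding parser works on the header's own buffer, so this looks likely), the raw Cookie header is altered and any later reader of the original header bytes sees shifted content. The comment `// We know this is a byte value so this is safe` should state what is actually relied on, e.g. `// In-place unescape is safe here: output never exceeds input length and the header bytes are not read again`, or the value should be copied before unescaping if that assumption does not hold. The enclosing method starts and ends outside the hunk.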
Modified: trunk/java/org/apache/tomcat/util/http/ServerCookie.java
===================================================================
--- trunk/java/org/apache/tomcat/util/http/ServerCookie.java 2007-10-20 00:50:54 UTC (rev 316)
+++ trunk/java/org/apache/tomcat/util/http/ServerCookie.java 2007-10-20 23:36:09 UTC (rev 317)
@@ -21,13 +21,14 @@
import java.text.FieldPosition;
import java.util.Date;
+import org.apache.tomcat.util.buf.ByteChunk;
import org.apache.tomcat.util.buf.DateTool;
import org.apache.tomcat.util.buf.MessageBytes;
/**
* Server-side cookie representation.
- * Allows recycling and uses MessageBytes as low-level
+ * Allows recycling and uses MessageBytes as low-level
* representation ( and thus the byte-> char conversion can be delayed
* until we know the charset ).
*
@@ -39,253 +40,265 @@
private static org.jboss.logging.Logger log=
org.jboss.logging.Logger.getLogger(ServerCookie.class );
-
+
+ // Version 0 (Netscape) attributes
private MessageBytes name=MessageBytes.newInstance();
private MessageBytes value=MessageBytes.newInstance();
+ // Expires - Not stored explicitly. Generated from Max-Age (see V1)
+ private MessageBytes path=MessageBytes.newInstance();
+ private MessageBytes domain=MessageBytes.newInstance();
+ private boolean secure;
+
+ // Version 1 (RFC2109) attributes
+ private MessageBytes comment=MessageBytes.newInstance();
+ private int maxAge = -1;
+ private int version = 0;
- private MessageBytes comment=MessageBytes.newInstance(); // ;Comment=VALUE
- private MessageBytes domain=MessageBytes.newInstance(); // ;Domain=VALUE ...
+ // Note: Servlet Spec =< 2.5 only refers to Netscape and RFC2109,
+ // not RFC2965
- private int maxAge = -1; // ;Max-Age=VALUE
- // ;Discard ... implied by maxAge < 0
- // RFC2109: maxAge=0 will end a session
- private MessageBytes path=MessageBytes.newInstance(); // ;Path=VALUE .
- private boolean secure; // ;Secure
- private int version = 0; // ;Version=1
+ // Version 1 (RFC2965) attributes
+ // TODO Add support for CommentURL
+ // Discard - implied by maxAge <0
+ // TODO Add support for Port
- //XXX CommentURL, Port -> use notes ?
-
public ServerCookie() {
-
}
public void recycle() {
path.recycle();
- name.recycle();
- value.recycle();
- comment.recycle();
- maxAge=-1;
- path.recycle();
+ name.recycle();
+ value.recycle();
+ comment.recycle();
+ maxAge=-1;
+ path.recycle();
domain.recycle();
- version=0;
- secure=false;
+ version=0;
+ secure=false;
}
public MessageBytes getComment() {
- return comment;
+ return comment;
}
public MessageBytes getDomain() {
- return domain;
+ return domain;
}
public void setMaxAge(int expiry) {
- maxAge = expiry;
+ maxAge = expiry;
}
public int getMaxAge() {
- return maxAge;
+ return maxAge;
}
-
public MessageBytes getPath() {
- return path;
+ return path;
}
public void setSecure(boolean flag) {
- secure = flag;
+ secure = flag;
}
public boolean getSecure() {
- return secure;
+ return secure;
}
public MessageBytes getName() {
- return name;
+ return name;
}
public MessageBytes getValue() {
- return value;
+ return value;
}
public int getVersion() {
- return version;
+ return version;
}
-
public void setVersion(int v) {
- version = v;
+ version = v;
}
// -------------------- utils --------------------
+ public static void log(String s ) {
+ if (log.isDebugEnabled())
+ log.debug("ServerCookie: " + s);
+ }
+
public String toString() {
- return "Cookie " + getName() + "=" + getValue() + " ; "
- + getVersion() + " " + getPath() + " " + getDomain();
+ return "Cookie " + getName() + "=" + getValue() + " ; "
+ + getVersion() + " " + getPath() + " " + getDomain();
}
- // Note -- disabled for now to allow full Netscape compatibility
- // from RFC 2068, token special case characters
- //
- // private static final String tspecials = "()<>@,;:\\\"/[]?={} \t";
private static final String tspecials = ",; ";
- private static final String tspecials2 = ",; \"";
+ private static final String tspecials2 = "()<>@,;:\\\"/[]?={} \t";
/*
* Tests a string and returns true if the string counts as a
* reserved token in the Java language.
*
- * @param value the <code>String</code> to be tested
+ * @param value the <code>String</code> to be tested
*
- * @return <code>true</code> if the <code>String</code> is
- * a reserved token; <code>false</code>
- * if it is not
+ * @return <code>true</code> if the <code>String</code> is a reserved
+ * token; <code>false</code> if it is not
*/
public static boolean isToken(String value) {
- if( value==null) return true;
- int len = value.length();
+ if( value==null) return true;
+ int len = value.length();
- for (int i = 0; i < len; i++) {
- char c = value.charAt(i);
+ for (int i = 0; i < len; i++) {
+ char c = value.charAt(i);
- if (c < 0x20 || c >= 0x7f || tspecials.indexOf(c) != -1)
- return false;
- }
- return true;
+ if (c < 0x20 || c >= 0x7f || tspecials.indexOf(c) != -1)
+ return false;
+ }
+ return true;
}
public static boolean isToken2(String value) {
- if( value==null) return true;
- int len = value.length();
+ if( value==null) return true;
+ int len = value.length();
- for (int i = 0; i < len; i++) {
- char c = value.charAt(i);
+ for (int i = 0; i < len; i++) {
+ char c = value.charAt(i);
- if (c < 0x20 || c >= 0x7f || tspecials2.indexOf(c) != -1)
- return false;
- }
- return true;
+ if (c < 0x20 || c >= 0x7f || tspecials2.indexOf(c) != -1)
+ return false;
+ }
+ return true;
}
+ /**
+ * @deprecated - Not used
+ */
public static boolean checkName( String name ) {
- if (!isToken(name)
- || name.equalsIgnoreCase("Comment") // rfc2019
- || name.equalsIgnoreCase("Discard") // 2019++
- || name.equalsIgnoreCase("Domain")
- || name.equalsIgnoreCase("Expires") // (old cookies)
- || name.equalsIgnoreCase("Max-Age") // rfc2019
- || name.equalsIgnoreCase("Path")
- || name.equalsIgnoreCase("Secure")
- || name.equalsIgnoreCase("Version")
- ) {
- return false;
- }
- return true;
+ if (!isToken(name)
+ || name.equalsIgnoreCase("Comment") // rfc2019
+ || name.equalsIgnoreCase("Discard") // rfc2965
+ || name.equalsIgnoreCase("Domain") // rfc2019
+ || name.equalsIgnoreCase("Expires") // Netscape
+ || name.equalsIgnoreCase("Max-Age") // rfc2019
+ || name.equalsIgnoreCase("Path") // rfc2019
+ || name.equalsIgnoreCase("Secure") // rfc2019
+ || name.equalsIgnoreCase("Version") // rfc2019
+ // TODO remaining RFC2965 attributes
+ ) {
+ return false;
+ }
+ return true;
}
// -------------------- Cookie parsing tools
- /** Return the header name to set the cookie, based on cookie
- * version
+ /**
+ * Return the header name to set the cookie, based on cookie version.
*/
public String getCookieHeaderName() {
- return getCookieHeaderName(version);
+ return getCookieHeaderName(version);
}
- /** Return the header name to set the cookie, based on cookie
- * version
+ /**
+ * Return the header name to set the cookie, based on cookie version.
*/
public static String getCookieHeaderName(int version) {
- if( dbg>0 ) log( (version==1) ? "Set-Cookie2" : "Set-Cookie");
+ // TODO Re-enable logging when RFC2965 is implemented
+ // log( (version==1) ? "Set-Cookie2" : "Set-Cookie");
if (version == 1) {
- // RFC2109
- return "Set-Cookie";
- // XXX RFC2965 is not standard yet, and Set-Cookie2
- // is not supported by Netscape 4, 6, IE 3, 5 .
- // It is supported by Lynx, and there is hope
- // return "Set-Cookie2";
+ // XXX RFC2965 not referenced in Servlet Spec
+ // Set-Cookie2 is not supported by Netscape 4, 6, IE 3, 5
+ // Set-Cookie2 is supported by Lynx and Opera
+ // Need to check on later IE and FF releases but for now...
+ // RFC2109
+ return "Set-Cookie";
+ // return "Set-Cookie2";
} else {
- // Old Netscape
- return "Set-Cookie";
+ // Old Netscape
+ return "Set-Cookie";
}
}
- private static final String ancientDate=DateTool.formatOldCookie(new Date(10000));
+ private static final String ancientDate =
+ DateTool.formatOldCookie(new Date(10000));
+ // TODO RFC2965 fields also need to be passed
public static void appendCookieValue( StringBuffer buf,
- int version,
- String name,
- String value,
- String path,
- String domain,
- String comment,
- int maxAge,
- boolean isSecure )
+ int version,
+ String name,
+ String value,
+ String path,
+ String domain,
+ String comment,
+ int maxAge,
+ boolean isSecure )
{
- // this part is the same for all cookies
- buf.append( name );
+ // Servlet implementation checks name
+ buf.append( name );
buf.append("=");
+ // Servlet implementation does not check anything else
+
maybeQuote2(version, buf, value);
- // XXX Netscape cookie: "; "
- // add version 1 specific information
- if (version == 1) {
- // Version=1 ... required
- buf.append ("; Version=1");
+ // Add version 1 specific information
+ if (version == 1) {
+ // Version=1 ... required
+ buf.append ("; Version=1");
- // Comment=comment
- if ( comment!=null ) {
- buf.append ("; Comment=");
- maybeQuote (version, buf, comment);
- }
- }
-
- // add domain information, if present
+ // Comment=comment
+ if ( comment!=null ) {
+ buf.append ("; Comment=");
+ maybeQuote2(version, buf, comment);
+ }
+ }
+
+ // Add domain information, if present
+ if (domain!=null) {
+ buf.append("; Domain=");
+ maybeQuote2(version, buf, domain);
+ }
- if (domain!=null) {
- buf.append("; Domain=");
- maybeQuote (version, buf, domain);
- }
-
- // Max-Age=secs/Discard ... or use old "Expires" format
- if (maxAge >= 0) {
- if (version == 0) {
- // XXX XXX XXX We need to send both, for
- // interoperatibility (long word )
- buf.append ("; Expires=");
- // Wdy, DD-Mon-YY HH:MM:SS GMT ( Expires netscape format )
- // To expire we need to set the time back in future
- // ( pfrieden(a)dChain.com )
+ // Max-Age=secs ... or use old "Expires" format
+ // TODO RFC2965 Discard
+ if (maxAge >= 0) {
+ if (version == 0) {
+ // Wdy, DD-Mon-YY HH:MM:SS GMT ( Expires Netscape format )
+ buf.append ("; Expires=");
+ // To expire immediately we need to set the time in past
if (maxAge == 0)
- buf.append( ancientDate );
- else
+ buf.append( ancientDate );
+ else
DateTool.formatOldCookie
(new Date( System.currentTimeMillis() +
maxAge *1000L), buf,
new FieldPosition(0));
- } else {
- buf.append ("; Max-Age=");
- buf.append (maxAge);
- }
- }
+ } else {
+ buf.append ("; Max-Age=");
+ buf.append (maxAge);
+ }
+ }
- // Path=path
- if (path!=null) {
- buf.append ("; Path=");
- maybeQuote (version, buf, path);
- }
+ // Path=path
+ if (path!=null) {
+ buf.append ("; Path=");
+ maybeQuote2(version, buf, path);
+ }
- // Secure
- if (isSecure) {
- buf.append ("; Secure");
- }
-
-
+ // Secure
+ if (isSecure) {
+ buf.append ("; Secure");
+ }
+
+
}
+ /**
+ * @deprecated - Not used
+ */
public static void maybeQuote (int version, StringBuffer buf,
String value) {
// special case - a \n or \r shouldn't happen in any case
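Review bot: In `appendCookieValue`, the new comment `// Servlet implementation checks name` together with deprecating `checkName` as "Not used" means nothing on this path verifies the name before `buf.append( name )`; a name containing `;`, `=` or CR/LF would go straight into the Set-Cookie header, so this class now depends entirely on every caller having validated it. Either keep a guard here, `if (!isToken(name)) throw new IllegalArgumentException("Invalid cookie name: " + name);`, or state the caller's obligation in a Javadoc for `appendCookieValue`, which currently has none; that Javadoc should also list the parameters, note that `version` 0 selects the Netscape form and 1 the RFC 2109 form, and that the result is appended to `buf`. The hunk ends inside `maybeQuote`, which continues after it.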
@@ -297,10 +310,17 @@
buf.append('"');
}
}
+
+ /**
+ * Quotes values using rules that vary depending on Cookie version.
+ * @param version
+ * @param buf
+ * @param value
+ */
public static void maybeQuote2 (int version, StringBuffer buf,
String value) {
// special case - a \n or \r shouldn't happen in any case
- if (isToken2(value)) {
+ if (version == 0 && isToken(value) || version == 1 && isToken2(value)) {
buf.append(value);
} else {
buf.append('"');
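Review bot: `if (version == 0 && isToken(value) || version == 1 && isToken2(value))` relies on `&&` binding tighter than `||`; writing `if ((version == 0 && isToken(value)) || (version == 1 && isToken2(value))) {` reads as intended and makes visible that any other version always takes the quoted branch. The new Javadoc leaves its `@param` tags empty; fill them, e.g. `@param version 0 for Netscape cookies, 1 for RFC 2109 cookies; any other value is always quoted`. The `// special case - a \n or \r shouldn't happen in any case` comment precedes no check for those characters; the token tests reject them so the value is quoted, but whether they are then escaped inside the quotes depends on the rest of the method, which ends outside the hunk.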
@@ -309,14 +329,7 @@
}
}
- // log
- static final int dbg=1;
- public static void log(String s ) {
- if (log.isDebugEnabled())
- log.debug("ServerCookie: " + s);
- }
-
/**
* Escapes any double quotes in the given string.
*
@@ -331,18 +344,41 @@
}
StringBuffer b = new StringBuffer();
- char p = s.charAt(0);
for (int i = 0; i < s.length(); i++) {
char c = s.charAt(i);
- if (c == '"' && p != '\\')
+ if (c == '"')
b.append('\\').append('"');
else
b.append(c);
- p = c;
}
return b.toString();
}
+ /**
+ * Unescapes any double quotes in the given cookie value.
+ *
+ * @param bc The cookie value to modify
+ */
+ public static void unescapeDoubleQuotes(ByteChunk bc) {
+
+ if (bc == null || bc.getLength() == 0 || bc.indexOf('"', 0) == -1) {
+ return;
+ }
+
+ int src = bc.getStart();
+ int end = bc.getEnd();
+ int dest = src;
+ byte[] buffer = bc.getBuffer();
+
+ while (src < end) {
+ if (buffer[src] == '\\' && src < end && buffer[src+1] == '"') {
+ src++;
+ }
+ buffer[dest] = buffer[src];
+ dest ++;
+ src ++;
+ }
+ bc.setEnd(dest);
+ }
}
-
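Review bot: In `unescapeDoubleQuotes` the guard `src < end && buffer[src+1] == '"'` is always true in its first half inside `while (src < end)`, so a value whose last byte is a backslash reads `buffer[end]`, one past the chunk, and can throw ArrayIndexOutOfBoundsException when the chunk ends at the array boundary; the line should be `if (buffer[src] == '\\' && src + 1 < end && buffer[src+1] == '"') {`. The method also writes into `bc.getBuffer()` and shrinks the chunk with `bc.setEnd(dest)`, which the Javadoc should say explicitly since a caller passing a chunk that views a shared header buffer will see the original bytes altered, e.g. `@param bc The cookie value to modify in place; its buffer is rewritten and its end index reduced`.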
Modified: trunk/webapps/docs/changelog.xml
===================================================================
--- trunk/webapps/docs/changelog.xml 2007-10-20 00:50:54 UTC (rev 316)
+++ trunk/webapps/docs/changelog.xml 2007-10-20 23:36:09 UTC (rev 317)
@@ -163,6 +163,9 @@
Cookie parser refactoring, submitted by John Kew. (remm)
</update>
<fix>
+ Make cookie escaping / unescaping consistent. (markt)
+ </fix>
+ <fix>
<bug>43479</bug>: Memory leak cleaning up sendfile connections, submitted by Chris Elving. (remm)
</fix>
<fix>
JBossWeb SVN: r316 - in trunk: java/org/apache/catalina/servlets and 1 other directory.
by jbossweb-commits@lists.jboss.org
Author: remy.maucherat(a)jboss.com
Date: 2007-10-19 20:50:54 -0400 (Fri, 19 Oct 2007)
New Revision: 316
Modified:
trunk/bin/setclasspath.sh
trunk/java/org/apache/catalina/servlets/LocalStrings.properties
trunk/java/org/apache/catalina/servlets/WebdavServlet.java
Log:
- Add an entity resolver which forbids entities, just in case, until further investigation.
Modified: trunk/bin/setclasspath.sh
===================================================================
--- trunk/bin/setclasspath.sh 2007-10-18 21:01:52 UTC (rev 315)
+++ trunk/bin/setclasspath.sh 2007-10-20 00:50:54 UTC (rev 316)
@@ -14,12 +14,12 @@
if $darwin && [ -d "/System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home" ]; then
export JAVA_HOME="/System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home"
else
- if [ ! -x /usr/bin/java ]; then
+ if [ -x /usr/bin/java ]; then
+ JRE_HOME=/usr
+ else
echo "Neither the JAVA_HOME nor the JRE_HOME environment variable is defined"
echo "At least one of these environment variable is needed to run this program"
exit 1
- else
- JRE_HOME=/usr
fi
fi
fi
Modified: trunk/java/org/apache/catalina/servlets/LocalStrings.properties
===================================================================
--- trunk/java/org/apache/catalina/servlets/LocalStrings.properties 2007-10-18 21:01:52 UTC (rev 315)
+++ trunk/java/org/apache/catalina/servlets/LocalStrings.properties 2007-10-20 00:50:54 UTC (rev 316)
@@ -10,6 +10,7 @@
invokerServlet.notNamed=Cannot call invoker servlet with a named dispatcher
invokerServlet.noWrapper=Container has not called setWrapper() for this servlet
webdavservlet.jaxpfailed=JAXP initialization failed
+webdavservlet.noentities=Entities are not allowed
directory.filename=Filename
directory.lastModified=Last Modified
directory.parent=Up To {0}
Modified: trunk/java/org/apache/catalina/servlets/WebdavServlet.java
===================================================================
--- trunk/java/org/apache/catalina/servlets/WebdavServlet.java 2007-10-18 21:01:52 UTC (rev 315)
+++ trunk/java/org/apache/catalina/servlets/WebdavServlet.java 2007-10-20 00:50:54 UTC (rev 316)
@@ -57,6 +57,7 @@
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
+import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
@@ -245,6 +246,13 @@
documentBuilderFactory.setNamespaceAware(true);
documentBuilderFactory.setExpandEntityReferences(false);
documentBuilder = documentBuilderFactory.newDocumentBuilder();
+ documentBuilder.setEntityResolver
+ (new EntityResolver() {
+ public InputSource resolveEntity(String publicId, String systemId)
+ throws SAXException, IOException {
+ throw new IllegalStateException(sm.getString("webdavservlet.noentities"));
+ }
+ });
} catch(ParserConfigurationException e) {
throw new ServletException
(sm.getString("webdavservlet.jaxpfailed"));
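Review bot: `throw new IllegalStateException(sm.getString("webdavservlet.noentities"))` inside resolveEntity is an unchecked exception outside the declared `SAXException, IOException`, so whatever handling surrounds the later `parse()` call (not visible here) will not catch it and the request will fail as an internal error rather than as a malformed body. `throw new SAXException(sm.getString("webdavservlet.noentities"));` keeps the rejection explicit while staying inside the parser's error contract. A short comment on the resolver, e.g. `// Reject any external entity reference in the request body`, would record why it exists; the enclosing method starts before the hunk.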
JBossWeb SVN: r315 - trunk/webapps/docs.
by jbossweb-commits@lists.jboss.org
Author: remy.maucherat(a)jboss.com
Date: 2007-10-18 17:01:52 -0400 (Thu, 18 Oct 2007)
New Revision: 315
Modified:
trunk/webapps/docs/changelog.xml
Log:
- Changelog update.
Modified: trunk/webapps/docs/changelog.xml
===================================================================
--- trunk/webapps/docs/changelog.xml 2007-10-18 20:51:53 UTC (rev 314)
+++ trunk/webapps/docs/changelog.xml 2007-10-18 21:01:52 UTC (rev 315)
@@ -56,6 +56,9 @@
<fix>
Update session cookie handling (path always set to /) and id generation (check host's webapps for a matching id). (remm)
</fix>
+ <fix>
+ More extensible SSO. (remm)
+ </fix>
</changelog>
</subsection>
<subsection name="Coyote">
@@ -72,6 +75,13 @@
</section>
<section name="Tomcat 6.0.15 (remm)">
+ <subsection name="General">
+ <changelog>
+ <fix>
+ Use Eclipse JDT 3.3.1. (pero)
+ </fix>
+ </changelog>
+ </subsection>
<subsection name="Catalina">
<changelog>
<fix>
@@ -129,6 +139,13 @@
Patch provided by Keiichi Fujino. (pero)
</fix>
<fix>
+ <bug>41797</bug>: CNFE/NPE thrown from function mapper when externalizing
+ Patch by Tuomas Kiviaho- tuomas.kiviahos at ikis fi (funkman)
+ </fix>
+ <fix>
+ Call stopAwait in StandardServer.stop if port == -1. (pero)
+ </fix>
+ <fix>
<bug>43487</bug>: Fix request processing stats. (fhanik)
</fix>
</changelog>
@@ -159,9 +176,6 @@
<bug>37326</bug>: No error reported when an included page does not
exist. (markt)
</fix>
- <fix>
- <bug>41797</bug>: CNFE/NPE thrown from function mapper when externalizing, submitted by Tuomas Kiviaho. (funkman)
- </fix>
</changelog>
</subsection>
<subsection name="Webapps">
@@ -170,9 +184,16 @@
Fix WebDAV Servlet so it works correctly with MS clients. (markt)
</fix>
<fix>
+ Fix CVE-2007-5461, an important information disclosure vulnerability in
+ the WebDAV Servlet. (markt)
+ </fix>
+ <fix>
<bug>42979</bug>: Update sample.war to include recent security fixes
in the source code. (markt)
</fix>
+ <fix>
+ Minor connector doc fix. (jfclere)
+ </fix>
</changelog>
</subsection>
JBossWeb SVN: r314 - trunk/java/org/apache/catalina/authenticator.
by jbossweb-commits@lists.jboss.org
Author: remy.maucherat(a)jboss.com
Date: 2007-10-18 16:51:53 -0400 (Thu, 18 Oct 2007)
New Revision: 314
Modified:
trunk/java/org/apache/catalina/authenticator/SingleSignOn.java
Log:
- For future releases, better extensibility and usage of SSO.
Modified: trunk/java/org/apache/catalina/authenticator/SingleSignOn.java
===================================================================
--- trunk/java/org/apache/catalina/authenticator/SingleSignOn.java 2007-10-18 16:45:38 UTC (rev 313)
+++ trunk/java/org/apache/catalina/authenticator/SingleSignOn.java 2007-10-18 20:51:53 UTC (rev 314)
@@ -95,7 +95,7 @@
* reauthenticate each request, or if it itself can bind a UserPrincipal
* and AuthType object to the request.
*/
- private boolean requireReauthentication = false;
+ protected boolean requireReauthentication = false;
/**
* The cache of single sign on identifiers, keyed by the Session that is
@@ -119,7 +119,7 @@
/**
* Optional SSO cookie domain.
*/
- private String cookieDomain;
+ protected String cookieDomain;
// ------------------------------------------------------------- Properties
@@ -308,8 +308,6 @@
// Look up the single session id associated with this session (if any)
Session session = event.getSession();
- if (containerLog.isDebugEnabled())
- containerLog.debug("Process session destroyed on " + session);
String ssoId = null;
synchronized (reverse) {
@@ -365,19 +363,12 @@
request.removeNote(Constants.REQ_SSOID_NOTE);
// Has a valid user already been authenticated?
- if (containerLog.isDebugEnabled())
- containerLog.debug("Process request for '" + request.getRequestURI() + "'");
if (request.getUserPrincipal() != null) {
- if (containerLog.isDebugEnabled())
- containerLog.debug(" Principal '" + request.getUserPrincipal().getName() +
- "' has already been authenticated");
getNext().invoke(request, response);
return;
}
// Check for the single sign on cookie
- if (containerLog.isDebugEnabled())
- containerLog.debug(" Checking for SSO cookie");
Cookie cookie = null;
Cookie cookies[] = request.getCookies();
if (cookies == null)
@@ -389,21 +380,13 @@
}
}
if (cookie == null) {
- if (containerLog.isDebugEnabled())
- containerLog.debug(" SSO cookie is not present");
getNext().invoke(request, response);
return;
}
// Look up the cached Principal associated with this cookie value
- if (containerLog.isDebugEnabled())
- containerLog.debug(" Checking for cached principal for " + cookie.getValue());
SingleSignOnEntry entry = lookup(cookie.getValue());
if (entry != null) {
- if (containerLog.isDebugEnabled())
- containerLog.debug(" Found cached principal '" +
- (entry.getPrincipal() != null ? entry.getPrincipal().getName() : "") + "' with auth type '" +
- entry.getAuthType() + "'");
request.setNote(Constants.REQ_SSOID_NOTE, cookie.getValue());
// Only set security elements if reauthentication is not required
if (!getRequireReauthentication()) {
@@ -411,8 +394,6 @@
request.setUserPrincipal(entry.getPrincipal());
}
} else {
- if (containerLog.isDebugEnabled())
- containerLog.debug(" No cached principal found, erasing SSO cookie");
cookie.setMaxAge(0);
response.addCookie(cookie);
}
@@ -452,11 +433,8 @@
* @param ssoId Single sign on identifier
* @param session Session to be associated
*/
- protected void associate(String ssoId, Session session) {
+ public void associate(String ssoId, Session session) {
- if (containerLog.isDebugEnabled())
- containerLog.debug("Associate sso id " + ssoId + " with session " + session);
-
SingleSignOnEntry sso = lookup(ssoId);
if (sso != null)
sso.addSession(this, session);
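Review bot: `associate` goes from protected to `public` here, and `deregister`, `reauthenticate` and `register` do the same in the later hunks of this file, so any component holding a reference to the valve can now attach a Session to an SSO entry or register a Principal under an arbitrary ssoId; the Javadoc above each method was written for the protected version and says nothing about who may call it or that the ssoId is taken as is (`lookup(ssoId)` is the only processing visible). Add a sentence to each of those Javadocs stating the trust assumption, e.g. `Public for container-internal SSO integrators; the caller is trusted and the ssoId is not validated here.` The enclosing method ends outside the hunk.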
@@ -502,11 +480,8 @@
*
* @param ssoId Single sign on identifier to deregister
*/
- protected void deregister(String ssoId) {
+ public void deregister(String ssoId) {
- if (containerLog.isDebugEnabled())
- containerLog.debug("Deregistering sso id '" + ssoId + "'");
-
// Look up and remove the corresponding SingleSignOnEntry
SingleSignOnEntry sso = null;
synchronized (cache) {
@@ -519,8 +494,6 @@
// Expire any associated sessions
Session sessions[] = sso.findSessions();
for (int i = 0; i < sessions.length; i++) {
- if (containerLog.isTraceEnabled())
- containerLog.trace(" Invalidating session " + sessions[i]);
// Remove from reverse cache first to avoid recursion
synchronized (reverse) {
reverse.remove(sessions[i]);
@@ -557,7 +530,7 @@
* @return <code>true</code> if reauthentication was successful,
* <code>false</code> otherwise.
*/
- protected boolean reauthenticate(String ssoId, Realm realm,
+ public boolean reauthenticate(String ssoId, Realm realm,
Request request) {
if (ssoId == null || realm == null)
@@ -596,13 +569,9 @@
* @param username Username used to authenticate this user
* @param password Password used to authenticate this user
*/
- protected void register(String ssoId, Principal principal, String authType,
+ public void register(String ssoId, Principal principal, String authType,
String username, String password) {
- if (containerLog.isDebugEnabled())
- containerLog.debug("Registering sso id '" + ssoId + "' for user '" +
- (principal != null ? principal.getName() : "") + "' with auth type '" + authType + "'");
-
synchronized (cache) {
cache.put(ssoId, new SingleSignOnEntry(principal, authType,
username, password));
@@ -641,14 +610,11 @@
SingleSignOnEntry sso = lookup(ssoId);
if (sso != null && !sso.getCanReauthenticate()) {
- if (containerLog.isDebugEnabled())
- containerLog.debug("Update sso id " + ssoId + " to auth type " + authType);
-
synchronized(sso) {
sso.updateCredentials(principal, authType, username, password);
}
-
}
+
}
@@ -676,10 +642,6 @@
*/
protected void removeSession(String ssoId, Session session) {
- if (containerLog.isDebugEnabled())
- containerLog.debug("Removing session " + session.toString() + " from sso id " +
- ssoId );
-
// Get a reference to the SingleSignOn
SingleSignOnEntry entry = lookup(ssoId);
if (entry == null)
JBossWeb SVN: r313 - trunk/bin.
by jbossweb-commits@lists.jboss.org
Author: remy.maucherat(a)jboss.com
Date: 2007-10-18 12:45:38 -0400 (Thu, 18 Oct 2007)
New Revision: 313
Modified:
trunk/bin/setclasspath.sh
Log:
- Use /usr as the default JRE path if it's empty and /usr/bin/java exists.
- Interim patch until JF comes up with something better.
Modified: trunk/bin/setclasspath.sh
===================================================================
--- trunk/bin/setclasspath.sh 2007-10-16 15:22:11 UTC (rev 312)
+++ trunk/bin/setclasspath.sh 2007-10-18 16:45:38 UTC (rev 313)
@@ -14,9 +14,13 @@
if $darwin && [ -d "/System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home" ]; then
export JAVA_HOME="/System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home"
else
- echo "Neither the JAVA_HOME nor the JRE_HOME environment variable is defined"
- echo "At least one of these environment variable is needed to run this program"
- exit 1
+ if [ ! -x /usr/bin/java ]; then
+ echo "Neither the JAVA_HOME nor the JRE_HOME environment variable is defined"
+ echo "At least one of these environment variable is needed to run this program"
+ exit 1
+ else
+ JRE_HOME=/usr
+ fi
fi
fi
if [ -z "$JAVA_HOME" -a "$1" = "debug" ]; then
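Review bot: The new fallback `JRE_HOME=/usr` is silent and, unlike the `export JAVA_HOME=...` in the darwin branch just above it, is not exported, so whether later child processes see it depends on code outside this hunk. A one-line notice would make the implicit choice visible to the operator, e.g. `echo "JRE_HOME not set; defaulting to /usr because /usr/bin/java is executable"`, and `export JRE_HOME=/usr` is worth considering if the rest of the script relies on the variable being in the environment rather than only in the shell. Note that `-x /usr/bin/java` only proves an executable exists at that path; where it is a symlink managed by an alternatives mechanism, the JRE actually launched is whatever that link currently points to, which is hard to audit compared to an explicit JRE_HOME. The enclosing outer if block starts before the hunk.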
JBossWeb SVN: r312 - sandbox/webapps/src.
by jbossweb-commits@lists.jboss.org
Author: jfrederic.clere(a)jboss.com
Date: 2007-10-16 11:22:11 -0400 (Tue, 16 Oct 2007)
New Revision: 312
Modified:
sandbox/webapps/src/BigField.java
Log:
Arrange the messages. And print the parameters.
Modified: sandbox/webapps/src/BigField.java
===================================================================
--- sandbox/webapps/src/BigField.java 2007-10-16 14:24:09 UTC (rev 311)
+++ sandbox/webapps/src/BigField.java 2007-10-16 15:22:11 UTC (rev 312)
@@ -43,7 +43,6 @@
{
response.setContentType("text/html");
- InputStream in = request.getInputStream();
PrintWriter out = response.getWriter();
out.println("<html>");
out.println("<body>");
@@ -65,14 +64,17 @@
out.println("<h3>" + title + "</h3>");
String firstName = request.getParameter("firstname");
String lastName = request.getParameter("lastname");
- out.println("requestparams.params-in-req" + "<br>");
if (firstName != null || lastName != null) {
out.println("requestparams.firstname");
out.println(" = " + firstName + "<br>");
out.println("requestparams.lastname");
out.println(" = " + lastName);
} else {
- out.println("requestparams.no-params");
+ Enumeration e = request.getParameterNames();
+ out.println("requestparams.unex-params " + e);
+ while (e.hasMoreElements()) {
+ out.println("requestparams.unex-params name: " + e.nextElement());
+ }
}
out.println("<P>");
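Review bot: The loop added in the else branch writes each request parameter name into a `text/html` response without escaping (`out.println("requestparams.unex-params name: " + e.nextElement())`), so a name containing `<` or `"` is rendered as markup by the browser instead of as text; the context lines above that print `firstName` and `lastName` have the same weakness, but this hunk adds a new instance of it. Java SE has no HTML escaper, so a small helper as sketched below keeps the page safe while still listing the names. Separately, `"requestparams.unex-params " + e` prints the enumeration object's identity rather than anything about the parameters, so it is likely to read as noise in the output. `Enumeration` is used as a raw type here; if the servlet API in use declares `getParameterNames()` as `Enumeration<String>`, declaring `e` that way avoids the raw type. The enclosing doGet body starts and ends outside the hunk.
```java
Enumeration e = request.getParameterNames();
out.println("requestparams.unex-params");
while (e.hasMoreElements()) {
    out.println("requestparams.unex-params name: "
                + escapeHtml(String.valueOf(e.nextElement())));
}
// … unchanged: rest of doGet …

/** Minimal HTML escaping for values reflected into the response body. */
private static String escapeHtml(String s) {
    StringBuilder sb = new StringBuilder(s.length());
    for (int i = 0; i < s.length(); i++) {
        char c = s.charAt(i);
        switch (c) {
            case '&': sb.append("&amp;"); break;
            case '<': sb.append("&lt;"); break;
            case '>': sb.append("&gt;"); break;
            case '"': sb.append("&quot;"); break;
            case '\'': sb.append("&#39;"); break;
            default: sb.append(c);
        }
    }
    return sb.toString();
}
```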
@@ -91,6 +93,7 @@
*/
/* read */
// Read the inputstream.
+ InputStream in = request.getInputStream();
if (in!=null) {
byte[] buff = new byte[128];
int i=0;
JBossWeb SVN: r311 - in trunk: lib and 1 other directory.
by jbossweb-commits@lists.jboss.org
Author: remy.maucherat(a)jboss.com
Date: 2007-10-16 10:24:09 -0400 (Tue, 16 Oct 2007)
New Revision: 311
Modified:
trunk/build.properties.default
trunk/lib/jasper-jdt.jar
Log:
- Update to JDT 3.3.
Modified: trunk/build.properties.default
===================================================================
--- trunk/build.properties.default 2007-10-15 06:49:09 UTC (rev 310)
+++ trunk/build.properties.default 2007-10-16 14:24:09 UTC (rev 311)
@@ -40,8 +40,8 @@
# ----- Eclipse JDT, version 3.2 or later -----
jdt.home=${base.path}/eclipse/plugins
jdt.lib=${jdt.home}
-jdt.jar=${jdt.lib}/org.eclipse.jdt.core_3.2.3.v_686_R32x.jar
-jdt.loc=http://sunsite.informatik.rwth-aachen.de/eclipse/downloads/drops/R-3.2.2-200702121330/eclipse-JDT-3.2.2.zip
+jdt.jar=${jdt.lib}/org.eclipse.jdt.core_3.3.1.v_780_R33x.jar
+jdt.loc=http://sunsite.informatik.rwth-aachen.de/eclipse/downloads/drops/R-3.3.1-200709211145/eclipse-JDT-3.3.1.zip
# ----- Tomcat native library -----
tomcat-native.home=${base.path}/tomcat-native-1.1.10
Modified: trunk/lib/jasper-jdt.jar
===================================================================
(Binary files differ)
JBossWeb SVN: r310 - branches/2.0.x/src/share/classes/org/apache/catalina/servlets.
by jbossweb-commits@lists.jboss.org
Author: remy.maucherat(a)jboss.com
Date: 2007-10-15 02:49:09 -0400 (Mon, 15 Oct 2007)
New Revision: 310
Modified:
branches/2.0.x/src/share/classes/org/apache/catalina/servlets/WebdavServlet.java
Log:
- Disable entity expansion.
Modified: branches/2.0.x/src/share/classes/org/apache/catalina/servlets/WebdavServlet.java
===================================================================
--- branches/2.0.x/src/share/classes/org/apache/catalina/servlets/WebdavServlet.java 2007-10-15 06:35:37 UTC (rev 309)
+++ branches/2.0.x/src/share/classes/org/apache/catalina/servlets/WebdavServlet.java 2007-10-15 06:49:09 UTC (rev 310)
@@ -242,6 +242,7 @@
try {
documentBuilderFactory = DocumentBuilderFactory.newInstance();
documentBuilderFactory.setNamespaceAware(true);
+ documentBuilderFactory.setExpandEntityReferences(false);
documentBuilder = documentBuilderFactory.newDocumentBuilder();
} catch(ParserConfigurationException e) {
throw new ServletException
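Review bot: `setExpandEntityReferences(false)` only controls whether entity references are expanded into the resulting DOM; it does not stop the parser from processing a DOCTYPE or resolving the external entities it declares, so a request body carrying an external DTD can still cause the server to read a file or open a network connection during parsing. For request bodies that never legitimately carry a DOCTYPE, the robust setting is `documentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` placed next to the new line; it throws ParserConfigurationException on parsers that do not support it, which the existing catch below already turns into a ServletException. Keeping the expand flag alongside it does no harm, but on its own it should not be relied on as the protection. The enclosing method starts and ends outside the hunk.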