JBossWeb SVN: r1498 - in trunk/java/org/apache/coyote: http11 and 1 other directory.
by jbossweb-commits@lists.jboss.org
Author: remy.maucherat(a)jboss.com
Date: 2010-06-29 06:33:01 -0400 (Tue, 29 Jun 2010)
New Revision: 1498
Modified:
trunk/java/org/apache/coyote/ajp/AjpAprProcessor.java
trunk/java/org/apache/coyote/ajp/AjpProcessor.java
trunk/java/org/apache/coyote/http11/InternalAprOutputBuffer.java
trunk/java/org/apache/coyote/http11/InternalOutputBuffer.java
Log:
- Filter out invalid headers (after some hesitation ...).
Modified: trunk/java/org/apache/coyote/ajp/AjpAprProcessor.java
===================================================================
--- trunk/java/org/apache/coyote/ajp/AjpAprProcessor.java 2010-06-29 10:31:15 UTC (rev 1497)
+++ trunk/java/org/apache/coyote/ajp/AjpAprProcessor.java 2010-06-29 10:33:01 UTC (rev 1498)
@@ -1044,17 +1044,19 @@
// Other headers
int numHeaders = headers.size();
responseHeaderMessage.appendInt(numHeaders);
- for (int i = 0; i < numHeaders; i++) {
+ for (int i = 0; i < numHeaders; i++) {
MessageBytes hN = headers.getName(i);
- int hC = Constants.getResponseAjpIndex(hN.toString());
- if (hC > 0) {
- responseHeaderMessage.appendInt(hC);
+ MessageBytes hV=headers.getValue(i);
+ if (hN.getLength() > 0 && !hV.isNull()) {
+ int hC = Constants.getResponseAjpIndex(hN.toString());
+ if (hC > 0) {
+ responseHeaderMessage.appendInt(hC);
+ }
+ else {
+ responseHeaderMessage.appendBytes(hN);
+ }
+ responseHeaderMessage.appendBytes(hV);
}
- else {
- responseHeaderMessage.appendBytes(hN);
- }
- MessageBytes hV=headers.getValue(i);
- responseHeaderMessage.appendBytes(hV);
}
// Write to buffer
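Review bot: `responseHeaderMessage.appendInt(numHeaders)` is still taken from `headers.size()` before the loop, but the new guard skips every header whose name is empty or whose value is null, so whenever one is filtered out the header count written into the AJP response message is larger than the number of name/value pairs that actually follow it. The count needs to be computed from the headers that pass the guard, e.g. with a counting pass before the existing loop as below. The same applies to the AjpProcessor hunk of this commit. The enclosing method starts and ends outside the hunk.
```java
// Other headers
int numHeaders = headers.size();
int sentHeaders = 0;
for (int i = 0; i < numHeaders; i++) {
    // Count only what the loop below will actually append
    if (headers.getName(i).getLength() > 0 && !headers.getValue(i).isNull()) {
        sentHeaders++;
    }
}
responseHeaderMessage.appendInt(sentHeaders);
for (int i = 0; i < numHeaders; i++) {
    // … unchanged: per-header guard, appendInt/appendBytes of name and value …
}
```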
Modified: trunk/java/org/apache/coyote/ajp/AjpProcessor.java
===================================================================
--- trunk/java/org/apache/coyote/ajp/AjpProcessor.java 2010-06-29 10:31:15 UTC (rev 1497)
+++ trunk/java/org/apache/coyote/ajp/AjpProcessor.java 2010-06-29 10:33:01 UTC (rev 1498)
@@ -1060,15 +1060,17 @@
responseHeaderMessage.appendInt(numHeaders);
for (int i = 0; i < numHeaders; i++) {
MessageBytes hN = headers.getName(i);
- int hC = Constants.getResponseAjpIndex(hN.toString());
- if (hC > 0) {
- responseHeaderMessage.appendInt(hC);
+ MessageBytes hV=headers.getValue(i);
+ if (hN.getLength() > 0 && !hV.isNull()) {
+ int hC = Constants.getResponseAjpIndex(hN.toString());
+ if (hC > 0) {
+ responseHeaderMessage.appendInt(hC);
+ }
+ else {
+ responseHeaderMessage.appendBytes(hN);
+ }
+ responseHeaderMessage.appendBytes(hV);
}
- else {
- responseHeaderMessage.appendBytes(hN);
- }
- MessageBytes hV=headers.getValue(i);
- responseHeaderMessage.appendBytes(hV);
}
// Write to buffer
Modified: trunk/java/org/apache/coyote/http11/InternalAprOutputBuffer.java
===================================================================
--- trunk/java/org/apache/coyote/http11/InternalAprOutputBuffer.java 2010-06-29 10:31:15 UTC (rev 1497)
+++ trunk/java/org/apache/coyote/http11/InternalAprOutputBuffer.java 2010-06-29 10:33:01 UTC (rev 1498)
@@ -455,12 +455,14 @@
*/
public void sendHeader(MessageBytes name, MessageBytes value) {
- write(name);
- buf[pos++] = Constants.COLON;
- buf[pos++] = Constants.SP;
- write(value);
- buf[pos++] = Constants.CR;
- buf[pos++] = Constants.LF;
+ if (name.getLength() > 0 && !value.isNull()) {
+ write(name);
+ buf[pos++] = Constants.COLON;
+ buf[pos++] = Constants.SP;
+ write(value);
+ buf[pos++] = Constants.CR;
+ buf[pos++] = Constants.LF;
+ }
}
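Review bot: The new guard only drops headers with an empty name or a null value; a value that itself contains CR or LF bytes is still written verbatim between the `COLON`/`SP` and `CR`/`LF` bytes, so the header line structure can still be broken by such a value and the "invalid headers" filtered here do not include that case. If that validation is expected to happen before `sendHeader` is reached, the Javadoc ending just above the method should say so and state what is silently skipped, e.g. `Headers with an empty name or a null value are silently dropped; other values are written as-is and must already be free of CR/LF.` The same applies to the InternalOutputBuffer hunk of this commit.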
Modified: trunk/java/org/apache/coyote/http11/InternalOutputBuffer.java
===================================================================
--- trunk/java/org/apache/coyote/http11/InternalOutputBuffer.java 2010-06-29 10:31:15 UTC (rev 1497)
+++ trunk/java/org/apache/coyote/http11/InternalOutputBuffer.java 2010-06-29 10:33:01 UTC (rev 1498)
@@ -472,12 +472,14 @@
*/
public void sendHeader(MessageBytes name, MessageBytes value) {
- write(name);
- buf[pos++] = Constants.COLON;
- buf[pos++] = Constants.SP;
- write(value);
- buf[pos++] = Constants.CR;
- buf[pos++] = Constants.LF;
+ if (name.getLength() > 0 && !value.isNull()) {
+ write(name);
+ buf[pos++] = Constants.COLON;
+ buf[pos++] = Constants.SP;
+ write(value);
+ buf[pos++] = Constants.CR;
+ buf[pos++] = Constants.LF;
+ }
}
JBossWeb SVN: r1497 - in branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/coyote/http11: filters and 1 other directory.
by jbossweb-commits@lists.jboss.org
Author: remy.maucherat(a)jboss.com
Date: 2010-06-29 06:31:15 -0400 (Tue, 29 Jun 2010)
New Revision: 1497
Modified:
branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/coyote/http11/Http11AprProcessor.java
branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/coyote/http11/Http11NioProcessor.java
branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/coyote/http11/Http11Processor.java
branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/coyote/http11/filters/BufferedInputFilter.java
Log:
- Fix possible NPE.
- Don't recycle buffered filter to save memory (only used in complex SSL operations).
Modified: branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/coyote/http11/Http11AprProcessor.java
===================================================================
--- branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/coyote/http11/Http11AprProcessor.java 2010-06-29 10:30:56 UTC (rev 1496)
+++ branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/coyote/http11/Http11AprProcessor.java 2010-06-29 10:31:15 UTC (rev 1497)
@@ -1155,9 +1155,9 @@
if (ssl && (socket != 0)) {
// Consume and buffer the request body, so that it does not
// interfere with the client's handshake messages
- InputFilter[] inputFilters = inputBuffer.getFilters();
- ((BufferedInputFilter) inputFilters[Constants.BUFFERED_FILTER]).setLimit(maxSavePostSize);
- inputBuffer.addActiveFilter(inputFilters[Constants.BUFFERED_FILTER]);
+ BufferedInputFilter buffredInputFilter = new BufferedInputFilter();
+ buffredInputFilter.setLimit(maxSavePostSize);
+ inputBuffer.addActiveFilter(buffredInputFilter);
try {
// Renegociate certificates
SSLSocket.renegotiate(socket);
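Review bot: `buffredInputFilter` is misspelled; `bufferedInputFilter` would match the class name, here and in the Http11NioProcessor and Http11Processor hunks of this commit as well as the corresponding hunks in r1496 and r1495. This hunk also adds the filter unconditionally, whereas the r1496 and r1495 versions of the same change wrap the three lines in `if (maxSavePostSize != 0) { … }`; if a limit of 0 is meant to disable body buffering on renegotiation, the 2.0.0 CP branch now installs a filter with `setLimit(0)` where the other branches install none, which is worth confirming. Since the filter is no longer created once in the filter table but per renegotiation, its lifetime presumably ends when the active-filter list is reset on recycle; confirm nothing else retains the reference. The enclosing method starts and ends outside the hunk.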
@@ -1699,9 +1699,6 @@
inputBuffer.addFilter(new VoidInputFilter());
outputBuffer.addFilter(new VoidOutputFilter());
- // Create and add buffered input filter
- inputBuffer.addFilter(new BufferedInputFilter());
-
// Create and add the chunked filters.
//inputBuffer.addFilter(new GzipInputFilter());
outputBuffer.addFilter(new GzipOutputFilter());
Modified: branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/coyote/http11/Http11NioProcessor.java
===================================================================
--- branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/coyote/http11/Http11NioProcessor.java 2010-06-29 10:30:56 UTC (rev 1496)
+++ branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/coyote/http11/Http11NioProcessor.java 2010-06-29 10:31:15 UTC (rev 1497)
@@ -1195,11 +1195,9 @@
* Consume and buffer the request body, so that it does not
* interfere with the client's handshake messages
*/
- InputFilter[] inputFilters = inputBuffer.getFilters();
- ((BufferedInputFilter) inputFilters[Constants.BUFFERED_FILTER])
- .setLimit(maxSavePostSize);
- inputBuffer.addActiveFilter
- (inputFilters[Constants.BUFFERED_FILTER]);
+ BufferedInputFilter buffredInputFilter = new BufferedInputFilter();
+ buffredInputFilter.setLimit(maxSavePostSize);
+ inputBuffer.addActiveFilter(buffredInputFilter);
try {
Object sslO = sslSupport.getPeerCertificateChain(true);
if( sslO != null) {
@@ -1734,9 +1732,6 @@
inputBuffer.addFilter(new VoidInputFilter());
outputBuffer.addFilter(new VoidOutputFilter());
- // Create and add buffered input filter
- inputBuffer.addFilter(new BufferedInputFilter());
-
// Create and add the chunked filters.
//inputBuffer.addFilter(new GzipInputFilter());
outputBuffer.addFilter(new GzipOutputFilter());
Modified: branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/coyote/http11/Http11Processor.java
===================================================================
--- branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/coyote/http11/Http11Processor.java 2010-06-29 10:30:56 UTC (rev 1496)
+++ branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/coyote/http11/Http11Processor.java 2010-06-29 10:31:15 UTC (rev 1497)
@@ -1089,11 +1089,9 @@
* Consume and buffer the request body, so that it does not
* interfere with the client's handshake messages
*/
- InputFilter[] inputFilters = inputBuffer.getFilters();
- ((BufferedInputFilter) inputFilters[Constants.BUFFERED_FILTER])
- .setLimit(maxSavePostSize);
- inputBuffer.addActiveFilter
- (inputFilters[Constants.BUFFERED_FILTER]);
+ BufferedInputFilter buffredInputFilter = new BufferedInputFilter();
+ buffredInputFilter.setLimit(maxSavePostSize);
+ inputBuffer.addActiveFilter(buffredInputFilter);
try {
Object sslO = sslSupport.getPeerCertificateChain(true);
if( sslO != null) {
@@ -1620,9 +1618,6 @@
inputBuffer.addFilter(new VoidInputFilter());
outputBuffer.addFilter(new VoidOutputFilter());
- // Create and add buffered input filter
- inputBuffer.addFilter(new BufferedInputFilter());
-
// Create and add the chunked filters.
//inputBuffer.addFilter(new GzipInputFilter());
outputBuffer.addFilter(new GzipOutputFilter());
Modified: branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/coyote/http11/filters/BufferedInputFilter.java
===================================================================
--- branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/coyote/http11/filters/BufferedInputFilter.java 2010-06-29 10:30:56 UTC (rev 1496)
+++ branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/coyote/http11/filters/BufferedInputFilter.java 2010-06-29 10:31:15 UTC (rev 1497)
@@ -102,10 +102,13 @@
}
public void recycle() {
- if (buffered.getBuffer().length > 65536) {
- buffered = null;
- } else {
- buffered.recycle();
+ if (buffered != null) {
+ if (buffered.getBuffer() != null
+ && buffered.getBuffer().length > 65536) {
+ buffered = null;
+ } else {
+ buffered.recycle();
+ }
}
tempRead.recycle();
hasRead = false;
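Review bot: `buffered.getBuffer()` is evaluated twice in the new condition; a local `byte[] buf = buffered.getBuffer();` keeps the null check and the length check on the same reference and reads more plainly. The threshold `65536` is a bare magic number; a named constant such as `private static final int MAX_RETAINED_BUFFER_SIZE = 65536;` with a comment that larger buffers are released instead of being kept for reuse would document why the branch discards `buffered`. The same hunk appears in r1496 and r1495 below. `recycle()` continues past the end of the hunk.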
JBossWeb SVN: r1496 - in branches/2.1.x/java/org/apache/coyote/http11: filters and 1 other directory.
by jbossweb-commits@lists.jboss.org
Author: remy.maucherat(a)jboss.com
Date: 2010-06-29 06:30:56 -0400 (Tue, 29 Jun 2010)
New Revision: 1496
Modified:
branches/2.1.x/java/org/apache/coyote/http11/Http11AprProcessor.java
branches/2.1.x/java/org/apache/coyote/http11/Http11Processor.java
branches/2.1.x/java/org/apache/coyote/http11/filters/BufferedInputFilter.java
Log:
- Fix possible NPE.
- Don't recycle buffered filter to save memory (only used in complex SSL operations).
Modified: branches/2.1.x/java/org/apache/coyote/http11/Http11AprProcessor.java
===================================================================
--- branches/2.1.x/java/org/apache/coyote/http11/Http11AprProcessor.java 2010-06-29 10:30:20 UTC (rev 1495)
+++ branches/2.1.x/java/org/apache/coyote/http11/Http11AprProcessor.java 2010-06-29 10:30:56 UTC (rev 1496)
@@ -1214,9 +1214,9 @@
// Consume and buffer the request body, so that it does not
// interfere with the client's handshake messages
if (maxSavePostSize != 0) {
- InputFilter[] inputFilters = inputBuffer.getFilters();
- ((BufferedInputFilter) inputFilters[Constants.BUFFERED_FILTER]).setLimit(maxSavePostSize);
- inputBuffer.addActiveFilter(inputFilters[Constants.BUFFERED_FILTER]);
+ BufferedInputFilter buffredInputFilter = new BufferedInputFilter();
+ buffredInputFilter.setLimit(maxSavePostSize);
+ inputBuffer.addActiveFilter(buffredInputFilter);
}
try {
// Configure connection to require a certificate
@@ -1796,9 +1796,6 @@
inputBuffer.addFilter(new VoidInputFilter());
outputBuffer.addFilter(new VoidOutputFilter());
- // Create and add buffered input filter
- inputBuffer.addFilter(new BufferedInputFilter());
-
// Create and add the chunked filters.
//inputBuffer.addFilter(new GzipInputFilter());
outputBuffer.addFilter(new GzipOutputFilter());
Modified: branches/2.1.x/java/org/apache/coyote/http11/Http11Processor.java
===================================================================
--- branches/2.1.x/java/org/apache/coyote/http11/Http11Processor.java 2010-06-29 10:30:20 UTC (rev 1495)
+++ branches/2.1.x/java/org/apache/coyote/http11/Http11Processor.java 2010-06-29 10:30:56 UTC (rev 1496)
@@ -1067,9 +1067,9 @@
// Consume and buffer the request body, so that it does not
// interfere with the client's handshake messages
if (maxSavePostSize != 0) {
- InputFilter[] inputFilters = inputBuffer.getFilters();
- ((BufferedInputFilter) inputFilters[Constants.BUFFERED_FILTER]).setLimit(maxSavePostSize);
- inputBuffer.addActiveFilter(inputFilters[Constants.BUFFERED_FILTER]);
+ BufferedInputFilter buffredInputFilter = new BufferedInputFilter();
+ buffredInputFilter.setLimit(maxSavePostSize);
+ inputBuffer.addActiveFilter(buffredInputFilter);
}
try {
Object sslO = sslSupport.getPeerCertificateChain(true);
@@ -1585,9 +1585,6 @@
inputBuffer.addFilter(new VoidInputFilter());
outputBuffer.addFilter(new VoidOutputFilter());
- // Create and add buffered input filter
- inputBuffer.addFilter(new BufferedInputFilter());
-
// Create and add the chunked filters.
//inputBuffer.addFilter(new GzipInputFilter());
outputBuffer.addFilter(new GzipOutputFilter());
Modified: branches/2.1.x/java/org/apache/coyote/http11/filters/BufferedInputFilter.java
===================================================================
--- branches/2.1.x/java/org/apache/coyote/http11/filters/BufferedInputFilter.java 2010-06-29 10:30:20 UTC (rev 1495)
+++ branches/2.1.x/java/org/apache/coyote/http11/filters/BufferedInputFilter.java 2010-06-29 10:30:56 UTC (rev 1496)
@@ -102,10 +102,13 @@
}
public void recycle() {
- if (buffered.getBuffer().length > 65536) {
- buffered = null;
- } else {
- buffered.recycle();
+ if (buffered != null) {
+ if (buffered.getBuffer() != null
+ && buffered.getBuffer().length > 65536) {
+ buffered = null;
+ } else {
+ buffered.recycle();
+ }
}
tempRead.recycle();
hasRead = false;
JBossWeb SVN: r1495 - in trunk/java/org/apache/coyote/http11: filters and 1 other directory.
by jbossweb-commits@lists.jboss.org
Author: remy.maucherat(a)jboss.com
Date: 2010-06-29 06:30:20 -0400 (Tue, 29 Jun 2010)
New Revision: 1495
Modified:
trunk/java/org/apache/coyote/http11/Http11AprProcessor.java
trunk/java/org/apache/coyote/http11/Http11Processor.java
trunk/java/org/apache/coyote/http11/filters/BufferedInputFilter.java
Log:
- Fix possible NPE.
- Don't recycle buffered filter to save memory (only used in complex SSL operations).
Modified: trunk/java/org/apache/coyote/http11/Http11AprProcessor.java
===================================================================
--- trunk/java/org/apache/coyote/http11/Http11AprProcessor.java 2010-06-28 09:12:39 UTC (rev 1494)
+++ trunk/java/org/apache/coyote/http11/Http11AprProcessor.java 2010-06-29 10:30:20 UTC (rev 1495)
@@ -1202,9 +1202,9 @@
// Consume and buffer the request body, so that it does not
// interfere with the client's handshake messages
if (maxSavePostSize != 0) {
- InputFilter[] inputFilters = inputBuffer.getFilters();
- ((BufferedInputFilter) inputFilters[Constants.BUFFERED_FILTER]).setLimit(maxSavePostSize);
- inputBuffer.addActiveFilter(inputFilters[Constants.BUFFERED_FILTER]);
+ BufferedInputFilter buffredInputFilter = new BufferedInputFilter();
+ buffredInputFilter.setLimit(maxSavePostSize);
+ inputBuffer.addActiveFilter(buffredInputFilter);
}
try {
// Configure connection to require a certificate
@@ -1786,9 +1786,6 @@
inputBuffer.addFilter(new VoidInputFilter());
outputBuffer.addFilter(new VoidOutputFilter());
- // Create and add buffered input filter
- inputBuffer.addFilter(new BufferedInputFilter());
-
// Create and add the chunked filters.
//inputBuffer.addFilter(new GzipInputFilter());
outputBuffer.addFilter(new GzipOutputFilter());
Modified: trunk/java/org/apache/coyote/http11/Http11Processor.java
===================================================================
--- trunk/java/org/apache/coyote/http11/Http11Processor.java 2010-06-28 09:12:39 UTC (rev 1494)
+++ trunk/java/org/apache/coyote/http11/Http11Processor.java 2010-06-29 10:30:20 UTC (rev 1495)
@@ -1136,9 +1136,9 @@
// Consume and buffer the request body, so that it does not
// interfere with the client's handshake messages
if (maxSavePostSize != 0) {
- InputFilter[] inputFilters = inputBuffer.getFilters();
- ((BufferedInputFilter) inputFilters[Constants.BUFFERED_FILTER]).setLimit(maxSavePostSize);
- inputBuffer.addActiveFilter(inputFilters[Constants.BUFFERED_FILTER]);
+ BufferedInputFilter buffredInputFilter = new BufferedInputFilter();
+ buffredInputFilter.setLimit(maxSavePostSize);
+ inputBuffer.addActiveFilter(buffredInputFilter);
}
try {
Object sslO = sslSupport.getPeerCertificateChain(true);
@@ -1669,13 +1669,10 @@
inputBuffer.addFilter(new VoidInputFilter());
outputBuffer.addFilter(new VoidOutputFilter());
- // Create and add buffered input filter
- inputBuffer.addFilter(new BufferedInputFilter());
-
// Create and add the chunked filters.
//inputBuffer.addFilter(new GzipInputFilter());
outputBuffer.addFilter(new GzipOutputFilter());
-
+
}
Modified: trunk/java/org/apache/coyote/http11/filters/BufferedInputFilter.java
===================================================================
--- trunk/java/org/apache/coyote/http11/filters/BufferedInputFilter.java 2010-06-28 09:12:39 UTC (rev 1494)
+++ trunk/java/org/apache/coyote/http11/filters/BufferedInputFilter.java 2010-06-29 10:30:20 UTC (rev 1495)
@@ -102,10 +102,13 @@
}
public void recycle() {
- if (buffered.getBuffer().length > 65536) {
- buffered = null;
- } else {
- buffered.recycle();
+ if (buffered != null) {
+ if (buffered.getBuffer() != null
+ && buffered.getBuffer().length > 65536) {
+ buffered = null;
+ } else {
+ buffered.recycle();
+ }
}
tempRead.recycle();
hasRead = false;
JBossWeb SVN: r1494 - trunk/java/org/apache/catalina/core.
by jbossweb-commits@lists.jboss.org
Author: remy.maucherat(a)jboss.com
Date: 2010-06-28 05:12:39 -0400 (Mon, 28 Jun 2010)
New Revision: 1494
Modified:
trunk/java/org/apache/catalina/core/StandardWrapperValve.java
Log:
- If timeout does nothing, set a 500 status. (read on the Tomcat list)
Modified: trunk/java/org/apache/catalina/core/StandardWrapperValve.java
===================================================================
--- trunk/java/org/apache/catalina/core/StandardWrapperValve.java 2010-06-24 10:20:27 UTC (rev 1493)
+++ trunk/java/org/apache/catalina/core/StandardWrapperValve.java 2010-06-28 09:12:39 UTC (rev 1494)
@@ -598,6 +598,9 @@
exception(request, response, e);
}
}
+ if (timeout && request.isEventMode() && asyncContext.getPath() == null) {
+ response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
+ }
} else if (asyncContext.getRunnable() != null) {
// Execute the runnable
try {
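Review bot: `response.setStatus(...)` has no effect once the response has been committed, so if the timeout handling above already flushed output the 500 is silently lost; guarding the new block with `!response.isCommitted()` (or logging when it is committed) makes the fallback observable rather than best-effort. A one-line comment stating the intent would help the next reader, e.g. `// Timeout with no dispatch target: report a server error instead of a stale success status`. That `asyncContext.getPath() == null` means "no dispatch was requested" is inferred from the name and should be confirmed. The enclosing method starts and ends outside the hunk.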
JBossWeb SVN: r1493 - in trunk: webapps/docs and 1 other directory.
by jbossweb-commits@lists.jboss.org
Author: remy.maucherat(a)jboss.com
Date: 2010-06-24 06:20:27 -0400 (Thu, 24 Jun 2010)
New Revision: 1493
Modified:
trunk/java/org/apache/catalina/filters/Constants.java
trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java
trunk/webapps/docs/changelog.xml
Log:
- Port CSRF filter updates.
Modified: trunk/java/org/apache/catalina/filters/Constants.java
===================================================================
--- trunk/java/org/apache/catalina/filters/Constants.java 2010-06-24 03:15:20 UTC (rev 1492)
+++ trunk/java/org/apache/catalina/filters/Constants.java 2010-06-24 10:20:27 UTC (rev 1493)
@@ -36,4 +36,6 @@
public static final String CSRF_NONCE_REQUEST_PARAM =
"org.apache.catalina.filters.CSRF_NONCE";
+
+ public static final String METHOD_GET = "GET";
}
Modified: trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java
===================================================================
--- trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java 2010-06-24 03:15:20 UTC (rev 1492)
+++ trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java 2010-06-24 10:20:27 UTC (rev 1493)
@@ -18,7 +18,11 @@
package org.apache.catalina.filters;
import java.io.IOException;
+import java.util.HashSet;
+import java.util.LinkedHashMap;
+import java.util.Map;
import java.util.Random;
+import java.util.Set;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
@@ -42,6 +46,27 @@
private final Random randomSource = new Random();
+ private final Set<String> entryPoints = new HashSet<String>();
+
+ private final int nonceCacheSize = 5;
+
+ /**
+ * Entry points are URLs that will not be tested for the presence of a valid
+ * nonce. They are used to provide a way to navigate back to a protected
+ * application after navigating away from it. Entry points will be limited
+ * to HTTP GET requests and should not trigger any security sensitive
+ * actions.
+ *
+ * @param entryPoints Comma separated list of URLs to be configured as
+ * entry points.
+ */
+ public void setEntryPoints(String entryPoints) {
+ String values[] = entryPoints.split(",");
+ for (String value : values) {
+ this.entryPoints.add(value.trim());
+ }
+ }
+
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
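Review bot: `randomSource` at the top of this hunk is a `java.util.Random`, whose sequence is predictable from a small number of observed outputs; if `generateNonce()` (outside the hunk) draws from it, the CSRF nonce is guessable and the filter gives little protection, so the nonce source should be `java.security.SecureRandom`. In `setEntryPoints`, `split(",")` on an empty string or one with a trailing comma yields blank entries that are added to the set after `trim()`; skipping them (`if (value.length() > 0) { this.entryPoints.add(value); }`) avoids registering "" as an entry point. The Javadoc could also state that entries are matched exactly against servletPath plus pathInfo, which is how `doFilter` below uses them.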
@@ -53,20 +78,43 @@
HttpServletRequest req = (HttpServletRequest) request;
HttpServletResponse res = (HttpServletResponse) response;
- String previousNonce =
- req.getParameter(Constants.CSRF_NONCE_REQUEST_PARAM);
- String expectedNonce = (String) req.getSession(true).getAttribute(
+ boolean skipNonceCheck = false;
+
+ if (Constants.METHOD_GET.equals(req.getMethod())) {
+ String path = req.getServletPath();
+ if (req.getPathInfo() != null) {
+ path = path + req.getPathInfo();
+ }
+
+ if (entryPoints.contains(path)) {
+ skipNonceCheck = true;
+ }
+ }
+
+ @SuppressWarnings("unchecked")
+ LruCache<String> nonceCache =
+ (LruCache<String>) req.getSession(true).getAttribute(
Constants.CSRF_NONCE_SESSION_ATTR_NAME);
- if (expectedNonce != null && !expectedNonce.equals(previousNonce)) {
- res.sendError(HttpServletResponse.SC_FORBIDDEN);
- return;
+ if (!skipNonceCheck) {
+ String previousNonce =
+ req.getParameter(Constants.CSRF_NONCE_REQUEST_PARAM);
+
+ if (nonceCache != null && !nonceCache.contains(previousNonce)) {
+ res.sendError(HttpServletResponse.SC_FORBIDDEN);
+ return;
+ }
}
+ if (nonceCache == null) {
+ nonceCache = new LruCache<String>(nonceCacheSize);
+ req.getSession().setAttribute(
+ Constants.CSRF_NONCE_SESSION_ATTR_NAME, nonceCache);
+ }
+
String newNonce = generateNonce();
- req.getSession(true).setAttribute(
- Constants.CSRF_NONCE_SESSION_ATTR_NAME, newNonce);
+ nonceCache.add(newNonce);
wResponse = new CsrfResponseWrapper(res, newNonce);
} else {
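Review bot: The unchecked cast `(LruCache<String>) req.getSession(true).getAttribute(...)` assumes the attribute is always an `LruCache`, but the removed lines show the same attribute name previously held a `String` nonce, so a session persisted or replicated across this upgrade throws `ClassCastException` here on every request until it is invalidated. Reading the attribute as `Object` and treating anything that is not an `LruCache` as absent degrades gracefully: `Object attr = req.getSession(true).getAttribute(Constants.CSRF_NONCE_SESSION_ATTR_NAME);` followed by `nonceCache = attr instanceof LruCache ? (LruCache<String>) attr : null;`. Note that when the cache is absent the nonce check is skipped for that request, which is the intended first-visit behaviour and unchanged from before. `doFilter` starts and ends outside the hunk.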
@@ -176,4 +224,32 @@
return (sb.toString());
}
}
+
+ private static class LruCache<T> {
+
+ // Although the internal implementation uses a Map, this cache
+ // implementation is only concerned with the keys.
+ private final Map<T,T> cache;
+
+ public LruCache(final int cacheSize) {
+ cache = new LinkedHashMap<T,T>() {
+ private static final long serialVersionUID = 1L;
+ @Override
+ protected boolean removeEldestEntry(Map.Entry<T,T> eldest) {
+ if (size() > cacheSize) {
+ return true;
+ }
+ return false;
+ }
+ };
+ }
+
+ public void add(T key) {
+ cache.put(key, null);
+ }
+
+ public boolean contains(T key) {
+ return cache.containsKey(key);
+ }
+ }
}
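Review bot: `LruCache` is not thread-safe, yet one instance is stored in the session and `add` is called on every request of that session, so two concurrent requests from the same session (parallel page loads) can modify the underlying `LinkedHashMap` at the same time and corrupt it. The minimal fix is `public synchronized void add(T key)` and `public synchronized boolean contains(T key)`. Because the instance lives in the session, it should also implement `Serializable` (the map already is) or session passivation and replication may fail, depending on the session manager. The map is built in insertion order, so eviction is FIFO rather than least-recently-used; either document that or rename, and `removeEldestEntry` can simply `return size() > cacheSize;`.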
Modified: trunk/webapps/docs/changelog.xml
===================================================================
--- trunk/webapps/docs/changelog.xml 2010-06-24 03:15:20 UTC (rev 1492)
+++ trunk/webapps/docs/changelog.xml 2010-06-24 10:20:27 UTC (rev 1493)
@@ -22,6 +22,9 @@
<fix>
Fix NPE processing some POST. (markt)
</fix>
+ <fix>
+ Various CSRF filter updates. (markt)
+ </fix>
</changelog>
</subsection>
</section>
JBossWeb SVN: r1492 - branches/JBOSSWEB_2_0_0_GA_CP12_JBPAPP-4519/src/share/classes/org/apache/catalina/connector.
by jbossweb-commits@lists.jboss.org
Author: mmillson
Date: 2010-06-23 23:15:20 -0400 (Wed, 23 Jun 2010)
New Revision: 1492
Modified:
branches/JBOSSWEB_2_0_0_GA_CP12_JBPAPP-4519/src/share/classes/org/apache/catalina/connector/LocalStrings.properties
branches/JBOSSWEB_2_0_0_GA_CP12_JBPAPP-4519/src/share/classes/org/apache/catalina/connector/Request.java
Log:
Fix retrieving request parameters on POST with transfer-encoding: chunked for [JBPAPP-4519].
Modified: branches/JBOSSWEB_2_0_0_GA_CP12_JBPAPP-4519/src/share/classes/org/apache/catalina/connector/LocalStrings.properties
===================================================================
--- branches/JBOSSWEB_2_0_0_GA_CP12_JBPAPP-4519/src/share/classes/org/apache/catalina/connector/LocalStrings.properties 2010-06-24 02:51:20 UTC (rev 1491)
+++ branches/JBOSSWEB_2_0_0_GA_CP12_JBPAPP-4519/src/share/classes/org/apache/catalina/connector/LocalStrings.properties 2010-06-24 03:15:20 UTC (rev 1492)
@@ -48,6 +48,7 @@
coyoteRequest.attributeEvent=Exception thrown by attributes event listener
coyoteRequest.parseParameters=Exception thrown whilst processing POSTed parameters
coyoteRequest.postTooLarge=Parameters were not parsed because the size of the posted data was too big. Use the maxPostSize attribute of the connector to resolve this if the application should accept large POSTs.
+coyoteRequest.chunkedPostTooLarge=Parameters were not parsed because the size of the posted data was too big. Because this request was a chunked request, it could not be processed further. Use the maxPostSize attribute of the connector to resolve this if the application should accept large POSTs.
requestFacade.nullRequest=Null request object
responseFacade.nullResponse=Null response object
Modified: branches/JBOSSWEB_2_0_0_GA_CP12_JBPAPP-4519/src/share/classes/org/apache/catalina/connector/Request.java
===================================================================
--- branches/JBOSSWEB_2_0_0_GA_CP12_JBPAPP-4519/src/share/classes/org/apache/catalina/connector/Request.java 2010-06-24 02:51:20 UTC (rev 1491)
+++ branches/JBOSSWEB_2_0_0_GA_CP12_JBPAPP-4519/src/share/classes/org/apache/catalina/connector/Request.java 2010-06-24 03:15:20 UTC (rev 1492)
@@ -46,6 +46,7 @@
import javax.servlet.http.HttpSession;
import org.apache.tomcat.util.buf.B2CConverter;
+import org.apache.tomcat.util.buf.ByteChunk;
import org.apache.tomcat.util.buf.MessageBytes;
import org.apache.tomcat.util.buf.StringCache;
import org.apache.tomcat.util.http.Cookies;
@@ -2449,7 +2450,8 @@
int maxPostSize = connector.getMaxPostSize();
if ((maxPostSize > 0) && (len > maxPostSize)) {
if (context.getLogger().isDebugEnabled()) {
- context.getLogger().debug("Post too large");
+ context.getLogger().debug(
+ sm.getString("coyoteRequest.postTooLarge"));
}
return;
}
@@ -2474,6 +2476,20 @@
return;
}
parameters.processParameters(formData, 0, len);
+ } else if ("chunked".equalsIgnoreCase(
+ coyoteRequest.getHeader("transfer-encoding"))) {
+ byte[] formData = null;
+ try {
+ formData = readChunkedPostBody();
+ } catch (IOException e) {
+ // Client disconnect
+ if (context.getLogger().isDebugEnabled()) {
+ context.getLogger().debug(
+ sm.getString("coyoteRequest.parseParameters"), e);
+ }
+ return;
+ }
+ parameters.processParameters(formData, 0, formData.length);
}
}
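Review bot: The `catch (IOException e)` around `readChunkedPostBody()` does not cover the `IllegalArgumentException` that method throws when the body exceeds `maxPostSize`, so an oversized chunked POST propagates an unchecked exception out of parameter parsing instead of being logged and skipped the way the Content-Length path above handles the same condition. Catching it separately and returning, as below, keeps the two paths consistent. The same hunk appears in r1490 below. The enclosing method starts and ends outside the hunk.
```java
} else if ("chunked".equalsIgnoreCase(
        coyoteRequest.getHeader("transfer-encoding"))) {
    byte[] formData = null;
    try {
        formData = readChunkedPostBody();
    } catch (IllegalArgumentException e) {
        // Body exceeded maxPostSize: log and skip, as the Content-Length path does
        if (context.getLogger().isDebugEnabled()) {
            context.getLogger().debug(
                sm.getString("coyoteRequest.chunkedPostTooLarge"));
        }
        return;
    } catch (IOException e) {
        // … unchanged: client disconnect handling …
    }
    parameters.processParameters(formData, 0, formData.length);
}
```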
@@ -2499,6 +2515,38 @@
/**
+ * Read chunked post body.
+ */
+ protected byte[] readChunkedPostBody() throws IOException {
+ ByteChunk body = new ByteChunk();
+
+ byte[] buffer = new byte[CACHED_POST_LEN];
+
+ int len = 0;
+ while (len > -1) {
+ len = getStream().read(buffer, 0, CACHED_POST_LEN);
+ if (connector.getMaxPostSize() > 0 &&
+ (body.getLength() + len) > connector.getMaxPostSize()) {
+ // Too much data
+ throw new IllegalArgumentException(
+ sm.getString("coyoteRequest.chunkedPostTooLarge"));
+ }
+ if (len > 0) {
+ body.append(buffer, 0, len);
+ }
+ }
+ if (body.getLength() < body.getBuffer().length) {
+ int length = body.getLength();
+ byte[] result = new byte[length];
+ System.arraycopy(body.getBuffer(), 0, result, 0, length);
+ return result;
+ } else {
+ return body.getBuffer();
+ }
+ }
+
+
+ /**
* Parse request locales.
*/
protected void parseLocales() {
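Review bot: `body.getBuffer().length` at the end assumes the `ByteChunk` has allocated its buffer, but nothing is ever appended when the chunked body is empty (`len > 0` never holds), and the BufferedInputFilter fix in r1497 on this same list guards `getBuffer() != null` for exactly that situation; an empty chunked POST would therefore throw `NullPointerException` out of parameter parsing, which the caller does not catch. Returning early with `if (body.getLength() == 0) { return new byte[0]; }` before touching the buffer avoids it. The size check `(body.getLength() + len) > connector.getMaxPostSize()` is also evaluated with `len == -1` on the final iteration; harmless, but moving it under `if (len > 0)` reads more clearly. The Javadoc should state that the method reads to end of stream and throws `IllegalArgumentException` when the body exceeds `connector.getMaxPostSize()`. The same hunk appears in r1490 below.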
JBossWeb SVN: r1491 - branches.
by jbossweb-commits@lists.jboss.org
Author: mmillson
Date: 2010-06-23 22:51:20 -0400 (Wed, 23 Jun 2010)
New Revision: 1491
Added:
branches/JBOSSWEB_2_0_0_GA_CP12_JBPAPP-4519/
Log:
Create JBPAPP-4519 patch branch from JBOSSWEB_2_0_0_GA_CP12 tag
Copied: branches/JBOSSWEB_2_0_0_GA_CP12_JBPAPP-4519 (from rev 1490, tags/JBOSSWEB_2_0_0_GA_CP12)
JBossWeb SVN: r1490 - branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/catalina/connector.
by jbossweb-commits@lists.jboss.org
Author: mmillson
Date: 2010-06-18 10:33:21 -0400 (Fri, 18 Jun 2010)
New Revision: 1490
Modified:
branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/catalina/connector/LocalStrings.properties
branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/catalina/connector/Request.java
Log:
Fix issue retrieving request parameters for POSTs with transfer-encoding: chunked for [JBPAPP-4485].
Modified: branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/catalina/connector/LocalStrings.properties
===================================================================
--- branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/catalina/connector/LocalStrings.properties 2010-06-17 18:46:19 UTC (rev 1489)
+++ branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/catalina/connector/LocalStrings.properties 2010-06-18 14:33:21 UTC (rev 1490)
@@ -48,6 +48,7 @@
coyoteRequest.attributeEvent=Exception thrown by attributes event listener
coyoteRequest.parseParameters=Exception thrown whilst processing POSTed parameters
coyoteRequest.postTooLarge=Parameters were not parsed because the size of the posted data was too big. Use the maxPostSize attribute of the connector to resolve this if the application should accept large POSTs.
+coyoteRequest.chunkedPostTooLarge=Parameters were not parsed because the size of the posted data was too big. Because this request was a chunked request, it could not be processed further. Use the maxPostSize attribute of the connector to resolve this if the application should accept large POSTs.
requestFacade.nullRequest=Null request object
responseFacade.nullResponse=Null response object
Modified: branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/catalina/connector/Request.java
===================================================================
--- branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/catalina/connector/Request.java 2010-06-17 18:46:19 UTC (rev 1489)
+++ branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/catalina/connector/Request.java 2010-06-18 14:33:21 UTC (rev 1490)
@@ -46,6 +46,7 @@
import javax.servlet.http.HttpSession;
import org.apache.tomcat.util.buf.B2CConverter;
+import org.apache.tomcat.util.buf.ByteChunk;
import org.apache.tomcat.util.buf.MessageBytes;
import org.apache.tomcat.util.buf.StringCache;
import org.apache.tomcat.util.http.Cookies;
@@ -2449,7 +2450,8 @@
int maxPostSize = connector.getMaxPostSize();
if ((maxPostSize > 0) && (len > maxPostSize)) {
if (context.getLogger().isDebugEnabled()) {
- context.getLogger().debug("Post too large");
+ context.getLogger().debug(
+ sm.getString("coyoteRequest.postTooLarge"));
}
return;
}
@@ -2474,6 +2476,20 @@
return;
}
parameters.processParameters(formData, 0, len);
+ } else if ("chunked".equalsIgnoreCase(
+ coyoteRequest.getHeader("transfer-encoding"))) {
+ byte[] formData = null;
+ try {
+ formData = readChunkedPostBody();
+ } catch (IOException e) {
+ // Client disconnect
+ if (context.getLogger().isDebugEnabled()) {
+ context.getLogger().debug(
+ sm.getString("coyoteRequest.parseParameters"), e);
+ }
+ return;
+ }
+ parameters.processParameters(formData, 0, formData.length);
}
}
@@ -2499,6 +2515,38 @@
/**
+ * Read chunked post body.
+ */
+ protected byte[] readChunkedPostBody() throws IOException {
+ ByteChunk body = new ByteChunk();
+
+ byte[] buffer = new byte[CACHED_POST_LEN];
+
+ int len = 0;
+ while (len > -1) {
+ len = getStream().read(buffer, 0, CACHED_POST_LEN);
+ if (connector.getMaxPostSize() > 0 &&
+ (body.getLength() + len) > connector.getMaxPostSize()) {
+ // Too much data
+ throw new IllegalArgumentException(
+ sm.getString("coyoteRequest.chunkedPostTooLarge"));
+ }
+ if (len > 0) {
+ body.append(buffer, 0, len);
+ }
+ }
+ if (body.getLength() < body.getBuffer().length) {
+ int length = body.getLength();
+ byte[] result = new byte[length];
+ System.arraycopy(body.getBuffer(), 0, result, 0, length);
+ return result;
+ } else {
+ return body.getBuffer();
+ }
+ }
+
+
+ /**
* Parse request locales.
*/
protected void parseLocales() {
JBossWeb SVN: r1489 - branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/tomcat/util/net/jsse.
by jbossweb-commits@lists.jboss.org
Author: mmillson
Date: 2010-06-17 14:46:19 -0400 (Thu, 17 Jun 2010)
New Revision: 1489
Modified:
branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
Log:
Add sslSessionCacheSize and sslSessionTimeout attributes to the HTTP Connector to control the ssl session maximum size and timeout for [JBPAPP-4498].
Modified: branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
===================================================================
--- branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java 2010-06-17 18:28:55 UTC (rev 1488)
+++ branches/JBOSSWEB_2_0_0_GA_CP/src/share/classes/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java 2010-06-17 18:46:19 UTC (rev 1489)
@@ -51,6 +51,7 @@
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
+import javax.net.ssl.SSLSessionContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
@@ -90,6 +91,9 @@
private static final String defaultKeystoreFile
= System.getProperty("user.home") + "/.keystore";
private static final String defaultKeyPass = "changeit";
+ private static final int defaultSessionCacheSize = 0;
+ private static final int defaultSessionTimeout = 86400;
+
static org.apache.commons.logging.Log log =
org.apache.commons.logging.LogFactory.getLog(JSSESocketFactory.class);
@@ -406,6 +410,28 @@
getTrustManagers(keystoreType, trustAlgorithm),
new SecureRandom());
+ // Configure SSL session cache
+ int sessionCacheSize;
+ if (attributes.get("sessionCacheSize") != null) {
+ sessionCacheSize = Integer.parseInt(
+ (String)attributes.get("sessionCacheSize"));
+ } else {
+ sessionCacheSize = defaultSessionCacheSize;
+ }
+ int sessionCacheTimeout;
+ if (attributes.get("sessionCacheTimeout") != null) {
+ sessionCacheTimeout = Integer.parseInt(
+ (String)attributes.get("sessionCacheTimeout"));
+ } else {
+ sessionCacheTimeout = defaultSessionTimeout;
+ }
+ SSLSessionContext sessionContext =
+ context.getServerSessionContext();
+ if (sessionContext != null) {
+ sessionContext.setSessionCacheSize(sessionCacheSize);
+ sessionContext.setSessionTimeout(sessionCacheTimeout);
+ }
+
// create proxy
sslProxy = context.getServerSocketFactory();
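Review bot: The commit log names the attributes `sslSessionCacheSize` and `sslSessionTimeout`, but the code reads `sessionCacheSize` and `sessionCacheTimeout`; unless the Connector renames them on the way in, one of the two is wrong and the settings silently fall back to the defaults. `Integer.parseInt` on a malformed value throws a bare `NumberFormatException` with no indication of which attribute failed; wrapping it in an `IllegalArgumentException` whose message names the attribute and the offending value makes misconfiguration diagnosable. The defaults also deserve a comment, since for `SSLSessionContext` a cache size of 0 means no limit, so every session is retained until the 86400-second timeout and memory grows with handshake volume: `// 0 = no cache-size limit (JSSE semantics); 86400 s matches the JSSE default timeout`. The enclosing method starts and ends outside the hunk.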