Author: remy.maucherat(a)jboss.com
Date: 2009-01-15 10:49:36 -0500 (Thu, 15 Jan 2009)
New Revision: 901
Modified:
trunk/java/org/apache/catalina/connector/Request.java
trunk/java/org/apache/catalina/core/ApplicationContext.java
trunk/java/org/apache/catalina/core/ApplicationHttpRequest.java
trunk/java/org/apache/catalina/servlets/WebdavServlet.java
trunk/java/org/apache/catalina/ssi/SSIServletRequestUtil.java
trunk/java/org/apache/catalina/util/RequestUtil.java
trunk/java/org/apache/naming/resources/FileDirContext.java
Log:
- Refactor all String-based normalization into one method.
Modified: trunk/java/org/apache/catalina/connector/Request.java
===================================================================
--- trunk/java/org/apache/catalina/connector/Request.java 2009-01-13 14:52:23 UTC (rev
900)
+++ trunk/java/org/apache/catalina/connector/Request.java 2009-01-15 15:49:36 UTC (rev
901)
@@ -57,7 +57,6 @@
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.util.Enumerator;
import org.apache.catalina.util.ParameterMap;
-import org.apache.catalina.util.RequestUtil;
import org.apache.catalina.util.StringManager;
import org.apache.catalina.util.StringParser;
import org.apache.coyote.ActionCode;
@@ -1299,10 +1298,9 @@
int pos = requestPath.lastIndexOf('/');
String relative = null;
if (pos >= 0) {
- relative = RequestUtil.normalize
- (requestPath.substring(0, pos + 1) + path);
+ relative = requestPath.substring(0, pos + 1) + path;
} else {
- relative = RequestUtil.normalize(requestPath + path);
+ relative = requestPath + path;
}
return (context.getServletContext().getRequestDispatcher(relative));
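Review bot: `relative` now reaches `getRequestDispatcher` un-normalized, so resolving `..` in a relative dispatcher path depends entirely on the `ServletContext` implementation behind `context.getServletContext()`. The ApplicationContext hunks in this commit do call `RequestUtil.normalize` and return null on a null result, which presumably covers the default context, but nothing at this call site records that dependency. A comment such as `// Not normalized here; the ServletContext's getRequestDispatcher() is expected to normalize the path` would make it explicit. The same change is made in ApplicationHttpRequest.java (hunk -318), and the enclosing method starts outside both hunks.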
Modified: trunk/java/org/apache/catalina/core/ApplicationContext.java
===================================================================
--- trunk/java/org/apache/catalina/core/ApplicationContext.java 2009-01-13 14:52:23 UTC
(rev 900)
+++ trunk/java/org/apache/catalina/core/ApplicationContext.java 2009-01-15 15:49:36 UTC
(rev 901)
@@ -45,6 +45,7 @@
import org.apache.catalina.Wrapper;
import org.apache.catalina.deploy.ApplicationParameter;
import org.apache.catalina.util.Enumerator;
+import org.apache.catalina.util.RequestUtil;
import org.apache.catalina.util.ResourceSet;
import org.apache.catalina.util.ServerInfo;
import org.apache.catalina.util.StringManager;
@@ -378,7 +379,7 @@
path = path.substring(0, pos);
}
- path = normalize(path);
+ path = RequestUtil.normalize(path);
if (path == null)
return (null);
@@ -461,7 +462,7 @@
throw new
MalformedURLException(sm.getString("applicationContext.requestDispatcher.iae",
path));
}
- path = normalize(path);
+ path = RequestUtil.normalize(path);
if (path == null)
return (null);
@@ -510,10 +511,13 @@
*/
public InputStream getResourceAsStream(String path) {
- path = normalize(path);
if (path == null || (Globals.STRICT_SERVLET_COMPLIANCE &&
!path.startsWith("/")))
return (null);
+ path = RequestUtil.normalize(path);
+ if (path == null)
+ return (null);
+
DirContext resources = context.getResources();
if (resources != null) {
try {
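Review bot: In `getResourceAsStream` the strict-compliance test `!path.startsWith("/")` now runs on the raw argument, whereas before it ran on the normalized path. The removed private `normalize` converted `\` to `/` first, so under `Globals.STRICT_SERVLET_COMPLIANCE` a path that begins with a backslash used to pass the test and is now rejected. If that stricter result is intended, a comment above the first `if` would say so, for example `// Leading-slash rule is applied to the path as passed in, before normalization`. The method body continues outside the hunk.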
@@ -546,7 +550,7 @@
(sm.getString("applicationContext.resourcePaths.iae", path));
}
- path = normalize(path);
+ path = RequestUtil.normalize(path);
if (path == null)
return (null);
@@ -853,45 +857,6 @@
/**
- * Return a context-relative path, beginning with a "/", that represents
- * the canonical version of the specified path after ".." and "."
elements
- * are resolved out. If the specified path attempts to go outside the
- * boundaries of the current context (i.e. too many ".." path elements
- * are present), return <code>null</code> instead.
- *
- * @param path Path to be normalized
- */
- private String normalize(String path) {
-
- if (path == null) {
- return null;
- }
-
- String normalized = path;
-
- // Normalize the slashes
- if (normalized.indexOf('\\') >= 0)
- normalized = normalized.replace('\\', '/');
-
- // Resolve occurrences of "/../" in the normalized path
- while (true) {
- int index = normalized.indexOf("/../");
- if (index < 0)
- break;
- if (index == 0)
- return (null); // Trying to go outside our context
- int index2 = normalized.lastIndexOf('/', index - 1);
- normalized = normalized.substring(0, index2) +
- normalized.substring(index + 3);
- }
-
- // Return the normalized path that we have completed
- return (normalized);
-
- }
-
-
- /**
* Merge the context initialization parameters specified in the application
* deployment descriptor with the application parameters described in the
* server configuration, respecting the <code>override</code> property
of
Modified: trunk/java/org/apache/catalina/core/ApplicationHttpRequest.java
===================================================================
--- trunk/java/org/apache/catalina/core/ApplicationHttpRequest.java 2009-01-13 14:52:23
UTC (rev 900)
+++ trunk/java/org/apache/catalina/core/ApplicationHttpRequest.java 2009-01-15 15:49:36
UTC (rev 901)
@@ -318,10 +318,9 @@
int pos = requestPath.lastIndexOf('/');
String relative = null;
if (pos >= 0) {
- relative = RequestUtil.normalize
- (requestPath.substring(0, pos + 1) + path);
+ relative = requestPath.substring(0, pos + 1) + path;
} else {
- relative = RequestUtil.normalize(requestPath + path);
+ relative = requestPath + path;
}
return (context.getServletContext().getRequestDispatcher(relative));
Modified: trunk/java/org/apache/catalina/servlets/WebdavServlet.java
===================================================================
--- trunk/java/org/apache/catalina/servlets/WebdavServlet.java 2009-01-13 14:52:23 UTC
(rev 900)
+++ trunk/java/org/apache/catalina/servlets/WebdavServlet.java 2009-01-15 15:49:36 UTC
(rev 901)
@@ -1418,71 +1418,6 @@
}
- /**
- * Return a context-relative path, beginning with a "/", that represents
- * the canonical version of the specified path after ".." and "."
elements
- * are resolved out. If the specified path attempts to go outside the
- * boundaries of the current context (i.e. too many ".." path elements
- * are present), return <code>null</code> instead.
- *
- * @param path Path to be normalized
- */
- protected String normalize(String path) {
-
- if (path == null)
- return null;
-
- // Create a place for the normalized path
- String normalized = path;
-
- if (normalized == null)
- return (null);
-
- if (normalized.equals("/."))
- return "/";
-
- // Normalize the slashes and add leading slash if necessary
- if (normalized.indexOf('\\') >= 0)
- normalized = normalized.replace('\\', '/');
- if (!normalized.startsWith("/"))
- normalized = "/" + normalized;
-
- // Resolve occurrences of "//" in the normalized path
- while (true) {
- int index = normalized.indexOf("//");
- if (index < 0)
- break;
- normalized = normalized.substring(0, index) +
- normalized.substring(index + 1);
- }
-
- // Resolve occurrences of "/./" in the normalized path
- while (true) {
- int index = normalized.indexOf("/./");
- if (index < 0)
- break;
- normalized = normalized.substring(0, index) +
- normalized.substring(index + 2);
- }
-
- // Resolve occurrences of "/../" in the normalized path
- while (true) {
- int index = normalized.indexOf("/../");
- if (index < 0)
- break;
- if (index == 0)
- return (null); // Trying to go outside our context
- int index2 = normalized.lastIndexOf('/', index - 1);
- normalized = normalized.substring(0, index2) +
- normalized.substring(index + 3);
- }
-
- // Return the normalized path that we have completed
- return (normalized);
-
- }
-
-
// -------------------------------------------------------- Private Methods
/**
@@ -1637,7 +1572,7 @@
}
// Normalise destination path (remove '.' and '..')
- destinationPath = normalize(destinationPath);
+ destinationPath = RequestUtil.normalize(destinationPath);
String contextPath = req.getContextPath();
if ((contextPath != null) &&
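Review bot: `RequestUtil.normalize` can return null, and the lines visible after the call go straight to the context-path comparison with no null test on `destinationPath`. The copy this commit removes from WebdavServlet returned null when `..` segments climb above the root. If the condition that continues outside the hunk dereferences `destinationPath`, such a destination ends in a NullPointerException rather than a clean rejection. A guard directly after the call, `if (destinationPath == null) { /* reject the request: destination leaves the context */ }`, would make the outcome explicit. The enclosing method starts and ends outside the hunk.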
@@ -2389,7 +2324,7 @@
if (!toAppend.startsWith("/"))
toAppend = "/" + toAppend;
- generatedXML.writeText(rewriteUrl(normalize(absoluteUri + toAppend)));
+ generatedXML.writeText(rewriteUrl(RequestUtil.normalize(absoluteUri +
toAppend)));
generatedXML.writeElement(null, "href", XMLWriter.CLOSING);
Modified: trunk/java/org/apache/catalina/ssi/SSIServletRequestUtil.java
===================================================================
--- trunk/java/org/apache/catalina/ssi/SSIServletRequestUtil.java 2009-01-13 14:52:23 UTC
(rev 900)
+++ trunk/java/org/apache/catalina/ssi/SSIServletRequestUtil.java 2009-01-15 15:49:36 UTC
(rev 901)
@@ -65,13 +65,6 @@
* Path to be normalized
*/
public static String normalize(String path) {
- if (path == null) return null;
- String normalized = path;
- //Why doesn't RequestUtil do this??
- // Normalize the slashes and add leading slash if necessary
- if (normalized.indexOf('\\') >= 0)
- normalized = normalized.replace('\\', '/');
- normalized = RequestUtil.normalize(path);
- return normalized;
+ return RequestUtil.normalize(path);
}
}
\ No newline at end of file
Modified: trunk/java/org/apache/catalina/util/RequestUtil.java
===================================================================
--- trunk/java/org/apache/catalina/util/RequestUtil.java 2009-01-13 14:52:23 UTC (rev
900)
+++ trunk/java/org/apache/catalina/util/RequestUtil.java 2009-01-15 15:49:36 UTC (rev
901)
@@ -93,13 +93,29 @@
* @param path Relative path to be normalized
*/
public static String normalize(String path) {
+ return normalize(path, true);
+ }
+ /**
+ * Normalize a relative URI path that may have relative values ("/./",
+ * "/../", and so on ) it it. <strong>WARNING</strong> - This
method is
+ * useful only for normalizing application-generated paths. It does not
+ * try to perform security checks for malicious input.
+ *
+ * @param path Relative path to be normalized
+ * @param replaceBackSlash Should '\\' be replaced with '/'
+ */
+ public static String normalize(String path, boolean replaceBackSlash) {
+
if (path == null)
return null;
// Create a place for the normalized path
String normalized = path;
+ if (replaceBackSlash && normalized.indexOf('\\') >= 0)
+ normalized = normalized.replace('\\', '/');
+
if (normalized.equals("/."))
return "/";
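Review bot: The Javadoc on the new `normalize(String, boolean)` overload still warns that the method is only for application-generated paths and does no security checks. This commit nevertheless makes it the single normalization step for ApplicationContext, WebdavServlet and FileDirContext, whose removed copies were documented as returning null for paths that leave the context. Either the warning is stale or those callers need their own containment check, and the comment should state which. It should also gain an `@return` line saying when null comes back; only the null-input case is visible here, as the body continues outside the hunk. The added text has a typo too, `it it` for `in it`.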
Modified: trunk/java/org/apache/naming/resources/FileDirContext.java
===================================================================
--- trunk/java/org/apache/naming/resources/FileDirContext.java 2009-01-13 14:52:23 UTC
(rev 900)
+++ trunk/java/org/apache/naming/resources/FileDirContext.java 2009-01-15 15:49:36 UTC
(rev 901)
@@ -29,14 +29,21 @@
import java.util.Hashtable;
import javax.naming.NameAlreadyBoundException;
+import javax.naming.NameNotFoundException;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
+import javax.naming.NotContextException;
import javax.naming.OperationNotSupportedException;
+import javax.naming.directory.AttributeModificationException;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
+import javax.naming.directory.InvalidAttributesException;
+import javax.naming.directory.InvalidSearchControlsException;
+import javax.naming.directory.InvalidSearchFilterException;
import javax.naming.directory.ModificationItem;
import javax.naming.directory.SearchControls;
+import org.apache.catalina.util.RequestUtil;
import org.apache.naming.NamingContextBindingsEnumeration;
import org.apache.naming.NamingContextEnumeration;
import org.apache.naming.NamingEntry;
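Review bot: Of the seven imports added here, only `org.apache.catalina.util.RequestUtil` is used by the other FileDirContext hunk in this commit. `NameNotFoundException`, `NotContextException`, `AttributeModificationException`, `InvalidAttributesException`, `InvalidSearchControlsException` and `InvalidSearchFilterException` have no visible use. Unless code outside the hunks references them, they should be dropped so the import list reflects what the class depends on.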
@@ -754,61 +761,11 @@
// ------------------------------------------------------ Protected Methods
- /**
- * Return a context-relative path, beginning with a "/", that represents
- * the canonical version of the specified path after ".." and "."
elements
- * are resolved out. If the specified path attempts to go outside the
- * boundaries of the current context (i.e. too many ".." path elements
- * are present), return <code>null</code> instead.
- *
- * @param path Path to be normalized
- */
- protected String normalize(String path) {
-
- String normalized = path;
-
- // Normalize the slashes and add leading slash if necessary
- if (File.separatorChar == '\\' && normalized.indexOf('\\')
>= 0)
- normalized = normalized.replace('\\', '/');
- if (!normalized.startsWith("/"))
- normalized = "/" + normalized;
-
- // Resolve occurrences of "//" in the normalized path
- while (true) {
- int index = normalized.indexOf("//");
- if (index < 0)
- break;
- normalized = normalized.substring(0, index) +
- normalized.substring(index + 1);
+ protected static String normalize(String path) {
+ return RequestUtil.normalize(path, File.separatorChar == '\\');
}
- // Resolve occurrences of "/./" in the normalized path
- while (true) {
- int index = normalized.indexOf("/./");
- if (index < 0)
- break;
- normalized = normalized.substring(0, index) +
- normalized.substring(index + 2);
- }
- // Resolve occurrences of "/../" in the normalized path
- while (true) {
- int index = normalized.indexOf("/../");
- if (index < 0)
- break;
- if (index == 0)
- return (null); // Trying to go outside our context
- int index2 = normalized.lastIndexOf('/', index - 1);
- normalized = normalized.substring(0, index2) +
- normalized.substring(index + 3);
- }
-
- // Return the normalized path that we have completed
- return (normalized);
-
- }
-
-
/**
* Return a File object representing the specified normalized
* context-relative path if it exists and is readable. Otherwise,