File apache-tomcat-CVE-2008-2938.patch of Package tomcat55

Overview Repositories Revisions Requests Users Attributes Meta

File apache-tomcat-CVE-2008-2938.patch of Package tomcat55

--- apache-tomcat-5.5.23-src/connectors/coyote/src/java/org/apache/coyote/tomcat4/CoyoteAdapter.java
+++ apache-tomcat-5.5.23-src/connectors/coyote/src/java/org/apache/coyote/tomcat4/CoyoteAdapter.java
@@ -260,6 +260,12 @@
             }
         }
 
+        // Check that the URI is still normalized
+        if (!checkNormalize(req.decodedURI())) {
+            res.setStatus(400);
+            res.setMessage("Invalid URI character encoding");
+            return false;
+        }
         // Parse cookies
         parseCookies(req, request);
 
@@ -664,6 +670,68 @@
 
     }
 
+    /**
+     * Check that the URI is normalized following character decoding.
+     * <p>
+     * This method checks for "\", 0, "//", "/./" and "/../". This method will
+     * return false if sequences that are supposed to be normalized are still 
+     * present in the URI.
+     * 
+     * @param uriMB URI to be checked (should be chars)
+     */
+    public static boolean checkNormalize(MessageBytes uriMB) {
+
+        CharChunk uriCC = uriMB.getCharChunk();
+        char[] c = uriCC.getChars();
+        int start = uriCC.getStart();
+        int end = uriCC.getEnd();
+
+        int pos = 0;
+
+        // Check for '\' and 0
+        for (pos = start; pos < end; pos++) {
+            if (c[pos] == '\\') {
+                return false;
+            }
+            if (c[pos] == 0) {
+                return false;
+            }
+        }
+
+        // Check for "//"
+        for (pos = start; pos < (end - 1); pos++) {
+            if (c[pos] == '/') {
+                if (c[pos + 1] == '/') {
+                    return false;
+                }
+            }
+        }
+
+        // Check for ending with "/." or "/.."
+        if (((end - start) >= 2) && (c[end - 1] == '.')) {
+            if ((c[end - 2] == '/') 
+                    || ((c[end - 2] == '.') 
+                    && (c[end - 3] == '/'))) {
+                return false;
+            }
+        }
+
+        // Check for "/./"
+        if (uriCC.indexOf("/./", 0, 3, 0) >= 0) {
+            return false;
+        }
+
+        // Check for "/../"
+        if (uriCC.indexOf("/../", 0, 4, 0) >= 0) {
+            return false;
+        }
+
+        return true;
+
+    }
+
+
+
 
     // ------------------------------------------------------ Protected Methods
 
--- apache-tomcat-5.5.23-src/container/catalina/src/share/org/apache/catalina/connector/CoyoteAdapter.java
+++ apache-tomcat-5.5.23-src/container/catalina/src/share/org/apache/catalina/connector/CoyoteAdapter.java
@@ -327,6 +327,12 @@
             return false;
         }
 
+        // Check that the URI is still normalized
+        if (!checkNormalize(req.decodedURI())) {
+            res.setStatus(400);
+            res.setMessage("Invalid URI character encoding");
+            return false;
+        }
         // Parse session Id
         parseSessionCookiesId(req, request);
 
@@ -599,6 +605,68 @@
 
     }
 
+    /**
+     * Check that the URI is normalized following character decoding.
+     * <p>
+     * This method checks for "\", 0, "//", "/./" and "/../". This method will
+     * return false if sequences that are supposed to be normalized are still 
+     * present in the URI.
+     * 
+     * @param uriMB URI to be checked (should be chars)
+     */
+    public static boolean checkNormalize(MessageBytes uriMB) {
+
+        CharChunk uriCC = uriMB.getCharChunk();
+        char[] c = uriCC.getChars();
+        int start = uriCC.getStart();
+        int end = uriCC.getEnd();
+
+        int pos = 0;
+
+        // Check for '\' and 0
+        for (pos = start; pos < end; pos++) {
+            if (c[pos] == '\\') {
+                return false;
+            }
+            if (c[pos] == 0) {
+                return false;
+            }
+        }
+
+        // Check for "//"
+        for (pos = start; pos < (end - 1); pos++) {
+            if (c[pos] == '/') {
+                if (c[pos + 1] == '/') {
+                    return false;
+                }
+            }
+        }
+
+        // Check for ending with "/." or "/.."
+        if (((end - start) >= 2) && (c[end - 1] == '.')) {
+            if ((c[end - 2] == '/') 
+                    || ((c[end - 2] == '.') 
+                    && (c[end - 3] == '/'))) {
+                return false;
+            }
+        }
+
+        // Check for "/./"
+        if (uriCC.indexOf("/./", 0, 3, 0) >= 0) {
+            return false;
+        }
+
+        // Check for "/../"
+        if (uriCC.indexOf("/../", 0, 4, 0) >= 0) {
+            return false;
+        }
+
+        return true;
+
+    }
+
+
+
 
     // ------------------------------------------------------ Protected Methods

Places

File apache-tomcat-CVE-2008-2938.patch of Package tomcat55

Places