Bug 43079 - pattern verification broken
Summary: pattern verification broken
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 5
Classification: Unclassified
Component: Catalina (show other bugs)
Version: 5.5.23
Hardware: Other other
: P2 normal (vote)
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2007-08-09 15:12 UTC by Marius Scurtescu
Modified: 2008-07-30 13:38 UTC (History)
1 user (show)



Attachments
Patch to SecurityCollection.java to fix the Suspicious warning messages (588 bytes, text/plain)
2007-08-10 14:33 UTC, John Kew
Details
Modified patch to SecurityCollection w/ better link (1.02 KB, text/plain)
2007-09-13 10:59 UTC, John Kew
Details
Patch: fixed possible indexOutOfBounds Exception for url-patterns which are just '*' (892 bytes, patch)
2007-09-13 12:53 UTC, John Kew
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Marius Scurtescu 2007-08-09 15:12:32 UTC
The addPattern method of SecurityCollection looks for suspicious URL patterns
and reports them as warnings if in debug mode.

The second if, the one checking for second to last '/' is broken. Instead of:
  if (pattern.charAt(pattern.length()-1) != '/')
it probably should be:
  if (pattern.charAt(pattern.length()-2) != '/')

The code makes reference to bug 34805, this is where this code was proposed as a
patch to RealmBase originally. This issue was reported there in comment #4 (and
approved).
Comment 1 John Kew 2007-08-10 14:33:48 UTC
Created attachment 20640 [details]
Patch to SecurityCollection.java to fix the Suspicious warning messages

I tested this on tc5.5x without and there were decent number of errant warnings
for any '/*' patterns. This patch removed them.
Comment 2 Marius Scurtescu 2007-08-10 14:43:46 UTC
Also, if possible, in the log message you may want to point to the servlet 2.4
documentation, since this is what tomcat 5.5 supports. Currently it is pointing
to a servlet 2.3 pdf document.
Comment 3 John Kew 2007-09-13 10:55:30 UTC
Comment on attachment 20640 [details]
Patch to SecurityCollection.java to fix the Suspicious warning messages

old patch
Comment 4 John Kew 2007-09-13 10:59:14 UTC
Created attachment 20820 [details]
Modified patch to SecurityCollection w/ better link

Added a slightly better link to the documentation. referenced this bug.
Comment 5 John Kew 2007-09-13 12:53:45 UTC
Created attachment 20821 [details]
Patch: fixed possible indexOutOfBounds Exception for url-patterns which are just '*'

Found a bug in the original patch. It didn't check if the length was < 2. This
is a bad url, so we also print the error under these conditions.
Comment 6 Mark Thomas 2008-05-04 03:43:20 UTC
Thanks for the patch.

This has been fixed in trunk and proposed for 6.0.x and 5.5.x
Comment 7 Mark Thomas 2008-05-15 12:57:13 UTC
This has been fixed in 6.0.x and will be included in 6.0.17 onwards.
Comment 8 Mark Thomas 2008-07-30 13:38:53 UTC
This has been fixed in 5.5.x and will be included in 5.5.27 onwards.