Attachment #251387 for bug #272566




import javax.naming.directory.ModificationItem;
import javax.naming.directory.SearchControls;

import org.apache.catalina.util.RequestUtil;
import org.apache.naming.NamingContextBindingsEnumeration;
import org.apache.naming.NamingContextEnumeration;
import org.apache.naming.NamingEntry;

     */
    protected String normalize(String path) {

        return RequestUtil.normalize(path, File.separatorChar == '\\');

    // Normalize the slashes and add leading slash if necessary
    if (File.separatorChar == '\\' && normalized.indexOf('\\') >= 0)
        normalized = normalized.replace('\\', '/');
    if (!normalized.startsWith("/"))
        normalized = "/" + normalized;

    // Resolve occurrences of "//" in the normalized path
    while (true) {
        int index = normalized.indexOf("//");
        if (index < 0)
        break;
        normalized = normalized.substring(0, index) +
        normalized.substring(index + 1);
    }

    // Resolve occurrences of "/./" in the normalized path
    while (true) {
        int index = normalized.indexOf("/./");
        if (index < 0)
        break;
        normalized = normalized.substring(0, index) +
        normalized.substring(index + 2);
    }

    // Resolve occurrences of "/../" in the normalized path
    while (true) {
        int index = normalized.indexOf("/../");
        if (index < 0)
        break;
        if (index == 0)
        return (null);  // Trying to go outside our context
        int index2 = normalized.lastIndexOf('/', index - 1);
        normalized = normalized.substring(0, index2) +
        normalized.substring(index + 3);
    }

    // Return the normalized path that we have completed
    return (normalized);

    }


    /**
     * Return a File object representing the specified normalized
     * context-relative path if it exists and is readable.  Otherwise,

Lines 318-327 Link Here

(-)container/catalina/src/share/org/apache/catalina/core/ApplicationHttpRequest.java (-3 / +2 lines)
318	int pos = requestPath.lastIndexOf('/');	318	int pos = requestPath.lastIndexOf('/');
319	String relative = null;	319	String relative = null;
320	if (pos >= 0) {	320	if (pos >= 0) {
321	relative = RequestUtil.normalize	321	relative = requestPath.substring(0, pos + 1) + path;
322	(requestPath.substring(0, pos + 1) + path);
323	} else {	322	} else {
324	relative = RequestUtil.normalize(requestPath + path);	323	relative = requestPath + path;
325	}	324	}
326		325
327	return (context.getServletContext().getRequestDispatcher(relative));	326	return (context.getServletContext().getRequestDispatcher(relative));




import org.apache.catalina.Wrapper;
import org.apache.catalina.deploy.ApplicationParameter;
import org.apache.catalina.util.Enumerator;
import org.apache.catalina.util.RequestUtil;
import org.apache.catalina.util.ResourceSet;
import org.apache.catalina.util.ServerInfo;
import org.apache.catalina.util.StringManager;

            path = path.substring(0, pos); 
        }
 
        path = RequestUtil.normalize(path);
        if (path == null)
            return (null);


            throw new MalformedURLException(sm.getString("applicationContext.requestDispatcher.iae", path));
        }
        
        path = RequestUtil.normalize(path);
        if (path == null)
            return (null);


     */
    public InputStream getResourceAsStream(String path) {

        path = normalize(path);
        if (path == null || !path.startsWith("/"))
            return (null);

        path = RequestUtil.normalize(path);
        if (path == null)
            return null;

        DirContext resources = context.getResources();
        if (resources != null) {
            try {

                (sm.getString("applicationContext.resourcePaths.iae", path));
        }

        path = RequestUtil.normalize(path);
        if (path == null)
            return (null);




    /**
     * Return a context-relative path, beginning with a "/", that represents
     * the canonical version of the specified path after ".." and "." elements
     * are resolved out.  If the specified path attempts to go outside the
     * boundaries of the current context (i.e. too many ".." path elements
     * are present), return <code>null</code> instead.
     *
     * @param path Path to be normalized
     */
    private String normalize(String path) {

        if (path == null) {
            return null;
        }

        String normalized = path;

        // Normalize the slashes
        if (normalized.indexOf('\\') >= 0)
            normalized = normalized.replace('\\', '/');

        // Resolve occurrences of "/../" in the normalized path
        while (true) {
            int index = normalized.indexOf("/../");
            if (index < 0)
                break;
            if (index == 0)
                return (null);  // Trying to go outside our context
            int index2 = normalized.lastIndexOf('/', index - 1);
            normalized = normalized.substring(0, index2) +
                normalized.substring(index + 3);
        }

        // Return the normalized path that we have completed
        return (normalized);

    }


    /**
     * Merge the context initialization parameters specified in the application
     * deployment descriptor with the application parameters described in the
     * server configuration, respecting the <code>override</code> property of




        resp.setStatus(WebdavStatus.SC_NO_CONTENT);
    }

    /**
     * Return a context-relative path, beginning with a "/", that represents
     * the canonical version of the specified path after ".." and "." elements
     * are resolved out.  If the specified path attempts to go outside the
     * boundaries of the current context (i.e. too many ".." path elements
     * are present), return <code>null</code> instead.
     *
     * @param path Path to be normalized
     */
    protected String normalize(String path) {
        if (path == null) {
            return null;
        }

        // Create a place for the normalized path
        String normalized = path;

        if (normalized.equals("/.")) {
            return "/";
        }

        // Normalize the slashes and add leading slash if necessary
        if (normalized.indexOf('\\') >= 0) {
            normalized = normalized.replace('\\', '/');
        }

        if (!normalized.startsWith("/")) {
            normalized = "/" + normalized;
        }

        // Resolve occurrences of "//" in the normalized path
        while (true) {
            int index = normalized.indexOf("//");
            if (index < 0) {
                break;
            }
            normalized = normalized.substring(0, index) +
                normalized.substring(index + 1);
        }

        // Resolve occurrences of "/./" in the normalized path
        while (true) {
            int index = normalized.indexOf("/./");
            if (index < 0) {
                break;
            }
            normalized = normalized.substring(0, index) +
                normalized.substring(index + 2);
        }

        // Resolve occurrences of "/../" in the normalized path
        while (true) {
            int index = normalized.indexOf("/../");
            if (index < 0) {
                break;
            }
            if (index == 0) {
                return (null);  // Trying to go outside our context
            }

            int index2 = normalized.lastIndexOf('/', index - 1);
            normalized = normalized.substring(0, index2) +
                normalized.substring(index + 3);
        }

        // Return the normalized path that we have completed
        return (normalized);
    }


    // -------------------------------------------------------- Private Methods

    /**

        }

        // Normalise destination path (remove '.' and '..')
        destinationPath = RequestUtil.normalize(destinationPath);

        String contextPath = req.getContextPath();
        if ((contextPath != null) &&

        if (!toAppend.startsWith("/"))
            toAppend = "/" + toAppend;

        generatedXML.writeText(rewriteUrl(RequestUtil.normalize(
                absoluteUri + toAppend)));

        generatedXML.writeElement(null, "href", XMLWriter.CLOSING);


Lines 1243-1252 Link Here

(-)container/catalina/src/share/org/apache/catalina/connector/Request.java (-3 / +2 lines)
1243	int pos = requestPath.lastIndexOf('/');	1243	int pos = requestPath.lastIndexOf('/');
1244	String relative = null;	1244	String relative = null;
1245	if (pos >= 0) {	1245	if (pos >= 0) {
1246	relative = RequestUtil.normalize	1246	relative = requestPath.substring(0, pos + 1) + path;
1247	(requestPath.substring(0, pos + 1) + path);
1248	} else {	1247	} else {
1249	relative = RequestUtil.normalize(requestPath + path);	1248	relative = requestPath + path;
1250	}	1249	}
1251		1250
1252	return (context.getServletContext().getRequestDispatcher(relative));	1251	return (context.getServletContext().getRequestDispatcher(relative));




        if ((result == null) || (result.equals(""))) {
            result = "/";
        }
        return RequestUtil.normalize(result);
    }



     * 
     * @param path
     *            Path to be normalized
     * @deprecated
     */
    public static String normalize(String path) {
        return RequestUtil.normalize(path);
        String normalized = path;
        //Why doesn't RequestUtil do this??
        // Normalize the slashes and add leading slash if necessary
        if (normalized.indexOf('\\') >= 0)
            normalized = normalized.replace('\\', '/');
        normalized = RequestUtil.normalize(path);
        return normalized;
    }
}




import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.connector.Request;
import org.apache.catalina.util.RequestUtil;
import org.apache.coyote.Constants;

/**

                    + pathWithoutContext);
        }
        String fullPath = prefix + path;
        String retVal = RequestUtil.normalize(fullPath);
        if (retVal == null) {
            throw new IOException("Normalization yielded null on path: "
                    + fullPath);

            return new ServletContextAndPath(context,
                    getAbsolutePath(virtualPath));
        } else {
            String normalized = RequestUtil.normalize(virtualPath);
            if (isVirtualWebappRelative) {
                return new ServletContextAndPath(context, normalized);
            } else {

Lines 147-159 Link Here

(-)container/catalina/src/share/org/apache/catalina/util/RequestUtil.java (+16 lines)
147	* @param path Relative path to be normalized	147	* @param path Relative path to be normalized
148	*/	148	*/
149	public static String normalize(String path) {	149	public static String normalize(String path) {
		150	return normalize(path, true);
		151	}
150		152
		153	/**
		154	* Normalize a relative URI path that may have relative values ("/./",
		155	* "/../", and so on ) it it. <strong>WARNING</strong> - This method is
		156	* useful only for normalizing application-generated paths. It does not
		157	* try to perform security checks for malicious input.
		158	*
		159	* @param path Relative path to be normalized
		160	* @param replaceBackSlash Should '\\' be replaced with '/'
		161	*/
		162	public static String normalize(String path, boolean replaceBackSlash) {
		163
151	if (path == null)	164	if (path == null)
152	return null;	165	return null;
153		166
154	// Create a place for the normalized path	167	// Create a place for the normalized path
155	String normalized = path;	168	String normalized = path;
156		169
		170	if (replaceBackSlash && normalized.indexOf('\\') >= 0)
		171	normalized = normalized.replace('\\', '/');
		172
157	if (normalized.equals("/."))	173	if (normalized.equals("/."))
158	return "/";	174	return "/";
159		175

Return to bug 272566

Lines 37-42 Link Here

(-)container/catalina/src/share/org/apache/naming/resources/FileDirContext.java (-41 / +2 lines)
37	import javax.naming.directory.ModificationItem;	37	import javax.naming.directory.ModificationItem;
38	import javax.naming.directory.SearchControls;	38	import javax.naming.directory.SearchControls;
39		39
		40	import org.apache.catalina.util.RequestUtil;
40	import org.apache.naming.NamingContextBindingsEnumeration;	41	import org.apache.naming.NamingContextBindingsEnumeration;
41	import org.apache.naming.NamingContextEnumeration;	42	import org.apache.naming.NamingContextEnumeration;
42	import org.apache.naming.NamingEntry;	43	import org.apache.naming.NamingEntry;
Lines 773-822 Link Here
773	*/	774	*/
774	protected String normalize(String path) {	775	protected String normalize(String path) {
775		776
776	String normalized = path;	777	return RequestUtil.normalize(path, File.separatorChar == '\\');
777		778
778	// Normalize the slashes and add leading slash if necessary
779	if (File.separatorChar == '\\' && normalized.indexOf('\\') >= 0)
780	normalized = normalized.replace('\\', '/');
781	if (!normalized.startsWith("/"))
782	normalized = "/" + normalized;
783
784	// Resolve occurrences of "//" in the normalized path
785	while (true) {
786	int index = normalized.indexOf("//");
787	if (index < 0)
788	break;
789	normalized = normalized.substring(0, index) +
790	normalized.substring(index + 1);
791	}	779	}
792		780
793	// Resolve occurrences of "/./" in the normalized path
794	while (true) {
795	int index = normalized.indexOf("/./");
796	if (index < 0)
797	break;
798	normalized = normalized.substring(0, index) +
799	normalized.substring(index + 2);
800	}
801
802	// Resolve occurrences of "/../" in the normalized path
803	while (true) {
804	int index = normalized.indexOf("/../");
805	if (index < 0)
806	break;
807	if (index == 0)
808	return (null); // Trying to go outside our context
809	int index2 = normalized.lastIndexOf('/', index - 1);
810	normalized = normalized.substring(0, index2) +
811	normalized.substring(index + 3);
812	}
813
814	// Return the normalized path that we have completed
815	return (normalized);
816
817	}
818
819
820	/**	781	/**
821	* Return a File object representing the specified normalized	782	* Return a File object representing the specified normalized
822	* context-relative path if it exists and is readable. Otherwise,	783	* context-relative path if it exists and is readable. Otherwise,

Lines 43-48 Link Here

(-)container/catalina/src/share/org/apache/catalina/core/ApplicationContext.java (-43 / +8 lines)
43	import org.apache.catalina.Wrapper;	43	import org.apache.catalina.Wrapper;
44	import org.apache.catalina.deploy.ApplicationParameter;	44	import org.apache.catalina.deploy.ApplicationParameter;
45	import org.apache.catalina.util.Enumerator;	45	import org.apache.catalina.util.Enumerator;
		46	import org.apache.catalina.util.RequestUtil;
46	import org.apache.catalina.util.ResourceSet;	47	import org.apache.catalina.util.ResourceSet;
47	import org.apache.catalina.util.ServerInfo;	48	import org.apache.catalina.util.ServerInfo;
48	import org.apache.catalina.util.StringManager;	49	import org.apache.catalina.util.StringManager;
Lines 388-394 Link Here
388	path = path.substring(0, pos);	389	path = path.substring(0, pos);
389	}	390	}
390		391
391	path = normalize(path);	392	path = RequestUtil.normalize(path);
392	if (path == null)	393	if (path == null)
393	return (null);	394	return (null);
394		395
Lines 475-481 Link Here
475	throw new MalformedURLException(sm.getString("applicationContext.requestDispatcher.iae", path));	476	throw new MalformedURLException(sm.getString("applicationContext.requestDispatcher.iae", path));
476	}	477	}
477		478
478	path = normalize(path);	479	path = RequestUtil.normalize(path);
479	if (path == null)	480	if (path == null)
480	return (null);	481	return (null);
481		482
Lines 524-533 Link Here
524	*/	525	*/
525	public InputStream getResourceAsStream(String path) {	526	public InputStream getResourceAsStream(String path) {
526		527
527	path = normalize(path);
528	if (path == null \|\| !path.startsWith("/"))	528	if (path == null \|\| !path.startsWith("/"))
529	return (null);	529	return (null);
530		530
		531	path = RequestUtil.normalize(path);
		532	if (path == null)
		533	return null;
		534
531	DirContext resources = context.getResources();	535	DirContext resources = context.getResources();
532	if (resources != null) {	536	if (resources != null) {
533	try {	537	try {
Lines 560-566 Link Here
560	(sm.getString("applicationContext.resourcePaths.iae", path));	564	(sm.getString("applicationContext.resourcePaths.iae", path));
561	}	565	}
562		566
563	path = normalize(path);	567	path = RequestUtil.normalize(path);
564	if (path == null)	568	if (path == null)
565	return (null);	569	return (null);
566		570
Lines 870-914 Link Here
870		874
871		875
872	/**	876	/**
873	* Return a context-relative path, beginning with a "/", that represents
874	* the canonical version of the specified path after ".." and "." elements
875	* are resolved out. If the specified path attempts to go outside the
876	* boundaries of the current context (i.e. too many ".." path elements
877	* are present), return <code>null</code> instead.
878	*
879	* @param path Path to be normalized
880	*/
881	private String normalize(String path) {
882
883	if (path == null) {
884	return null;
885	}
886
887	String normalized = path;
888
889	// Normalize the slashes
890	if (normalized.indexOf('\\') >= 0)
891	normalized = normalized.replace('\\', '/');
892
893	// Resolve occurrences of "/../" in the normalized path
894	while (true) {
895	int index = normalized.indexOf("/../");
896	if (index < 0)
897	break;
898	if (index == 0)
899	return (null); // Trying to go outside our context
900	int index2 = normalized.lastIndexOf('/', index - 1);
901	normalized = normalized.substring(0, index2) +
902	normalized.substring(index + 3);
903	}
904
905	// Return the normalized path that we have completed
906	return (normalized);
907
908	}
909
910
911	/**
912	* Merge the context initialization parameters specified in the application	877	* Merge the context initialization parameters specified in the application
913	* deployment descriptor with the application parameters described in the	878	* deployment descriptor with the application parameters described in the
914	* server configuration, respecting the <code>override</code> property of	879	* server configuration, respecting the <code>override</code> property of

Lines 1369-1444 Link Here

(-)container/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java (-72 / +3 lines)
1369	resp.setStatus(WebdavStatus.SC_NO_CONTENT);	1369	resp.setStatus(WebdavStatus.SC_NO_CONTENT);
1370	}	1370	}
1371		1371
1372	/**
1373	* Return a context-relative path, beginning with a "/", that represents
1374	* the canonical version of the specified path after ".." and "." elements
1375	* are resolved out. If the specified path attempts to go outside the
1376	* boundaries of the current context (i.e. too many ".." path elements
1377	* are present), return <code>null</code> instead.
1378	*
1379	* @param path Path to be normalized
1380	*/
1381	protected String normalize(String path) {
1382	if (path == null) {
1383	return null;
1384	}
1385
1386	// Create a place for the normalized path
1387	String normalized = path;
1388
1389	if (normalized.equals("/.")) {
1390	return "/";
1391	}
1392
1393	// Normalize the slashes and add leading slash if necessary
1394	if (normalized.indexOf('\\') >= 0) {
1395	normalized = normalized.replace('\\', '/');
1396	}
1397
1398	if (!normalized.startsWith("/")) {
1399	normalized = "/" + normalized;
1400	}
1401
1402	// Resolve occurrences of "//" in the normalized path
1403	while (true) {
1404	int index = normalized.indexOf("//");
1405	if (index < 0) {
1406	break;
1407	}
1408	normalized = normalized.substring(0, index) +
1409	normalized.substring(index + 1);
1410	}
1411
1412	// Resolve occurrences of "/./" in the normalized path
1413	while (true) {
1414	int index = normalized.indexOf("/./");
1415	if (index < 0) {
1416	break;
1417	}
1418	normalized = normalized.substring(0, index) +
1419	normalized.substring(index + 2);
1420	}
1421
1422	// Resolve occurrences of "/../" in the normalized path
1423	while (true) {
1424	int index = normalized.indexOf("/../");
1425	if (index < 0) {
1426	break;
1427	}
1428	if (index == 0) {
1429	return (null); // Trying to go outside our context
1430	}
1431
1432	int index2 = normalized.lastIndexOf('/', index - 1);
1433	normalized = normalized.substring(0, index2) +
1434	normalized.substring(index + 3);
1435	}
1436
1437	// Return the normalized path that we have completed
1438	return (normalized);
1439	}
1440
1441
1442	// -------------------------------------------------------- Private Methods	1372	// -------------------------------------------------------- Private Methods
1443		1373
1444	/**	1374	/**
Lines 1589-1595 Link Here
1589	}	1519	}
1590		1520
1591	// Normalise destination path (remove '.' and '..')	1521	// Normalise destination path (remove '.' and '..')
1592	destinationPath = normalize(destinationPath);	1522	destinationPath = RequestUtil.normalize(destinationPath);
1593		1523
1594	String contextPath = req.getContextPath();	1524	String contextPath = req.getContextPath();
1595	if ((contextPath != null) &&	1525	if ((contextPath != null) &&
Lines 2347-2353 Link Here
2347	if (!toAppend.startsWith("/"))	2277	if (!toAppend.startsWith("/"))
2348	toAppend = "/" + toAppend;	2278	toAppend = "/" + toAppend;
2349		2279
2350	generatedXML.writeText(rewriteUrl(normalize(absoluteUri + toAppend)));	2280	generatedXML.writeText(rewriteUrl(RequestUtil.normalize(
		2281	absoluteUri + toAppend)));
2351		2282
2352	generatedXML.writeElement(null, "href", XMLWriter.CLOSING);	2283	generatedXML.writeElement(null, "href", XMLWriter.CLOSING);
2353		2284

Lines 32-37 Link Here

(-)container/catalina/src/share/org/apache/catalina/ssi/SSIServletExternalResolver.java (-2 / +3 lines)
32	import javax.servlet.http.HttpServletRequest;	32	import javax.servlet.http.HttpServletRequest;
33	import javax.servlet.http.HttpServletResponse;	33	import javax.servlet.http.HttpServletResponse;
34	import org.apache.catalina.connector.Request;	34	import org.apache.catalina.connector.Request;
		35	import org.apache.catalina.util.RequestUtil;
35	import org.apache.coyote.Constants;	36	import org.apache.coyote.Constants;
36		37
37	/**	38	/**
Lines 373-379 Link Here
373	+ pathWithoutContext);	374	+ pathWithoutContext);
374	}	375	}
375	String fullPath = prefix + path;	376	String fullPath = prefix + path;
376	String retVal = SSIServletRequestUtil.normalize(fullPath);	377	String retVal = RequestUtil.normalize(fullPath);
377	if (retVal == null) {	378	if (retVal == null) {
378	throw new IOException("Normalization yielded null on path: "	379	throw new IOException("Normalization yielded null on path: "
379	+ fullPath);	380	+ fullPath);
Lines 406-412 Link Here
406	return new ServletContextAndPath(context,	407	return new ServletContextAndPath(context,
407	getAbsolutePath(virtualPath));	408	getAbsolutePath(virtualPath));
408	} else {	409	} else {
409	String normalized = SSIServletRequestUtil.normalize(virtualPath);	410	String normalized = RequestUtil.normalize(virtualPath);
410	if (isVirtualWebappRelative) {	411	if (isVirtualWebappRelative) {
411	return new ServletContextAndPath(context, normalized);	412	return new ServletContextAndPath(context, normalized);
412	} else {	413	} else {

Lines 48-54 Link Here

(-)container/catalina/src/share/org/apache/catalina/ssi/SSIServletRequestUtil.java (-9 / +3 lines)
48	if ((result == null) \|\| (result.equals(""))) {	48	if ((result == null) \|\| (result.equals(""))) {
49	result = "/";	49	result = "/";
50	}	50	}
51	return normalize(result);	51	return RequestUtil.normalize(result);
52	}	52	}
53		53
54		54
Lines 64-78 Link Here
64	*	64	*
65	* @param path	65	* @param path
66	* Path to be normalized	66	* Path to be normalized
		67	* @deprecated
67	*/	68	*/
68	public static String normalize(String path) {	69	public static String normalize(String path) {
69	if (path == null) return null;	70	return RequestUtil.normalize(path);
70	String normalized = path;
71	//Why doesn't RequestUtil do this??
72	// Normalize the slashes and add leading slash if necessary
73	if (normalized.indexOf('\\') >= 0)
74	normalized = normalized.replace('\\', '/');
75	normalized = RequestUtil.normalize(path);
76	return normalized;
77	}	71	}
78	}	72	}