Blame SOURCES/tomcat-7.0.76-rhbz-1455483.patch

6f268b
diff -up java/org/apache/coyote/http11/AbstractHttp11Processor.java.orig java/org/apache/coyote/http11/AbstractHttp11Processor.java
6f268b
--- java/org/apache/coyote/http11/AbstractHttp11Processor.java.orig	2017-03-09 08:51:40.000000000 -0500
6f268b
+++ java/org/apache/coyote/http11/AbstractHttp11Processor.java	2019-03-05 14:58:20.285295932 -0500
6f268b
@@ -48,6 +48,7 @@ import org.apache.tomcat.util.buf.HexUti
6f268b
 import org.apache.tomcat.util.buf.MessageBytes;
6f268b
 import org.apache.tomcat.util.http.FastHttpDateFormat;
6f268b
 import org.apache.tomcat.util.http.MimeHeaders;
6f268b
+import org.apache.tomcat.util.http.parser.HttpParser;
6f268b
 import org.apache.tomcat.util.log.UserDataHelper;
6f268b
 import org.apache.tomcat.util.net.AbstractEndpoint;
6f268b
 import org.apache.tomcat.util.net.AbstractEndpoint.Handler.SocketState;
6f268b
@@ -262,6 +263,9 @@ public abstract class AbstractHttp11Proc
6f268b
     protected org.apache.coyote.http11.upgrade.UpgradeInbound upgradeInbound = null;
6f268b
 
6f268b
 
6f268b
+    protected HttpParser httpParser;
6f268b
+
6f268b
+
6f268b
     /**
6f268b
      * Instance of the new protocol to use after the HTTP connection has been
6f268b
      * upgraded using the Servlet 3.1 based upgrade process.
6f268b
@@ -1301,33 +1305,62 @@ public abstract class AbstractHttp11Proc
6f268b
             }
6f268b
         }
6f268b
 
6f268b
-        // Check for a full URI (including protocol://host:port/)
6f268b
+        // Check for an absolute-URI less the query string which has already
6f268b
+        // been removed during the parsing of the request line
6f268b
         ByteChunk uriBC = request.requestURI().getByteChunk();
6f268b
+        byte[] uriB = uriBC.getBytes();
6f268b
         if (uriBC.startsWithIgnoreCase("http", 0)) {
6f268b
 
6f268b
-            int pos = uriBC.indexOf("://", 0, 3, 4);
6f268b
-            int uriBCStart = uriBC.getStart();
6f268b
-            int slashPos = -1;
6f268b
-            if (pos != -1) {
6f268b
-                byte[] uriB = uriBC.getBytes();
6f268b
-                slashPos = uriBC.indexOf('/', pos + 3);
6f268b
+            int pos = 4;
6f268b
+            // Check for https
6f268b
+            if (uriBC.startsWithIgnoreCase("s", pos)) {
6f268b
+                pos++;
6f268b
+            }
6f268b
+            // Next 3 characters must be "://"
6f268b
+            if (uriBC.startsWith("://", pos)) {
6f268b
+                int uriBCStart = uriBC.getStart();
6f268b
+
6f268b
+                // '/' does not appear in the authority so use the first
6f268b
+                // instance to split the authority and the path segments
6f268b
+                int slashPos = uriBC.indexOf('/', pos);
6f268b
+                // '@' in the authority delimits the userinfo
6f268b
+
6f268b
                 if (slashPos == -1) {
6f268b
                     slashPos = uriBC.getLength();
6f268b
-                    // Set URI as "/"
6f268b
-                    request.requestURI().setBytes
6f268b
-                        (uriB, uriBCStart + pos + 1, 1);
6f268b
+                    // Set URI as "/". Use 6 as it will always be a '/'.
6f268b
+                    // 01234567
6f268b
+                    // http://
6f268b
+                    // https://
6f268b
+                    request.requestURI().setBytes(uriB, uriBCStart + 6, 1);
6f268b
                 } else {
6f268b
-                    request.requestURI().setBytes
6f268b
-                        (uriB, uriBCStart + slashPos,
6f268b
-                         uriBC.getLength() - slashPos);
6f268b
+                    request.requestURI().setBytes(uriB, uriBCStart + slashPos, uriBC.getLength() - slashPos);
6f268b
                 }
6f268b
                 MessageBytes hostMB = headers.setValue("host");
6f268b
                 hostMB.setBytes(uriB, uriBCStart + pos + 3,
6f268b
                                 slashPos - pos - 3);
6f268b
+            } else {
6f268b
+                response.setStatus(400);
6f268b
+                setErrorState(ErrorState.CLOSE_CLEAN, null);
6f268b
+                if (getLog().isDebugEnabled()) {
6f268b
+                    getLog().debug(sm.getString("http11processor.request.invalidScheme"));
6f268b
+                }
6f268b
             }
6f268b
 
6f268b
         }
6f268b
 
6f268b
+        // Validate the characters in the URI. %nn decoding will be checked at
6f268b
+        // the point of decoding.
6f268b
+        for (int i = uriBC.getStart(); i < uriBC.getEnd(); i++) {
6f268b
+            if (!httpParser.isAbsolutePathRelaxed(uriB[i])) {
6f268b
+                response.setStatus(400);
6f268b
+                setErrorState(ErrorState.CLOSE_CLEAN, null);
6f268b
+                if (getLog().isDebugEnabled()) {
6f268b
+                    getLog().debug(sm.getString("http11processor.request.invalidUri"));
6f268b
+                }
6f268b
+                break;
6f268b
+            }
6f268b
+        }
6f268b
+
6f268b
         // Input filter setup
6f268b
         InputFilter[] inputFilters = getInputBuffer().getFilters();
6f268b
 
6f268b
@@ -1364,8 +1397,7 @@ public abstract class AbstractHttp11Proc
6f268b
                 headers.removeHeader("content-length");
6f268b
                 request.setContentLength(-1);
6f268b
             } else {
6f268b
-                getInputBuffer().addActiveFilter
6f268b
-                        (inputFilters[Constants.IDENTITY_FILTER]);
6f268b
+                getInputBuffer().addActiveFilter(inputFilters[Constants.IDENTITY_FILTER]);
6f268b
                 contentDelimitation = true;
6f268b
             }
6f268b
         }
6f268b
@@ -1383,14 +1415,14 @@ public abstract class AbstractHttp11Proc
6f268b
             }
6f268b
         }
6f268b
 
6f268b
+        // Validate host name and extract port if present
6f268b
         parseHost(valueMB);
6f268b
 
6f268b
         if (!contentDelimitation) {
6f268b
             // If there's no content length
6f268b
             // (broken HTTP/1.0 or HTTP/1.1), assume
6f268b
             // the client is not broken and didn't send a body
6f268b
-            getInputBuffer().addActiveFilter
6f268b
-                    (inputFilters[Constants.VOID_FILTER]);
6f268b
+            getInputBuffer().addActiveFilter(inputFilters[Constants.VOID_FILTER]);
6f268b
             contentDelimitation = true;
6f268b
         }
6f268b
 
6f268b
diff -up java/org/apache/coyote/http11/AbstractHttp11Protocol.java.orig java/org/apache/coyote/http11/AbstractHttp11Protocol.java
6f268b
--- java/org/apache/coyote/http11/AbstractHttp11Protocol.java.orig	2019-03-05 12:14:08.096279991 -0500
6f268b
+++ java/org/apache/coyote/http11/AbstractHttp11Protocol.java	2019-03-05 14:03:32.186921274 -0500
6f268b
@@ -45,6 +45,23 @@ public abstract class AbstractHttp11Prot
6f268b
     // ------------------------------------------------ HTTP specific properties
6f268b
     // ------------------------------------------ managed in the ProtocolHandler
6f268b
 
6f268b
+    private String relaxedPathChars = null;
6f268b
+    public String getRelaxedPathChars() {
6f268b
+        return relaxedPathChars;
6f268b
+    }
6f268b
+    public void setRelaxedPathChars(String relaxedPathChars) {
6f268b
+        this.relaxedPathChars = relaxedPathChars;
6f268b
+    }
6f268b
+
6f268b
+
6f268b
+    private String relaxedQueryChars = null;
6f268b
+    public String getRelaxedQueryChars() {
6f268b
+        return relaxedQueryChars;
6f268b
+    }
6f268b
+    public void setRelaxedQueryChars(String relaxedQueryChars) {
6f268b
+        this.relaxedQueryChars = relaxedQueryChars;
6f268b
+    }
6f268b
+
6f268b
     private int socketBuffer = 9000;
6f268b
     public int getSocketBuffer() { return socketBuffer; }
6f268b
     public void setSocketBuffer(int socketBuffer) {
6f268b
diff -up java/org/apache/coyote/http11/AbstractInputBuffer.java.orig java/org/apache/coyote/http11/AbstractInputBuffer.java
6f268b
--- java/org/apache/coyote/http11/AbstractInputBuffer.java.orig	2017-03-09 08:51:40.000000000 -0500
6f268b
+++ java/org/apache/coyote/http11/AbstractInputBuffer.java	2019-03-05 12:14:08.096279991 -0500
6f268b
@@ -22,6 +22,7 @@ import org.apache.coyote.InputBuffer;
6f268b
 import org.apache.coyote.Request;
6f268b
 import org.apache.tomcat.util.buf.ByteChunk;
6f268b
 import org.apache.tomcat.util.http.MimeHeaders;
6f268b
+import org.apache.tomcat.util.http.parser.HttpParser;
6f268b
 import org.apache.tomcat.util.net.AbstractEndpoint;
6f268b
 import org.apache.tomcat.util.net.SocketWrapper;
6f268b
 import org.apache.tomcat.util.res.StringManager;
6f268b
@@ -108,6 +109,9 @@ public abstract class AbstractInputBuffe
6f268b
     protected int lastActiveFilter;
6f268b
 
6f268b
 
6f268b
+    protected HttpParser httpParser;
6f268b
+
6f268b
+
6f268b
     // ------------------------------------------------------------- Properties
6f268b
 
6f268b
 
6f268b
diff -up java/org/apache/coyote/http11/Http11AprProcessor.java.orig java/org/apache/coyote/http11/Http11AprProcessor.java
6f268b
--- java/org/apache/coyote/http11/Http11AprProcessor.java.orig	2019-03-05 12:13:47.032344988 -0500
6f268b
+++ java/org/apache/coyote/http11/Http11AprProcessor.java	2019-03-05 14:58:20.298295897 -0500
6f268b
@@ -35,6 +35,7 @@ import org.apache.tomcat.jni.SSLSocket;
6f268b
 import org.apache.tomcat.jni.Sockaddr;
6f268b
 import org.apache.tomcat.jni.Socket;
6f268b
 import org.apache.tomcat.util.ExceptionUtils;
6f268b
+import org.apache.tomcat.util.http.parser.HttpParser;
6f268b
 import org.apache.tomcat.util.net.AbstractEndpoint.Handler.SocketState;
6f268b
 import org.apache.tomcat.util.net.AprEndpoint;
6f268b
 import org.apache.tomcat.util.net.SSLSupport;
6f268b
@@ -61,11 +62,15 @@ public class Http11AprProcessor extends
6f268b
 
6f268b
 
6f268b
     public Http11AprProcessor(int headerBufferSize, AprEndpoint endpoint, int maxTrailerSize,
6f268b
-            Set<String> allowedTrailerHeaders, int maxExtensionSize, int maxSwallowSize) {
6f268b
+            Set<String> allowedTrailerHeaders,
6f268b
+            int maxExtensionSize, int maxSwallowSize, String relaxedPathChars,
6f268b
+            String relaxedQueryChars) {
6f268b
 
6f268b
         super(endpoint);
6f268b
 
6f268b
-        inputBuffer = new InternalAprInputBuffer(request, headerBufferSize);
6f268b
+        httpParser = new HttpParser(relaxedPathChars, relaxedQueryChars);
6f268b
+
6f268b
+        inputBuffer = new InternalAprInputBuffer(request, headerBufferSize, httpParser);
6f268b
         request.setInputBuffer(inputBuffer);
6f268b
 
6f268b
         outputBuffer = new InternalAprOutputBuffer(response, headerBufferSize);
6f268b
diff -up java/org/apache/coyote/http11/Http11AprProtocol.java.orig java/org/apache/coyote/http11/Http11AprProtocol.java
6f268b
--- java/org/apache/coyote/http11/Http11AprProtocol.java.orig	2019-03-05 12:14:08.097279988 -0500
6f268b
+++ java/org/apache/coyote/http11/Http11AprProtocol.java	2019-03-05 13:59:45.131631454 -0500
6f268b
@@ -301,7 +301,9 @@ public class Http11AprProtocol extends A
6f268b
             Http11AprProcessor processor = new Http11AprProcessor(
6f268b
                     proto.getMaxHttpHeaderSize(), (AprEndpoint)proto.endpoint,
6f268b
                     proto.getMaxTrailerSize(), proto.getAllowedTrailerHeadersAsSet(),
6f268b
-                    proto.getMaxExtensionSize(), proto.getMaxSwallowSize());
6f268b
+                    proto.getMaxExtensionSize(),
6f268b
+                    proto.getMaxSwallowSize(), proto.getRelaxedPathChars(),
6f268b
+                    proto.getRelaxedQueryChars());
6f268b
             processor.setAdapter(proto.adapter);
6f268b
             processor.setMaxKeepAliveRequests(proto.getMaxKeepAliveRequests());
6f268b
             processor.setKeepAliveTimeout(proto.getKeepAliveTimeout());
6f268b
diff -up java/org/apache/coyote/http11/Http11NioProcessor.java.orig java/org/apache/coyote/http11/Http11NioProcessor.java
6f268b
--- java/org/apache/coyote/http11/Http11NioProcessor.java.orig	2019-03-05 12:13:47.033344985 -0500
6f268b
+++ java/org/apache/coyote/http11/Http11NioProcessor.java	2019-03-05 13:04:00.335042387 -0500
6f268b
@@ -31,6 +31,7 @@ import org.apache.coyote.http11.filters.
6f268b
 import org.apache.juli.logging.Log;
6f268b
 import org.apache.juli.logging.LogFactory;
6f268b
 import org.apache.tomcat.util.ExceptionUtils;
6f268b
+import org.apache.tomcat.util.http.parser.HttpParser;
6f268b
 import org.apache.tomcat.util.net.AbstractEndpoint.Handler.SocketState;
6f268b
 import org.apache.tomcat.util.net.NioChannel;
6f268b
 import org.apache.tomcat.util.net.NioEndpoint;
6f268b
@@ -66,11 +67,15 @@ public class Http11NioProcessor extends
6f268b
 
6f268b
 
6f268b
     public Http11NioProcessor(int maxHttpHeaderSize, NioEndpoint endpoint, int maxTrailerSize,
6f268b
-            Set<String> allowedTrailerHeaders, int maxExtensionSize, int maxSwallowSize) {
6f268b
+            Set<String> allowedTrailerHeaders,
6f268b
+            int maxExtensionSize, int maxSwallowSize, String relaxedPathChars,
6f268b
+            String relaxedQueryChars) {
6f268b
 
6f268b
         super(endpoint);
6f268b
 
6f268b
-        inputBuffer = new InternalNioInputBuffer(request, maxHttpHeaderSize);
6f268b
+        httpParser = new HttpParser(relaxedPathChars, relaxedQueryChars);
6f268b
+
6f268b
+        inputBuffer = new InternalNioInputBuffer(request, maxHttpHeaderSize, httpParser);
6f268b
         request.setInputBuffer(inputBuffer);
6f268b
 
6f268b
         outputBuffer = new InternalNioOutputBuffer(response, maxHttpHeaderSize);
6f268b
diff -up java/org/apache/coyote/http11/Http11NioProtocol.java.orig java/org/apache/coyote/http11/Http11NioProtocol.java
6f268b
--- java/org/apache/coyote/http11/Http11NioProtocol.java.orig	2019-03-05 12:14:08.098279985 -0500
6f268b
+++ java/org/apache/coyote/http11/Http11NioProtocol.java	2019-03-05 14:00:15.034537932 -0500
6f268b
@@ -266,7 +266,9 @@ public class Http11NioProtocol extends A
6f268b
             Http11NioProcessor processor = new Http11NioProcessor(
6f268b
                     proto.getMaxHttpHeaderSize(), (NioEndpoint)proto.endpoint,
6f268b
                     proto.getMaxTrailerSize(), proto.getAllowedTrailerHeadersAsSet(),
6f268b
-                    proto.getMaxExtensionSize(), proto.getMaxSwallowSize());
6f268b
+                    proto.getMaxExtensionSize(),
6f268b
+                    proto.getMaxSwallowSize(), proto.getRelaxedPathChars(),
6f268b
+                    proto.getRelaxedQueryChars());
6f268b
             processor.setAdapter(proto.adapter);
6f268b
             processor.setMaxKeepAliveRequests(proto.getMaxKeepAliveRequests());
6f268b
             processor.setKeepAliveTimeout(proto.getKeepAliveTimeout());
6f268b
diff -up java/org/apache/coyote/http11/Http11Processor.java.orig java/org/apache/coyote/http11/Http11Processor.java
6f268b
--- java/org/apache/coyote/http11/Http11Processor.java.orig	2017-03-09 08:51:40.000000000 -0500
6f268b
+++ java/org/apache/coyote/http11/Http11Processor.java	2019-03-05 14:58:20.306295875 -0500
6f268b
@@ -26,6 +26,7 @@ import org.apache.coyote.ActionCode;
6f268b
 import org.apache.coyote.http11.filters.BufferedInputFilter;
6f268b
 import org.apache.juli.logging.Log;
6f268b
 import org.apache.juli.logging.LogFactory;
6f268b
+import org.apache.tomcat.util.http.parser.HttpParser;
6f268b
 import org.apache.tomcat.util.net.AbstractEndpoint.Handler.SocketState;
6f268b
 import org.apache.tomcat.util.net.JIoEndpoint;
6f268b
 import org.apache.tomcat.util.net.SSLSupport;
6f268b
@@ -51,11 +52,16 @@ public class Http11Processor extends Abs
6f268b
 
6f268b
 
6f268b
     public Http11Processor(int headerBufferSize, JIoEndpoint endpoint, int maxTrailerSize,
6f268b
-            Set<String> allowedTrailerHeaders, int maxExtensionSize, int maxSwallowSize) {
6f268b
+            Set<String> allowedTrailerHeaders,
6f268b
+            int maxExtensionSize, int maxSwallowSize, String relaxedPathChars,
6f268b
+            String relaxedQueryChars) {
6f268b
 
6f268b
         super(endpoint);
6f268b
+
6f268b
+        httpParser = new HttpParser(relaxedPathChars, relaxedQueryChars);
6f268b
+
6f268b
+        inputBuffer = new InternalInputBuffer(request, headerBufferSize, httpParser);
6f268b
         
6f268b
-        inputBuffer = new InternalInputBuffer(request, headerBufferSize);
6f268b
         request.setInputBuffer(inputBuffer);
6f268b
 
6f268b
         outputBuffer = new InternalOutputBuffer(response, headerBufferSize);
6f268b
diff -up java/org/apache/coyote/http11/Http11Protocol.java.orig java/org/apache/coyote/http11/Http11Protocol.java
6f268b
--- java/org/apache/coyote/http11/Http11Protocol.java.orig	2019-03-05 12:14:08.099279982 -0500
6f268b
+++ java/org/apache/coyote/http11/Http11Protocol.java	2019-03-05 13:02:36.769301263 -0500
6f268b
@@ -165,7 +165,9 @@ public class Http11Protocol extends Abst
6f268b
             Http11Processor processor = new Http11Processor(
6f268b
                     proto.getMaxHttpHeaderSize(), (JIoEndpoint)proto.endpoint,
6f268b
                     proto.getMaxTrailerSize(), proto.getAllowedTrailerHeadersAsSet(),
6f268b
-                    proto.getMaxExtensionSize(), proto.getMaxSwallowSize());
6f268b
+                    proto.getMaxExtensionSize(),
6f268b
+                    proto.getMaxSwallowSize(), proto.getRelaxedPathChars(),
6f268b
+                    proto.getRelaxedQueryChars());
6f268b
             processor.setAdapter(proto.adapter);
6f268b
             processor.setMaxKeepAliveRequests(proto.getMaxKeepAliveRequests());
6f268b
             processor.setKeepAliveTimeout(proto.getKeepAliveTimeout());
6f268b
diff -up java/org/apache/coyote/http11/InternalAprInputBuffer.java.orig java/org/apache/coyote/http11/InternalAprInputBuffer.java
6f268b
--- java/org/apache/coyote/http11/InternalAprInputBuffer.java.orig	2017-03-09 08:51:40.000000000 -0500
6f268b
+++ java/org/apache/coyote/http11/InternalAprInputBuffer.java	2019-03-05 14:58:20.312295859 -0500
6f268b
@@ -51,7 +51,8 @@ public class InternalAprInputBuffer exte
6f268b
     /**
6f268b
      * Alternate constructor.
6f268b
      */
6f268b
-    public InternalAprInputBuffer(Request request, int headerBufferSize) {
6f268b
+    public InternalAprInputBuffer(Request request, int headerBufferSize,
6f268b
+            HttpParser httpParser) {
6f268b
 
6f268b
         this.request = request;
6f268b
         headers = request.getMimeHeaders();
6f268b
@@ -63,6 +64,8 @@ public class InternalAprInputBuffer exte
6f268b
             bbuf = ByteBuffer.allocateDirect((headerBufferSize / 1500 + 1) * 1500);
6f268b
         }
6f268b
 
6f268b
+        this.httpParser = httpParser;
6f268b
+
6f268b
         inputStreamInputBuffer = new SocketInputBuffer();
6f268b
 
6f268b
         filterLibrary = new InputFilter[0];
6f268b
@@ -231,7 +234,13 @@ public class InternalAprInputBuffer exte
6f268b
                 end = pos;
6f268b
             } else if ((buf[pos] == Constants.QUESTION) && (questionPos == -1)) {
6f268b
                 questionPos = pos;
6f268b
-            } else if (HttpParser.isNotRequestTarget(buf[pos])) {
6f268b
+            } else if (questionPos != -1 && !httpParser.isQueryRelaxed(buf[pos])) {
6f268b
+                // %nn decoding will be checked at the point of decoding
6f268b
+                throw new IllegalArgumentException(sm.getString("iib.invalidRequestTarget"));
6f268b
+            } else if (httpParser.isNotRequestTargetRelaxed(buf[pos])) {
6f268b
+                // This is a general check that aims to catch problems early
6f268b
+                // Detailed checking of each part of the request target will
6f268b
+                // happen in AbstractHttp11Processor#prepareRequest()
6f268b
                 throw new IllegalArgumentException(sm.getString("iib.invalidRequestTarget"));
6f268b
             }
6f268b
 
6f268b
diff -up java/org/apache/coyote/http11/InternalInputBuffer.java.orig java/org/apache/coyote/http11/InternalInputBuffer.java
6f268b
--- java/org/apache/coyote/http11/InternalInputBuffer.java.orig	2017-03-09 08:51:40.000000000 -0500
6f268b
+++ java/org/apache/coyote/http11/InternalInputBuffer.java	2019-03-05 14:58:21.215293426 -0500
6f268b
@@ -52,13 +52,16 @@ public class InternalInputBuffer extends
6f268b
     /**
6f268b
      * Default constructor.
6f268b
      */
6f268b
-    public InternalInputBuffer(Request request, int headerBufferSize) {
6f268b
+    public InternalInputBuffer(Request request, int headerBufferSize,
6f268b
+            HttpParser httpParser) {
6f268b
 
6f268b
         this.request = request;
6f268b
         headers = request.getMimeHeaders();
6f268b
 
6f268b
         buf = new byte[headerBufferSize];
6f268b
 
6f268b
+        this.httpParser = httpParser;
6f268b
+
6f268b
         inputStreamInputBuffer = new InputStreamInputBuffer();
6f268b
 
6f268b
         filterLibrary = new InputFilter[0];
6f268b
@@ -185,7 +188,13 @@ public class InternalInputBuffer extends
6f268b
                 end = pos;
6f268b
             } else if ((buf[pos] == Constants.QUESTION) && (questionPos == -1)) {
6f268b
                 questionPos = pos;
6f268b
-            } else if (HttpParser.isNotRequestTarget(buf[pos])) {
6f268b
+            } else if (questionPos != -1 && !httpParser.isQueryRelaxed(buf[pos])) {
6f268b
+                // %nn decoding will be checked at the point of decoding
6f268b
+                throw new IllegalArgumentException(sm.getString("iib.invalidRequestTarget"));
6f268b
+            } else if (httpParser.isNotRequestTargetRelaxed(buf[pos])) {
6f268b
+                // This is a general check that aims to catch problems early
6f268b
+                // Detailed checking of each part of the request target will
6f268b
+                // happen in AbstractHttp11Processor#prepareRequest()
6f268b
                 throw new IllegalArgumentException(sm.getString("iib.invalidRequestTarget"));
6f268b
             }
6f268b
 
6f268b
diff -up java/org/apache/coyote/http11/InternalNioInputBuffer.java.orig java/org/apache/coyote/http11/InternalNioInputBuffer.java
6f268b
--- java/org/apache/coyote/http11/InternalNioInputBuffer.java.orig	2017-03-09 08:51:40.000000000 -0500
6f268b
+++ java/org/apache/coyote/http11/InternalNioInputBuffer.java	2019-03-05 14:58:20.272295967 -0500
6f268b
@@ -98,12 +98,14 @@ public class InternalNioInputBuffer exte
6f268b
     /**
6f268b
      * Alternate constructor.
6f268b
      */
6f268b
-    public InternalNioInputBuffer(Request request, int headerBufferSize) {
6f268b
+    public InternalNioInputBuffer(Request request, int headerBufferSize,
6f268b
+            HttpParser httpParser) {
6f268b
 
6f268b
         this.request = request;
6f268b
         headers = request.getMimeHeaders();
6f268b
 
6f268b
         this.headerBufferSize = headerBufferSize;
6f268b
+        this.httpParser = httpParser;
6f268b
 
6f268b
         inputStreamInputBuffer = new SocketInputBuffer();
6f268b
 
6f268b
@@ -313,7 +315,13 @@ public class InternalNioInputBuffer exte
6f268b
                     end = pos;
6f268b
                 } else if ((buf[pos] == Constants.QUESTION) && (parsingRequestLineQPos == -1)) {
6f268b
                     parsingRequestLineQPos = pos;
6f268b
-                } else if (HttpParser.isNotRequestTarget(buf[pos])) {
6f268b
+                } else if (parsingRequestLineQPos != -1 && !httpParser.isQueryRelaxed(buf[pos])) {
6f268b
+                    // %nn decoding will be checked at the point of decoding
6f268b
+                    throw new IllegalArgumentException(sm.getString("iib.invalidRequestTarget"));
6f268b
+                } else if (httpParser.isNotRequestTargetRelaxed(buf[pos])) {
6f268b
+                    // This is a general check that aims to catch problems early
6f268b
+                    // Detailed checking of each part of the request target will
6f268b
+                    // happen in AbstractHttp11Processor#prepareRequest()
6f268b
                     throw new IllegalArgumentException(sm.getString("iib.invalidRequestTarget"));
6f268b
                 }
6f268b
                 pos++;
6f268b
diff -up java/org/apache/coyote/http11/LocalStrings.properties.orig java/org/apache/coyote/http11/LocalStrings.properties
6f268b
--- java/org/apache/coyote/http11/LocalStrings.properties.orig	2019-03-05 12:14:08.092280004 -0500
6f268b
+++ java/org/apache/coyote/http11/LocalStrings.properties	2019-03-05 12:23:45.474498387 -0500
6f268b
@@ -27,6 +27,9 @@ http11processor.filter.unknown=Unknown f
6f268b
 http11processor.filter.error=Error intializing filter {0}
6f268b
 http11processor.header.parse=Error parsing HTTP request header
6f268b
 http11processor.neverused=This method should never be used
6f268b
+http11processor.request.invalidScheme=The HTTP request contained an absolute URI with an invalid scheme
6f268b
+http11processor.request.invalidUri==The HTTP request contained an invalid URI
6f268b
+http11processor.request.invalidUserInfo=The HTTP request contained an absolute URI with an invalid userinfo
6f268b
 http11processor.request.prepare=Error preparing request
6f268b
 http11processor.request.process=Error processing request
6f268b
 http11processor.request.finish=Error finishing request
6f268b
diff -up java/org/apache/tomcat/util/buf/ByteChunk.java.orig java/org/apache/tomcat/util/buf/ByteChunk.java
6f268b
--- java/org/apache/tomcat/util/buf/ByteChunk.java.orig	2017-03-09 08:51:41.000000000 -0500
6f268b
+++ java/org/apache/tomcat/util/buf/ByteChunk.java	2019-03-05 12:16:53.404769901 -0500
6f268b
@@ -668,7 +668,8 @@ public final class ByteChunk implements
6f268b
     }
6f268b
 
6f268b
     /**
6f268b
-     * Returns true if the message bytes starts with the specified string.
6f268b
+     * Returns true if the buffer starts with the specified string when tested
6f268b
+     * in a case sensitive manner.
6f268b
      * @param s the string
6f268b
      * @deprecated Unused. Will be removed in Tomcat 8.0.x onwards.
6f268b
      */
6f268b
@@ -717,6 +718,31 @@ public final class ByteChunk implements
6f268b
      * @param s the string
6f268b
      * @param pos The position
6f268b
      */
6f268b
+    public boolean startsWith(String s, int pos) {
6f268b
+        byte[] b = buff;
6f268b
+        int len = s.length();
6f268b
+        if (b == null || len + pos > end - start) {
6f268b
+            return false;
6f268b
+        }
6f268b
+        int off = start + pos;
6f268b
+        for (int i = 0; i < len; i++) {
6f268b
+            if (b[off++] != s.charAt(i)) {
6f268b
+                return false;
6f268b
+            }
6f268b
+        }
6f268b
+        return true;
6f268b
+    }
6f268b
+
6f268b
+
6f268b
+    /**
6f268b
+     * Returns true if the buffer starts with the specified string when tested
6f268b
+     * in a case insensitive manner.
6f268b
+     *
6f268b
+     * @param s the string
6f268b
+     * @param pos The position
6f268b
+     *
6f268b
+     * @return true if the start matches
6f268b
+     */
6f268b
     public boolean startsWithIgnoreCase(String s, int pos) {
6f268b
         byte[] b = buff;
6f268b
         int len = s.length();
6f268b
diff -up java/org/apache/tomcat/util/http/parser/HttpParser.java.orig java/org/apache/tomcat/util/http/parser/HttpParser.java
6f268b
--- java/org/apache/tomcat/util/http/parser/HttpParser.java.orig	2017-03-09 08:51:41.000000000 -0500
6f268b
+++ java/org/apache/tomcat/util/http/parser/HttpParser.java	2019-03-05 14:58:20.291295916 -0500
6f268b
@@ -67,9 +67,17 @@ public class HttpParser {
6f268b
     private static final boolean[] IS_SEPARATOR = new boolean[ARRAY_SIZE];
6f268b
     private static final boolean[] IS_TOKEN = new boolean[ARRAY_SIZE];
6f268b
     private static final boolean[] IS_HEX = new boolean[ARRAY_SIZE];
6f268b
-    private static final boolean[] IS_NOT_REQUEST_TARGET = new boolean[ARRAY_SIZE];
6f268b
     private static final boolean[] IS_HTTP_PROTOCOL = new boolean[ARRAY_SIZE];
6f268b
+    private static final boolean[] IS_ALPHA = new boolean[ARRAY_SIZE];
6f268b
+    private static final boolean[] IS_NUMERIC = new boolean[ARRAY_SIZE];
6f268b
     private static final boolean[] REQUEST_TARGET_ALLOW = new boolean[ARRAY_SIZE];
6f268b
+    private static final boolean[] IS_UNRESERVED = new boolean[ARRAY_SIZE];
6f268b
+    private static final boolean[] IS_SUBDELIM = new boolean[ARRAY_SIZE];
6f268b
+    private static final boolean[] IS_USERINFO = new boolean[ARRAY_SIZE];
6f268b
+    private static final boolean[] IS_RELAXABLE = new boolean[ARRAY_SIZE];
6f268b
+
6f268b
+    private static final HttpParser DEFAULT;
6f268b
+
6f268b
 
6f268b
     static {
6f268b
         // Digest field types.
6f268b
@@ -91,19 +99,6 @@ public class HttpParser {
6f268b
         // RFC2617 says nc is 8LHEX. <">8LHEX<"> will also be accepted
6f268b
         fieldTypes.put("nc", FIELD_TYPE_LHEX);
6f268b
 
6f268b
-        String prop = System.getProperty("tomcat.util.http.parser.HttpParser.requestTargetAllow");
6f268b
-        if (prop != null) {
6f268b
-            for (int i = 0; i < prop.length(); i++) {
6f268b
-                char c = prop.charAt(i);
6f268b
-                if (c == '{' || c == '}' || c == '|') {
6f268b
-                    REQUEST_TARGET_ALLOW[c] = true;
6f268b
-                } else {
6f268b
-                    log.warn(sm.getString("httpparser.invalidRequestTargetCharacter",
6f268b
-                            Character.valueOf(c)));
6f268b
-                }
6f268b
-            }
6f268b
-        }
6f268b
-
6f268b
         for (int i = 0; i < ARRAY_SIZE; i++) {
6f268b
             // Control> 0-31, 127
6f268b
             if (i < 32 || i == 127) {
6f268b
@@ -128,6 +123,67 @@ public class HttpParser {
6f268b
                 IS_HEX[i] = true;
6f268b
             }
6f268b
 
6f268b
+            // Not valid for HTTP protocol
6f268b
+            // "HTTP/" DIGIT "." DIGIT
6f268b
+            if (i == 'H' || i == 'T' || i == 'P' || i == '/' || i == '.' || (i >= '0' && i <= '9')) {
6f268b
+                IS_HTTP_PROTOCOL[i] = true;
6f268b
+            }
6f268b
+
6f268b
+            if (i >= '0' && i <= '9') {
6f268b
+                IS_NUMERIC[i] = true;
6f268b
+            }
6f268b
+
6f268b
+            if (i >= 'a' && i <= 'z' || i >= 'A' && i <= 'Z') {
6f268b
+                IS_ALPHA[i] = true;
6f268b
+            }
6f268b
+
6f268b
+            if (IS_ALPHA[i] || IS_NUMERIC[i] || i == '-' || i == '.' || i == '_' || i == '~') {
6f268b
+                IS_UNRESERVED[i] = true;
6f268b
+            }
6f268b
+
6f268b
+            if (i == '!' || i == '$' || i == '&' || i == '\'' || i == '(' || i == ')' || i == '*' ||
6f268b
+                    i == '+' || i == ',' || i == ';' || i == '=') {
6f268b
+                IS_SUBDELIM[i] = true;
6f268b
+            }
6f268b
+
6f268b
+            // userinfo    = *( unreserved / pct-encoded / sub-delims / ":" )
6f268b
+            if (IS_UNRESERVED[i] || i == '%' || IS_SUBDELIM[i] || i == ':') {
6f268b
+                IS_USERINFO[i] = true;
6f268b
+            }
6f268b
+
6f268b
+            // The characters that are normally not permitted for which the
6f268b
+            // restrictions may be relaxed when used in the path and/or query
6f268b
+            // string
6f268b
+            if (i == '\"' || i == '<' || i == '>' || i == '[' || i == '\\' || i == ']' ||
6f268b
+                    i == '^' || i == '`'  || i == '{' || i == '|' || i == '}') {
6f268b
+                IS_RELAXABLE[i] = true;
6f268b
+            }
6f268b
+        }
6f268b
+
6f268b
+        String prop = System.getProperty("tomcat.util.http.parser.HttpParser.requestTargetAllow");
6f268b
+        if (prop != null) {
6f268b
+            for (int i = 0; i < prop.length(); i++) {
6f268b
+                char c = prop.charAt(i);
6f268b
+                if (c == '{' || c == '}' || c == '|') {
6f268b
+                    REQUEST_TARGET_ALLOW[c] = true;
6f268b
+                } else {
6f268b
+                    log.warn(sm.getString("http.invalidRequestTargetCharacter",
6f268b
+                            Character.valueOf(c)));
6f268b
+                }
6f268b
+            }
6f268b
+        }
6f268b
+
6f268b
+        DEFAULT = new HttpParser(null, null);
6f268b
+    }
6f268b
+
6f268b
+
6f268b
+    private final boolean[] IS_NOT_REQUEST_TARGET = new boolean[ARRAY_SIZE];
6f268b
+    private final boolean[] IS_ABSOLUTEPATH_RELAXED = new boolean[ARRAY_SIZE];
6f268b
+    private final boolean[] IS_QUERY_RELAXED = new boolean[ARRAY_SIZE];
6f268b
+
6f268b
+
6f268b
+    public HttpParser(String relaxedPathChars, String relaxedQueryChars) {
6f268b
+        for (int i = 0; i < ARRAY_SIZE; i++) {
6f268b
             // Not valid for request target.
6f268b
             // Combination of multiple rules from RFC7230 and RFC 3986. Must be
6f268b
             // ASCII, no controls plus a few additional characters excluded
6f268b
@@ -139,12 +195,29 @@ public class HttpParser {
6f268b
                 }
6f268b
             }
6f268b
 
6f268b
-            // Not valid for HTTP protocol
6f268b
-            // "HTTP/" DIGIT "." DIGIT
6f268b
-            if (i == 'H' || i == 'T' || i == 'P' || i == '/' || i == '.' || (i >= '0' && i <= '9')) {
6f268b
-                IS_HTTP_PROTOCOL[i] = true;
6f268b
+            /*
6f268b
+             * absolute-path  = 1*( "/" segment )
6f268b
+             * segment        = *pchar
6f268b
+             * pchar          = unreserved / pct-encoded / sub-delims / ":" / "@"
6f268b
+             *
6f268b
+             * Note pchar allows everything userinfo allows plus "@"
6f268b
+             */
6f268b
+            if (IS_USERINFO[i] || i == '@' || i == '/' || REQUEST_TARGET_ALLOW[i]) {
6f268b
+                IS_ABSOLUTEPATH_RELAXED[i] = true;
6f268b
+            }
6f268b
+
6f268b
+            /*
6f268b
+             * query          = *( pchar / "/" / "?" )
6f268b
+             *
6f268b
+             * Note query allows everything absolute-path allows plus "?"
6f268b
+             */
6f268b
+            if (IS_ABSOLUTEPATH_RELAXED[i] || i == '?' || REQUEST_TARGET_ALLOW[i]) {
6f268b
+                IS_QUERY_RELAXED[i] = true;
6f268b
             }
6f268b
         }
6f268b
+
6f268b
+        relax(IS_ABSOLUTEPATH_RELAXED, relaxedPathChars);
6f268b
+        relax(IS_QUERY_RELAXED, relaxedQueryChars);
6f268b
     }
6f268b
 
6f268b
     /**
6f268b
@@ -277,6 +350,39 @@ public class HttpParser {
6f268b
     }
6f268b
 
6f268b
 
6f268b
+    public boolean isNotRequestTargetRelaxed(int c) {
6f268b
+        // Fast for valid request target characters, slower for some incorrect
6f268b
+        // ones
6f268b
+        try {
6f268b
+            return IS_NOT_REQUEST_TARGET[c];
6f268b
+        } catch (ArrayIndexOutOfBoundsException ex) {
6f268b
+            return true;
6f268b
+        }
6f268b
+    }
6f268b
+
6f268b
+
6f268b
+    public boolean isAbsolutePathRelaxed(int c) {
6f268b
+        // Fast for valid user info characters, slower for some incorrect
6f268b
+        // ones
6f268b
+        try {
6f268b
+            return IS_ABSOLUTEPATH_RELAXED[c];
6f268b
+        } catch (ArrayIndexOutOfBoundsException ex) {
6f268b
+            return false;
6f268b
+        }
6f268b
+    }
6f268b
+
6f268b
+
6f268b
+    public boolean isQueryRelaxed(int c) {
6f268b
+        // Fast for valid user info characters, slower for some incorrect
6f268b
+        // ones
6f268b
+        try {
6f268b
+            return IS_QUERY_RELAXED[c];
6f268b
+        } catch (ArrayIndexOutOfBoundsException ex) {
6f268b
+            return false;
6f268b
+        }
6f268b
+    }
6f268b
+
6f268b
+
6f268b
     public static String unquote(String input) {
6f268b
         if (input == null || input.length() < 2) {
6f268b
             return input;
6f268b
@@ -329,27 +435,53 @@ public class HttpParser {
6f268b
 
6f268b
 
6f268b
     public static boolean isNotRequestTarget(int c) {
6f268b
-        // Fast for valid request target characters, slower for some incorrect
6f268b
+        return DEFAULT.isNotRequestTargetRelaxed(c);
6f268b
+    }
6f268b
+
6f268b
+
6f268b
+    public static boolean isHttpProtocol(int c) {
6f268b
+        // Fast for valid HTTP protocol characters, slower for some incorrect
6f268b
         // ones
6f268b
         try {
6f268b
-            return IS_NOT_REQUEST_TARGET[c];
6f268b
+            return IS_HTTP_PROTOCOL[c];
6f268b
         } catch (ArrayIndexOutOfBoundsException ex) {
6f268b
-            return true;
6f268b
+            return false;
6f268b
         }
6f268b
     }
6f268b
 
6f268b
 
6f268b
-    public static boolean isHttpProtocol(int c) {
6f268b
-        // Fast for valid HTTP protocol characters, slower for some incorrect
6f268b
+    public static boolean isUserInfo(int c) {
6f268b
+        // Fast for valid user info characters, slower for some incorrect
6f268b
         // ones
6f268b
         try {
6f268b
-            return IS_HTTP_PROTOCOL[c];
6f268b
+            return IS_USERINFO[c];
6f268b
+        } catch (ArrayIndexOutOfBoundsException ex) {
6f268b
+            return false;
6f268b
+        }
6f268b
+    }
6f268b
+
6f268b
+
6f268b
+    private static boolean isRelaxable(int c) {
6f268b
+        // Fast for valid user info characters, slower for some incorrect
6f268b
+        // ones
6f268b
+        try {
6f268b
+            return IS_RELAXABLE[c];
6f268b
         } catch (ArrayIndexOutOfBoundsException ex) {
6f268b
             return false;
6f268b
         }
6f268b
     }
6f268b
 
6f268b
 
6f268b
+    public static boolean isAbsolutePath(int c) {
6f268b
+        return DEFAULT.isAbsolutePathRelaxed(c);
6f268b
+    }
6f268b
+
6f268b
+
6f268b
+    public static boolean isQuery(int c) {
6f268b
+        return DEFAULT.isQueryRelaxed(c);
6f268b
+    }
6f268b
+
6f268b
+
6f268b
     // Skip any LWS and return the next char
6f268b
     private static int skipLws(StringReader input, boolean withReset)
6f268b
             throws IOException {
6f268b
@@ -579,6 +711,18 @@ public class HttpParser {
6f268b
         }
6f268b
     }
6f268b
 
6f268b
+    private void relax(boolean[] flags, String relaxedChars) {
6f268b
+        if (relaxedChars != null && relaxedChars.length() > 0) {
6f268b
+            char[] chars = relaxedChars.toCharArray();
6f268b
+            for (char c : chars) {
6f268b
+                if (isRelaxable(c)) {
6f268b
+                    flags[c] = true;
6f268b
+                    IS_NOT_REQUEST_TARGET[c] = false;
6f268b
+                }
6f268b
+            }
6f268b
+        }
6f268b
+    }
6f268b
+
6f268b
     private static enum SkipConstantResult {
6f268b
         FOUND,
6f268b
         NOT_FOUND,
6f268b
diff -up conf/catalina.properties.orig conf/catalina.properties
6f268b
--- conf/catalina.properties.orig	2019-03-05 12:13:51.934329862 -0500
6f268b
+++ conf/catalina.properties	2019-03-05 12:14:08.094279997 -0500
6f268b
@@ -132,6 +132,9 @@ tomcat.util.buf.StringCache.byte.enabled
6f268b
 #tomcat.util.buf.StringCache.trainThreshold=500000
6f268b
 #tomcat.util.buf.StringCache.cacheSize=5000
6f268b
 
6f268b
+# This system property is deprecated. Use the relaxedPathChars relaxedQueryChars
6f268b
+# attributes of the Connector instead. These attributes permit a wider range of
6f268b
+# characters to be configured as valid.
6f268b
 # Allow for changes to HTTP request validation
6f268b
-# WARNING: Using this option will expose the server to CVE-2016-6816
6f268b
+# WARNING: Using this option may expose the server to CVE-2016-6816
6f268b
 #tomcat.util.http.parser.HttpParser.requestTargetAllow=|
6f268b
diff -up webapps/docs/changelog.xml.orig webapps/docs/changelog.xml
6f268b
--- webapps/docs/changelog.xml.orig	2019-03-05 12:13:47.068344877 -0500
6f268b
+++ webapps/docs/changelog.xml	2019-03-05 12:14:08.103279970 -0500
6f268b
@@ -108,6 +108,12 @@
6f268b
         Improve handing of overflow in the UTF-8 decoder with supplementary
6f268b
         characters. (markt)
6f268b
       </fix>
6f268b
+      <add>
6f268b
+        <bug>62273</bug>: Implement configuration options to work-around
6f268b
+        specification non-compliant user agents (including all the major
6f268b
+        browsers) that do not correctly %nn encode URI paths and query strings
6f268b
+        as required by RFC 7230 and RFC 3986. (markt)
6f268b
+      </add>
6f268b
     </changelog>
6f268b
   </subsection>
6f268b
 </section>
6f268b
diff -up webapps/docs/config/http.xml.orig webapps/docs/config/http.xml
6f268b
--- webapps/docs/config/http.xml.orig	2017-03-09 08:51:43.000000000 -0500
6f268b
+++ webapps/docs/config/http.xml	2019-03-05 12:14:08.103279970 -0500
6f268b
@@ -516,6 +516,32 @@
6f268b
       expected concurrent requests (synchronous and asynchronous).

6f268b
     </attribute>
6f268b
 
6f268b
+    <attribute name="relaxedPathChars" required="false">
6f268b
+      

The HTTP/1.1

6f268b
+      specification requires that certain characters are %nn encoded when
6f268b
+      used in URI paths. Unfortunately, many user agents including all the major
6f268b
+      browsers are not compliant with this specification and use these
6f268b
+      characters in unencoded form. To prevent Tomcat rejecting such requests,
6f268b
+      this attribute may be used to specify the additional characters to allow.
6f268b
+      If not specified, no addtional characters will be allowed. The value may
6f268b
+      be any combination of the following characters:
6f268b
+      " < > [ \ ] ^ ` { | } . Any other characters
6f268b
+      present in the value will be ignored.

6f268b
+    </attribute>
6f268b
+
6f268b
+    <attribute name="relaxedQueryChars" required="false">
6f268b
+      

The HTTP/1.1

6f268b
+      specification requires that certain characters are %nn encoded when
6f268b
+      used in URI query strings. Unfortunately, many user agents including all
6f268b
+      the major browsers are not compliant with this specification and use these
6f268b
+      characters in unencoded form. To prevent Tomcat rejecting such requests,
6f268b
+      this attribute may be used to specify the additional characters to allow.
6f268b
+      If not specified, no addtional characters will be allowed. The value may
6f268b
+      be any combination of the following characters:
6f268b
+      " < > [ \ ] ^ ` { | } . Any other characters
6f268b
+      present in the value will be ignored.

6f268b
+    </attribute>
6f268b
+
6f268b
     <attribute name="restrictedUserAgents" required="false">
6f268b
       

The value is a regular expression (using java.util.regex)

6f268b
       matching the user-agent header of HTTP clients for which
6f268b
diff -up webapps/docs/config/systemprops.xml.orig webapps/docs/config/systemprops.xml
6f268b
--- webapps/docs/config/systemprops.xml.orig	2019-03-05 12:14:08.104279967 -0500
6f268b
+++ webapps/docs/config/systemprops.xml	2019-03-05 12:16:02.075928285 -0500
6f268b
@@ -709,11 +709,15 @@
6f268b
     </property>
6f268b
 
6f268b
     <property name="tomcat.util.http.parser.HttpParser.requestTargetAllow">
6f268b
+      

This system property is deprecated. Use the

6f268b
+      relaxedPathChars and relaxedQueryChars
6f268b
+      attributes of the Connector instead. These attributes permit a wider range
6f268b
+      of characters to be configured as valid.

6f268b
       

A string comprised of characters the server should allow even when they are not encoded.

6f268b
       These characters would normally result in a 400 status.

6f268b
       

The acceptable characters for this property are: |, {

6f268b
       , and }

6f268b
-      

WARNING: Use of this option will expose the server to CVE-2016-6816.

6f268b
+      

WARNING: Use of this option may expose the server to CVE-2016-6816.

6f268b
       

6f268b
       

If not specified, the default value of null will be used.

6f268b
     </property>
6f268b
diff -up test/org/apache/catalina/core/TestApplicationContext.java.orig test/org/apache/catalina/core/TestApplicationContext.java
6f268b
--- test/org/apache/catalina/core/TestApplicationContext.java.orig	2019-03-05 12:13:51.981329717 -0500
6f268b
+++ test/org/apache/catalina/core/TestApplicationContext.java	2019-03-05 12:14:08.094279997 -0500
6f268b
@@ -77,7 +77,7 @@ public class TestApplicationContext exte
6f268b
 
6f268b
         ByteChunk res = new ByteChunk();
6f268b
         int rc = getUrl("http://localhost:" + getPort() +
6f268b
-                "/test/bug5nnnn/bug53467].jsp", res, null);
6f268b
+                "/test/bug5nnnn/bug53467%5D.jsp", res, null);
6f268b
 
6f268b
         Assert.assertEquals(HttpServletResponse.SC_OK, rc);
6f268b
         Assert.assertTrue(res.toString().contains("

OK

"));