Blame SOURCES/tomcat-7.0.76-rhbz-1455483.patch

9a9096
diff -up java/org/apache/coyote/http11/AbstractHttp11Processor.java.orig java/org/apache/coyote/http11/AbstractHttp11Processor.java
9a9096
--- java/org/apache/coyote/http11/AbstractHttp11Processor.java.orig	2017-03-09 08:51:40.000000000 -0500
9a9096
+++ java/org/apache/coyote/http11/AbstractHttp11Processor.java	2019-03-05 14:58:20.285295932 -0500
9a9096
@@ -48,6 +48,7 @@ import org.apache.tomcat.util.buf.HexUti
9a9096
 import org.apache.tomcat.util.buf.MessageBytes;
9a9096
 import org.apache.tomcat.util.http.FastHttpDateFormat;
9a9096
 import org.apache.tomcat.util.http.MimeHeaders;
9a9096
+import org.apache.tomcat.util.http.parser.HttpParser;
9a9096
 import org.apache.tomcat.util.log.UserDataHelper;
9a9096
 import org.apache.tomcat.util.net.AbstractEndpoint;
9a9096
 import org.apache.tomcat.util.net.AbstractEndpoint.Handler.SocketState;
9a9096
@@ -262,6 +263,9 @@ public abstract class AbstractHttp11Proc
9a9096
     protected org.apache.coyote.http11.upgrade.UpgradeInbound upgradeInbound = null;
9a9096
 
9a9096
 
9a9096
+    protected HttpParser httpParser;
9a9096
+
9a9096
+
9a9096
     /**
9a9096
      * Instance of the new protocol to use after the HTTP connection has been
9a9096
      * upgraded using the Servlet 3.1 based upgrade process.
9a9096
@@ -1301,33 +1305,62 @@ public abstract class AbstractHttp11Proc
9a9096
             }
9a9096
         }
9a9096
 
9a9096
-        // Check for a full URI (including protocol://host:port/)
9a9096
+        // Check for an absolute-URI less the query string which has already
9a9096
+        // been removed during the parsing of the request line
9a9096
         ByteChunk uriBC = request.requestURI().getByteChunk();
9a9096
+        byte[] uriB = uriBC.getBytes();
9a9096
         if (uriBC.startsWithIgnoreCase("http", 0)) {
9a9096
 
9a9096
-            int pos = uriBC.indexOf("://", 0, 3, 4);
9a9096
-            int uriBCStart = uriBC.getStart();
9a9096
-            int slashPos = -1;
9a9096
-            if (pos != -1) {
9a9096
-                byte[] uriB = uriBC.getBytes();
9a9096
-                slashPos = uriBC.indexOf('/', pos + 3);
9a9096
+            int pos = 4;
9a9096
+            // Check for https
9a9096
+            if (uriBC.startsWithIgnoreCase("s", pos)) {
9a9096
+                pos++;
9a9096
+            }
9a9096
+            // Next 3 characters must be "://"
9a9096
+            if (uriBC.startsWith("://", pos)) {
9a9096
+                int uriBCStart = uriBC.getStart();
9a9096
+
9a9096
+                // '/' does not appear in the authority so use the first
9a9096
+                // instance to split the authority and the path segments
9a9096
+                int slashPos = uriBC.indexOf('/', pos);
9a9096
+                // '@' in the authority delimits the userinfo
9a9096
+
9a9096
                 if (slashPos == -1) {
9a9096
                     slashPos = uriBC.getLength();
9a9096
-                    // Set URI as "/"
9a9096
-                    request.requestURI().setBytes
9a9096
-                        (uriB, uriBCStart + pos + 1, 1);
9a9096
+                    // Set URI as "/". Use 6 as it will always be a '/'.
9a9096
+                    // 01234567
9a9096
+                    // http://
9a9096
+                    // https://
9a9096
+                    request.requestURI().setBytes(uriB, uriBCStart + 6, 1);
9a9096
                 } else {
9a9096
-                    request.requestURI().setBytes
9a9096
-                        (uriB, uriBCStart + slashPos,
9a9096
-                         uriBC.getLength() - slashPos);
9a9096
+                    request.requestURI().setBytes(uriB, uriBCStart + slashPos, uriBC.getLength() - slashPos);
9a9096
                 }
9a9096
                 MessageBytes hostMB = headers.setValue("host");
9a9096
                 hostMB.setBytes(uriB, uriBCStart + pos + 3,
9a9096
                                 slashPos - pos - 3);
9a9096
+            } else {
9a9096
+                response.setStatus(400);
9a9096
+                setErrorState(ErrorState.CLOSE_CLEAN, null);
9a9096
+                if (getLog().isDebugEnabled()) {
9a9096
+                    getLog().debug(sm.getString("http11processor.request.invalidScheme"));
9a9096
+                }
9a9096
             }
9a9096
 
9a9096
         }
9a9096
 
9a9096
+        // Validate the characters in the URI. %nn decoding will be checked at
9a9096
+        // the point of decoding.
9a9096
+        for (int i = uriBC.getStart(); i < uriBC.getEnd(); i++) {
9a9096
+            if (!httpParser.isAbsolutePathRelaxed(uriB[i])) {
9a9096
+                response.setStatus(400);
9a9096
+                setErrorState(ErrorState.CLOSE_CLEAN, null);
9a9096
+                if (getLog().isDebugEnabled()) {
9a9096
+                    getLog().debug(sm.getString("http11processor.request.invalidUri"));
9a9096
+                }
9a9096
+                break;
9a9096
+            }
9a9096
+        }
9a9096
+
9a9096
         // Input filter setup
9a9096
         InputFilter[] inputFilters = getInputBuffer().getFilters();
9a9096
 
9a9096
@@ -1364,8 +1397,7 @@ public abstract class AbstractHttp11Proc
9a9096
                 headers.removeHeader("content-length");
9a9096
                 request.setContentLength(-1);
9a9096
             } else {
9a9096
-                getInputBuffer().addActiveFilter
9a9096
-                        (inputFilters[Constants.IDENTITY_FILTER]);
9a9096
+                getInputBuffer().addActiveFilter(inputFilters[Constants.IDENTITY_FILTER]);
9a9096
                 contentDelimitation = true;
9a9096
             }
9a9096
         }
9a9096
@@ -1383,14 +1415,14 @@ public abstract class AbstractHttp11Proc
9a9096
             }
9a9096
         }
9a9096
 
9a9096
+        // Validate host name and extract port if present
9a9096
         parseHost(valueMB);
9a9096
 
9a9096
         if (!contentDelimitation) {
9a9096
             // If there's no content length
9a9096
             // (broken HTTP/1.0 or HTTP/1.1), assume
9a9096
             // the client is not broken and didn't send a body
9a9096
-            getInputBuffer().addActiveFilter
9a9096
-                    (inputFilters[Constants.VOID_FILTER]);
9a9096
+            getInputBuffer().addActiveFilter(inputFilters[Constants.VOID_FILTER]);
9a9096
             contentDelimitation = true;
9a9096
         }
9a9096
 
9a9096
diff -up java/org/apache/coyote/http11/AbstractHttp11Protocol.java.orig java/org/apache/coyote/http11/AbstractHttp11Protocol.java
9a9096
--- java/org/apache/coyote/http11/AbstractHttp11Protocol.java.orig	2019-03-05 12:14:08.096279991 -0500
9a9096
+++ java/org/apache/coyote/http11/AbstractHttp11Protocol.java	2019-03-05 14:03:32.186921274 -0500
9a9096
@@ -45,6 +45,23 @@ public abstract class AbstractHttp11Prot
9a9096
     // ------------------------------------------------ HTTP specific properties
9a9096
     // ------------------------------------------ managed in the ProtocolHandler
9a9096
 
9a9096
+    private String relaxedPathChars = null;
9a9096
+    public String getRelaxedPathChars() {
9a9096
+        return relaxedPathChars;
9a9096
+    }
9a9096
+    public void setRelaxedPathChars(String relaxedPathChars) {
9a9096
+        this.relaxedPathChars = relaxedPathChars;
9a9096
+    }
9a9096
+
9a9096
+
9a9096
+    private String relaxedQueryChars = null;
9a9096
+    public String getRelaxedQueryChars() {
9a9096
+        return relaxedQueryChars;
9a9096
+    }
9a9096
+    public void setRelaxedQueryChars(String relaxedQueryChars) {
9a9096
+        this.relaxedQueryChars = relaxedQueryChars;
9a9096
+    }
9a9096
+
9a9096
     private int socketBuffer = 9000;
9a9096
     public int getSocketBuffer() { return socketBuffer; }
9a9096
     public void setSocketBuffer(int socketBuffer) {
9a9096
diff -up java/org/apache/coyote/http11/AbstractInputBuffer.java.orig java/org/apache/coyote/http11/AbstractInputBuffer.java
9a9096
--- java/org/apache/coyote/http11/AbstractInputBuffer.java.orig	2017-03-09 08:51:40.000000000 -0500
9a9096
+++ java/org/apache/coyote/http11/AbstractInputBuffer.java	2019-03-05 12:14:08.096279991 -0500
9a9096
@@ -22,6 +22,7 @@ import org.apache.coyote.InputBuffer;
9a9096
 import org.apache.coyote.Request;
9a9096
 import org.apache.tomcat.util.buf.ByteChunk;
9a9096
 import org.apache.tomcat.util.http.MimeHeaders;
9a9096
+import org.apache.tomcat.util.http.parser.HttpParser;
9a9096
 import org.apache.tomcat.util.net.AbstractEndpoint;
9a9096
 import org.apache.tomcat.util.net.SocketWrapper;
9a9096
 import org.apache.tomcat.util.res.StringManager;
9a9096
@@ -108,6 +109,9 @@ public abstract class AbstractInputBuffe
9a9096
     protected int lastActiveFilter;
9a9096
 
9a9096
 
9a9096
+    protected HttpParser httpParser;
9a9096
+
9a9096
+
9a9096
     // ------------------------------------------------------------- Properties
9a9096
 
9a9096
 
9a9096
diff -up java/org/apache/coyote/http11/Http11AprProcessor.java.orig java/org/apache/coyote/http11/Http11AprProcessor.java
9a9096
--- java/org/apache/coyote/http11/Http11AprProcessor.java.orig	2019-03-05 12:13:47.032344988 -0500
9a9096
+++ java/org/apache/coyote/http11/Http11AprProcessor.java	2019-03-05 14:58:20.298295897 -0500
9a9096
@@ -35,6 +35,7 @@ import org.apache.tomcat.jni.SSLSocket;
9a9096
 import org.apache.tomcat.jni.Sockaddr;
9a9096
 import org.apache.tomcat.jni.Socket;
9a9096
 import org.apache.tomcat.util.ExceptionUtils;
9a9096
+import org.apache.tomcat.util.http.parser.HttpParser;
9a9096
 import org.apache.tomcat.util.net.AbstractEndpoint.Handler.SocketState;
9a9096
 import org.apache.tomcat.util.net.AprEndpoint;
9a9096
 import org.apache.tomcat.util.net.SSLSupport;
9a9096
@@ -61,11 +62,15 @@ public class Http11AprProcessor extends
9a9096
 
9a9096
 
9a9096
     public Http11AprProcessor(int headerBufferSize, AprEndpoint endpoint, int maxTrailerSize,
9a9096
-            Set<String> allowedTrailerHeaders, int maxExtensionSize, int maxSwallowSize) {
9a9096
+            Set<String> allowedTrailerHeaders,
9a9096
+            int maxExtensionSize, int maxSwallowSize, String relaxedPathChars,
9a9096
+            String relaxedQueryChars) {
9a9096
 
9a9096
         super(endpoint);
9a9096
 
9a9096
-        inputBuffer = new InternalAprInputBuffer(request, headerBufferSize);
9a9096
+        httpParser = new HttpParser(relaxedPathChars, relaxedQueryChars);
9a9096
+
9a9096
+        inputBuffer = new InternalAprInputBuffer(request, headerBufferSize, httpParser);
9a9096
         request.setInputBuffer(inputBuffer);
9a9096
 
9a9096
         outputBuffer = new InternalAprOutputBuffer(response, headerBufferSize);
9a9096
diff -up java/org/apache/coyote/http11/Http11AprProtocol.java.orig java/org/apache/coyote/http11/Http11AprProtocol.java
9a9096
--- java/org/apache/coyote/http11/Http11AprProtocol.java.orig	2019-03-05 12:14:08.097279988 -0500
9a9096
+++ java/org/apache/coyote/http11/Http11AprProtocol.java	2019-03-05 13:59:45.131631454 -0500
9a9096
@@ -301,7 +301,9 @@ public class Http11AprProtocol extends A
9a9096
             Http11AprProcessor processor = new Http11AprProcessor(
9a9096
                     proto.getMaxHttpHeaderSize(), (AprEndpoint)proto.endpoint,
9a9096
                     proto.getMaxTrailerSize(), proto.getAllowedTrailerHeadersAsSet(),
9a9096
-                    proto.getMaxExtensionSize(), proto.getMaxSwallowSize());
9a9096
+                    proto.getMaxExtensionSize(),
9a9096
+                    proto.getMaxSwallowSize(), proto.getRelaxedPathChars(),
9a9096
+                    proto.getRelaxedQueryChars());
9a9096
             processor.setAdapter(proto.adapter);
9a9096
             processor.setMaxKeepAliveRequests(proto.getMaxKeepAliveRequests());
9a9096
             processor.setKeepAliveTimeout(proto.getKeepAliveTimeout());
9a9096
diff -up java/org/apache/coyote/http11/Http11NioProcessor.java.orig java/org/apache/coyote/http11/Http11NioProcessor.java
9a9096
--- java/org/apache/coyote/http11/Http11NioProcessor.java.orig	2019-03-05 12:13:47.033344985 -0500
9a9096
+++ java/org/apache/coyote/http11/Http11NioProcessor.java	2019-03-05 13:04:00.335042387 -0500
9a9096
@@ -31,6 +31,7 @@ import org.apache.coyote.http11.filters.
9a9096
 import org.apache.juli.logging.Log;
9a9096
 import org.apache.juli.logging.LogFactory;
9a9096
 import org.apache.tomcat.util.ExceptionUtils;
9a9096
+import org.apache.tomcat.util.http.parser.HttpParser;
9a9096
 import org.apache.tomcat.util.net.AbstractEndpoint.Handler.SocketState;
9a9096
 import org.apache.tomcat.util.net.NioChannel;
9a9096
 import org.apache.tomcat.util.net.NioEndpoint;
9a9096
@@ -66,11 +67,15 @@ public class Http11NioProcessor extends
9a9096
 
9a9096
 
9a9096
     public Http11NioProcessor(int maxHttpHeaderSize, NioEndpoint endpoint, int maxTrailerSize,
9a9096
-            Set<String> allowedTrailerHeaders, int maxExtensionSize, int maxSwallowSize) {
9a9096
+            Set<String> allowedTrailerHeaders,
9a9096
+            int maxExtensionSize, int maxSwallowSize, String relaxedPathChars,
9a9096
+            String relaxedQueryChars) {
9a9096
 
9a9096
         super(endpoint);
9a9096
 
9a9096
-        inputBuffer = new InternalNioInputBuffer(request, maxHttpHeaderSize);
9a9096
+        httpParser = new HttpParser(relaxedPathChars, relaxedQueryChars);
9a9096
+
9a9096
+        inputBuffer = new InternalNioInputBuffer(request, maxHttpHeaderSize, httpParser);
9a9096
         request.setInputBuffer(inputBuffer);
9a9096
 
9a9096
         outputBuffer = new InternalNioOutputBuffer(response, maxHttpHeaderSize);
9a9096
diff -up java/org/apache/coyote/http11/Http11NioProtocol.java.orig java/org/apache/coyote/http11/Http11NioProtocol.java
9a9096
--- java/org/apache/coyote/http11/Http11NioProtocol.java.orig	2019-03-05 12:14:08.098279985 -0500
9a9096
+++ java/org/apache/coyote/http11/Http11NioProtocol.java	2019-03-05 14:00:15.034537932 -0500
9a9096
@@ -266,7 +266,9 @@ public class Http11NioProtocol extends A
9a9096
             Http11NioProcessor processor = new Http11NioProcessor(
9a9096
                     proto.getMaxHttpHeaderSize(), (NioEndpoint)proto.endpoint,
9a9096
                     proto.getMaxTrailerSize(), proto.getAllowedTrailerHeadersAsSet(),
9a9096
-                    proto.getMaxExtensionSize(), proto.getMaxSwallowSize());
9a9096
+                    proto.getMaxExtensionSize(),
9a9096
+                    proto.getMaxSwallowSize(), proto.getRelaxedPathChars(),
9a9096
+                    proto.getRelaxedQueryChars());
9a9096
             processor.setAdapter(proto.adapter);
9a9096
             processor.setMaxKeepAliveRequests(proto.getMaxKeepAliveRequests());
9a9096
             processor.setKeepAliveTimeout(proto.getKeepAliveTimeout());
9a9096
diff -up java/org/apache/coyote/http11/Http11Processor.java.orig java/org/apache/coyote/http11/Http11Processor.java
9a9096
--- java/org/apache/coyote/http11/Http11Processor.java.orig	2017-03-09 08:51:40.000000000 -0500
9a9096
+++ java/org/apache/coyote/http11/Http11Processor.java	2019-03-05 14:58:20.306295875 -0500
9a9096
@@ -26,6 +26,7 @@ import org.apache.coyote.ActionCode;
9a9096
 import org.apache.coyote.http11.filters.BufferedInputFilter;
9a9096
 import org.apache.juli.logging.Log;
9a9096
 import org.apache.juli.logging.LogFactory;
9a9096
+import org.apache.tomcat.util.http.parser.HttpParser;
9a9096
 import org.apache.tomcat.util.net.AbstractEndpoint.Handler.SocketState;
9a9096
 import org.apache.tomcat.util.net.JIoEndpoint;
9a9096
 import org.apache.tomcat.util.net.SSLSupport;
9a9096
@@ -51,11 +52,16 @@ public class Http11Processor extends Abs
9a9096
 
9a9096
 
9a9096
     public Http11Processor(int headerBufferSize, JIoEndpoint endpoint, int maxTrailerSize,
9a9096
-            Set<String> allowedTrailerHeaders, int maxExtensionSize, int maxSwallowSize) {
9a9096
+            Set<String> allowedTrailerHeaders,
9a9096
+            int maxExtensionSize, int maxSwallowSize, String relaxedPathChars,
9a9096
+            String relaxedQueryChars) {
9a9096
 
9a9096
         super(endpoint);
9a9096
+
9a9096
+        httpParser = new HttpParser(relaxedPathChars, relaxedQueryChars);
9a9096
+
9a9096
+        inputBuffer = new InternalInputBuffer(request, headerBufferSize, httpParser);
9a9096
         
9a9096
-        inputBuffer = new InternalInputBuffer(request, headerBufferSize);
9a9096
         request.setInputBuffer(inputBuffer);
9a9096
 
9a9096
         outputBuffer = new InternalOutputBuffer(response, headerBufferSize);
9a9096
diff -up java/org/apache/coyote/http11/Http11Protocol.java.orig java/org/apache/coyote/http11/Http11Protocol.java
9a9096
--- java/org/apache/coyote/http11/Http11Protocol.java.orig	2019-03-05 12:14:08.099279982 -0500
9a9096
+++ java/org/apache/coyote/http11/Http11Protocol.java	2019-03-05 13:02:36.769301263 -0500
9a9096
@@ -165,7 +165,9 @@ public class Http11Protocol extends Abst
9a9096
             Http11Processor processor = new Http11Processor(
9a9096
                     proto.getMaxHttpHeaderSize(), (JIoEndpoint)proto.endpoint,
9a9096
                     proto.getMaxTrailerSize(), proto.getAllowedTrailerHeadersAsSet(),
9a9096
-                    proto.getMaxExtensionSize(), proto.getMaxSwallowSize());
9a9096
+                    proto.getMaxExtensionSize(),
9a9096
+                    proto.getMaxSwallowSize(), proto.getRelaxedPathChars(),
9a9096
+                    proto.getRelaxedQueryChars());
9a9096
             processor.setAdapter(proto.adapter);
9a9096
             processor.setMaxKeepAliveRequests(proto.getMaxKeepAliveRequests());
9a9096
             processor.setKeepAliveTimeout(proto.getKeepAliveTimeout());
9a9096
diff -up java/org/apache/coyote/http11/InternalAprInputBuffer.java.orig java/org/apache/coyote/http11/InternalAprInputBuffer.java
9a9096
--- java/org/apache/coyote/http11/InternalAprInputBuffer.java.orig	2017-03-09 08:51:40.000000000 -0500
9a9096
+++ java/org/apache/coyote/http11/InternalAprInputBuffer.java	2019-03-05 14:58:20.312295859 -0500
9a9096
@@ -51,7 +51,8 @@ public class InternalAprInputBuffer exte
9a9096
     /**
9a9096
      * Alternate constructor.
9a9096
      */
9a9096
-    public InternalAprInputBuffer(Request request, int headerBufferSize) {
9a9096
+    public InternalAprInputBuffer(Request request, int headerBufferSize,
9a9096
+            HttpParser httpParser) {
9a9096
 
9a9096
         this.request = request;
9a9096
         headers = request.getMimeHeaders();
9a9096
@@ -63,6 +64,8 @@ public class InternalAprInputBuffer exte
9a9096
             bbuf = ByteBuffer.allocateDirect((headerBufferSize / 1500 + 1) * 1500);
9a9096
         }
9a9096
 
9a9096
+        this.httpParser = httpParser;
9a9096
+
9a9096
         inputStreamInputBuffer = new SocketInputBuffer();
9a9096
 
9a9096
         filterLibrary = new InputFilter[0];
9a9096
@@ -231,7 +234,13 @@ public class InternalAprInputBuffer exte
9a9096
                 end = pos;
9a9096
             } else if ((buf[pos] == Constants.QUESTION) && (questionPos == -1)) {
9a9096
                 questionPos = pos;
9a9096
-            } else if (HttpParser.isNotRequestTarget(buf[pos])) {
9a9096
+            } else if (questionPos != -1 && !httpParser.isQueryRelaxed(buf[pos])) {
9a9096
+                // %nn decoding will be checked at the point of decoding
9a9096
+                throw new IllegalArgumentException(sm.getString("iib.invalidRequestTarget"));
9a9096
+            } else if (httpParser.isNotRequestTargetRelaxed(buf[pos])) {
9a9096
+                // This is a general check that aims to catch problems early
9a9096
+                // Detailed checking of each part of the request target will
9a9096
+                // happen in AbstractHttp11Processor#prepareRequest()
9a9096
                 throw new IllegalArgumentException(sm.getString("iib.invalidRequestTarget"));
9a9096
             }
9a9096
 
9a9096
diff -up java/org/apache/coyote/http11/InternalInputBuffer.java.orig java/org/apache/coyote/http11/InternalInputBuffer.java
9a9096
--- java/org/apache/coyote/http11/InternalInputBuffer.java.orig	2017-03-09 08:51:40.000000000 -0500
9a9096
+++ java/org/apache/coyote/http11/InternalInputBuffer.java	2019-03-05 14:58:21.215293426 -0500
9a9096
@@ -52,13 +52,16 @@ public class InternalInputBuffer extends
9a9096
     /**
9a9096
      * Default constructor.
9a9096
      */
9a9096
-    public InternalInputBuffer(Request request, int headerBufferSize) {
9a9096
+    public InternalInputBuffer(Request request, int headerBufferSize,
9a9096
+            HttpParser httpParser) {
9a9096
 
9a9096
         this.request = request;
9a9096
         headers = request.getMimeHeaders();
9a9096
 
9a9096
         buf = new byte[headerBufferSize];
9a9096
 
9a9096
+        this.httpParser = httpParser;
9a9096
+
9a9096
         inputStreamInputBuffer = new InputStreamInputBuffer();
9a9096
 
9a9096
         filterLibrary = new InputFilter[0];
9a9096
@@ -185,7 +188,13 @@ public class InternalInputBuffer extends
9a9096
                 end = pos;
9a9096
             } else if ((buf[pos] == Constants.QUESTION) && (questionPos == -1)) {
9a9096
                 questionPos = pos;
9a9096
-            } else if (HttpParser.isNotRequestTarget(buf[pos])) {
9a9096
+            } else if (questionPos != -1 && !httpParser.isQueryRelaxed(buf[pos])) {
9a9096
+                // %nn decoding will be checked at the point of decoding
9a9096
+                throw new IllegalArgumentException(sm.getString("iib.invalidRequestTarget"));
9a9096
+            } else if (httpParser.isNotRequestTargetRelaxed(buf[pos])) {
9a9096
+                // This is a general check that aims to catch problems early
9a9096
+                // Detailed checking of each part of the request target will
9a9096
+                // happen in AbstractHttp11Processor#prepareRequest()
9a9096
                 throw new IllegalArgumentException(sm.getString("iib.invalidRequestTarget"));
9a9096
             }
9a9096
 
9a9096
diff -up java/org/apache/coyote/http11/InternalNioInputBuffer.java.orig java/org/apache/coyote/http11/InternalNioInputBuffer.java
9a9096
--- java/org/apache/coyote/http11/InternalNioInputBuffer.java.orig	2017-03-09 08:51:40.000000000 -0500
9a9096
+++ java/org/apache/coyote/http11/InternalNioInputBuffer.java	2019-03-05 14:58:20.272295967 -0500
9a9096
@@ -98,12 +98,14 @@ public class InternalNioInputBuffer exte
9a9096
     /**
9a9096
      * Alternate constructor.
9a9096
      */
9a9096
-    public InternalNioInputBuffer(Request request, int headerBufferSize) {
9a9096
+    public InternalNioInputBuffer(Request request, int headerBufferSize,
9a9096
+            HttpParser httpParser) {
9a9096
 
9a9096
         this.request = request;
9a9096
         headers = request.getMimeHeaders();
9a9096
 
9a9096
         this.headerBufferSize = headerBufferSize;
9a9096
+        this.httpParser = httpParser;
9a9096
 
9a9096
         inputStreamInputBuffer = new SocketInputBuffer();
9a9096
 
9a9096
@@ -313,7 +315,13 @@ public class InternalNioInputBuffer exte
9a9096
                     end = pos;
9a9096
                 } else if ((buf[pos] == Constants.QUESTION) && (parsingRequestLineQPos == -1)) {
9a9096
                     parsingRequestLineQPos = pos;
9a9096
-                } else if (HttpParser.isNotRequestTarget(buf[pos])) {
9a9096
+                } else if (parsingRequestLineQPos != -1 && !httpParser.isQueryRelaxed(buf[pos])) {
9a9096
+                    // %nn decoding will be checked at the point of decoding
9a9096
+                    throw new IllegalArgumentException(sm.getString("iib.invalidRequestTarget"));
9a9096
+                } else if (httpParser.isNotRequestTargetRelaxed(buf[pos])) {
9a9096
+                    // This is a general check that aims to catch problems early
9a9096
+                    // Detailed checking of each part of the request target will
9a9096
+                    // happen in AbstractHttp11Processor#prepareRequest()
9a9096
                     throw new IllegalArgumentException(sm.getString("iib.invalidRequestTarget"));
9a9096
                 }
9a9096
                 pos++;
9a9096
diff -up java/org/apache/coyote/http11/LocalStrings.properties.orig java/org/apache/coyote/http11/LocalStrings.properties
9a9096
--- java/org/apache/coyote/http11/LocalStrings.properties.orig	2019-03-05 12:14:08.092280004 -0500
9a9096
+++ java/org/apache/coyote/http11/LocalStrings.properties	2019-03-05 12:23:45.474498387 -0500
9a9096
@@ -27,6 +27,9 @@ http11processor.filter.unknown=Unknown f
9a9096
 http11processor.filter.error=Error intializing filter {0}
9a9096
 http11processor.header.parse=Error parsing HTTP request header
9a9096
 http11processor.neverused=This method should never be used
9a9096
+http11processor.request.invalidScheme=The HTTP request contained an absolute URI with an invalid scheme
9a9096
+http11processor.request.invalidUri==The HTTP request contained an invalid URI
9a9096
+http11processor.request.invalidUserInfo=The HTTP request contained an absolute URI with an invalid userinfo
9a9096
 http11processor.request.prepare=Error preparing request
9a9096
 http11processor.request.process=Error processing request
9a9096
 http11processor.request.finish=Error finishing request
9a9096
diff -up java/org/apache/tomcat/util/buf/ByteChunk.java.orig java/org/apache/tomcat/util/buf/ByteChunk.java
9a9096
--- java/org/apache/tomcat/util/buf/ByteChunk.java.orig	2017-03-09 08:51:41.000000000 -0500
9a9096
+++ java/org/apache/tomcat/util/buf/ByteChunk.java	2019-03-05 12:16:53.404769901 -0500
9a9096
@@ -668,7 +668,8 @@ public final class ByteChunk implements
9a9096
     }
9a9096
 
9a9096
     /**
9a9096
-     * Returns true if the message bytes starts with the specified string.
9a9096
+     * Returns true if the buffer starts with the specified string when tested
9a9096
+     * in a case sensitive manner.
9a9096
      * @param s the string
9a9096
      * @deprecated Unused. Will be removed in Tomcat 8.0.x onwards.
9a9096
      */
9a9096
@@ -717,6 +718,31 @@ public final class ByteChunk implements
9a9096
      * @param s the string
9a9096
      * @param pos The position
9a9096
      */
9a9096
+    public boolean startsWith(String s, int pos) {
9a9096
+        byte[] b = buff;
9a9096
+        int len = s.length();
9a9096
+        if (b == null || len + pos > end - start) {
9a9096
+            return false;
9a9096
+        }
9a9096
+        int off = start + pos;
9a9096
+        for (int i = 0; i < len; i++) {
9a9096
+            if (b[off++] != s.charAt(i)) {
9a9096
+                return false;
9a9096
+            }
9a9096
+        }
9a9096
+        return true;
9a9096
+    }
9a9096
+
9a9096
+
9a9096
+    /**
9a9096
+     * Returns true if the buffer starts with the specified string when tested
9a9096
+     * in a case insensitive manner.
9a9096
+     *
9a9096
+     * @param s the string
9a9096
+     * @param pos The position
9a9096
+     *
9a9096
+     * @return true if the start matches
9a9096
+     */
9a9096
     public boolean startsWithIgnoreCase(String s, int pos) {
9a9096
         byte[] b = buff;
9a9096
         int len = s.length();
9a9096
diff -up java/org/apache/tomcat/util/http/parser/HttpParser.java.orig java/org/apache/tomcat/util/http/parser/HttpParser.java
9a9096
--- java/org/apache/tomcat/util/http/parser/HttpParser.java.orig	2017-03-09 08:51:41.000000000 -0500
9a9096
+++ java/org/apache/tomcat/util/http/parser/HttpParser.java	2019-03-05 14:58:20.291295916 -0500
9a9096
@@ -67,9 +67,17 @@ public class HttpParser {
9a9096
     private static final boolean[] IS_SEPARATOR = new boolean[ARRAY_SIZE];
9a9096
     private static final boolean[] IS_TOKEN = new boolean[ARRAY_SIZE];
9a9096
     private static final boolean[] IS_HEX = new boolean[ARRAY_SIZE];
9a9096
-    private static final boolean[] IS_NOT_REQUEST_TARGET = new boolean[ARRAY_SIZE];
9a9096
     private static final boolean[] IS_HTTP_PROTOCOL = new boolean[ARRAY_SIZE];
9a9096
+    private static final boolean[] IS_ALPHA = new boolean[ARRAY_SIZE];
9a9096
+    private static final boolean[] IS_NUMERIC = new boolean[ARRAY_SIZE];
9a9096
     private static final boolean[] REQUEST_TARGET_ALLOW = new boolean[ARRAY_SIZE];
9a9096
+    private static final boolean[] IS_UNRESERVED = new boolean[ARRAY_SIZE];
9a9096
+    private static final boolean[] IS_SUBDELIM = new boolean[ARRAY_SIZE];
9a9096
+    private static final boolean[] IS_USERINFO = new boolean[ARRAY_SIZE];
9a9096
+    private static final boolean[] IS_RELAXABLE = new boolean[ARRAY_SIZE];
9a9096
+
9a9096
+    private static final HttpParser DEFAULT;
9a9096
+
9a9096
 
9a9096
     static {
9a9096
         // Digest field types.
9a9096
@@ -91,19 +99,6 @@ public class HttpParser {
9a9096
         // RFC2617 says nc is 8LHEX. <">8LHEX<"> will also be accepted
9a9096
         fieldTypes.put("nc", FIELD_TYPE_LHEX);
9a9096
 
9a9096
-        String prop = System.getProperty("tomcat.util.http.parser.HttpParser.requestTargetAllow");
9a9096
-        if (prop != null) {
9a9096
-            for (int i = 0; i < prop.length(); i++) {
9a9096
-                char c = prop.charAt(i);
9a9096
-                if (c == '{' || c == '}' || c == '|') {
9a9096
-                    REQUEST_TARGET_ALLOW[c] = true;
9a9096
-                } else {
9a9096
-                    log.warn(sm.getString("httpparser.invalidRequestTargetCharacter",
9a9096
-                            Character.valueOf(c)));
9a9096
-                }
9a9096
-            }
9a9096
-        }
9a9096
-
9a9096
         for (int i = 0; i < ARRAY_SIZE; i++) {
9a9096
             // Control> 0-31, 127
9a9096
             if (i < 32 || i == 127) {
9a9096
@@ -128,6 +123,67 @@ public class HttpParser {
9a9096
                 IS_HEX[i] = true;
9a9096
             }
9a9096
 
9a9096
+            // Not valid for HTTP protocol
9a9096
+            // "HTTP/" DIGIT "." DIGIT
9a9096
+            if (i == 'H' || i == 'T' || i == 'P' || i == '/' || i == '.' || (i >= '0' && i <= '9')) {
9a9096
+                IS_HTTP_PROTOCOL[i] = true;
9a9096
+            }
9a9096
+
9a9096
+            if (i >= '0' && i <= '9') {
9a9096
+                IS_NUMERIC[i] = true;
9a9096
+            }
9a9096
+
9a9096
+            if (i >= 'a' && i <= 'z' || i >= 'A' && i <= 'Z') {
9a9096
+                IS_ALPHA[i] = true;
9a9096
+            }
9a9096
+
9a9096
+            if (IS_ALPHA[i] || IS_NUMERIC[i] || i == '-' || i == '.' || i == '_' || i == '~') {
9a9096
+                IS_UNRESERVED[i] = true;
9a9096
+            }
9a9096
+
9a9096
+            if (i == '!' || i == '$' || i == '&' || i == '\'' || i == '(' || i == ')' || i == '*' ||
9a9096
+                    i == '+' || i == ',' || i == ';' || i == '=') {
9a9096
+                IS_SUBDELIM[i] = true;
9a9096
+            }
9a9096
+
9a9096
+            // userinfo    = *( unreserved / pct-encoded / sub-delims / ":" )
9a9096
+            if (IS_UNRESERVED[i] || i == '%' || IS_SUBDELIM[i] || i == ':') {
9a9096
+                IS_USERINFO[i] = true;
9a9096
+            }
9a9096
+
9a9096
+            // The characters that are normally not permitted for which the
9a9096
+            // restrictions may be relaxed when used in the path and/or query
9a9096
+            // string
9a9096
+            if (i == '\"' || i == '<' || i == '>' || i == '[' || i == '\\' || i == ']' ||
9a9096
+                    i == '^' || i == '`'  || i == '{' || i == '|' || i == '}') {
9a9096
+                IS_RELAXABLE[i] = true;
9a9096
+            }
9a9096
+        }
9a9096
+
9a9096
+        String prop = System.getProperty("tomcat.util.http.parser.HttpParser.requestTargetAllow");
9a9096
+        if (prop != null) {
9a9096
+            for (int i = 0; i < prop.length(); i++) {
9a9096
+                char c = prop.charAt(i);
9a9096
+                if (c == '{' || c == '}' || c == '|') {
9a9096
+                    REQUEST_TARGET_ALLOW[c] = true;
9a9096
+                } else {
9a9096
+                    log.warn(sm.getString("http.invalidRequestTargetCharacter",
9a9096
+                            Character.valueOf(c)));
9a9096
+                }
9a9096
+            }
9a9096
+        }
9a9096
+
9a9096
+        DEFAULT = new HttpParser(null, null);
9a9096
+    }
9a9096
+
9a9096
+
9a9096
+    private final boolean[] IS_NOT_REQUEST_TARGET = new boolean[ARRAY_SIZE];
9a9096
+    private final boolean[] IS_ABSOLUTEPATH_RELAXED = new boolean[ARRAY_SIZE];
9a9096
+    private final boolean[] IS_QUERY_RELAXED = new boolean[ARRAY_SIZE];
9a9096
+
9a9096
+
9a9096
+    public HttpParser(String relaxedPathChars, String relaxedQueryChars) {
9a9096
+        for (int i = 0; i < ARRAY_SIZE; i++) {
9a9096
             // Not valid for request target.
9a9096
             // Combination of multiple rules from RFC7230 and RFC 3986. Must be
9a9096
             // ASCII, no controls plus a few additional characters excluded
9a9096
@@ -139,12 +195,29 @@ public class HttpParser {
9a9096
                 }
9a9096
             }
9a9096
 
9a9096
-            // Not valid for HTTP protocol
9a9096
-            // "HTTP/" DIGIT "." DIGIT
9a9096
-            if (i == 'H' || i == 'T' || i == 'P' || i == '/' || i == '.' || (i >= '0' && i <= '9')) {
9a9096
-                IS_HTTP_PROTOCOL[i] = true;
9a9096
+            /*
9a9096
+             * absolute-path  = 1*( "/" segment )
9a9096
+             * segment        = *pchar
9a9096
+             * pchar          = unreserved / pct-encoded / sub-delims / ":" / "@"
9a9096
+             *
9a9096
+             * Note pchar allows everything userinfo allows plus "@"
9a9096
+             */
9a9096
+            if (IS_USERINFO[i] || i == '@' || i == '/' || REQUEST_TARGET_ALLOW[i]) {
9a9096
+                IS_ABSOLUTEPATH_RELAXED[i] = true;
9a9096
+            }
9a9096
+
9a9096
+            /*
9a9096
+             * query          = *( pchar / "/" / "?" )
9a9096
+             *
9a9096
+             * Note query allows everything absolute-path allows plus "?"
9a9096
+             */
9a9096
+            if (IS_ABSOLUTEPATH_RELAXED[i] || i == '?' || REQUEST_TARGET_ALLOW[i]) {
9a9096
+                IS_QUERY_RELAXED[i] = true;
9a9096
             }
9a9096
         }
9a9096
+
9a9096
+        relax(IS_ABSOLUTEPATH_RELAXED, relaxedPathChars);
9a9096
+        relax(IS_QUERY_RELAXED, relaxedQueryChars);
9a9096
     }
9a9096
 
9a9096
     /**
9a9096
@@ -277,6 +350,39 @@ public class HttpParser {
9a9096
     }
9a9096
 
9a9096
 
9a9096
+    public boolean isNotRequestTargetRelaxed(int c) {
9a9096
+        // Fast for valid request target characters, slower for some incorrect
9a9096
+        // ones
9a9096
+        try {
9a9096
+            return IS_NOT_REQUEST_TARGET[c];
9a9096
+        } catch (ArrayIndexOutOfBoundsException ex) {
9a9096
+            return true;
9a9096
+        }
9a9096
+    }
9a9096
+
9a9096
+
9a9096
+    public boolean isAbsolutePathRelaxed(int c) {
9a9096
+        // Fast for valid user info characters, slower for some incorrect
9a9096
+        // ones
9a9096
+        try {
9a9096
+            return IS_ABSOLUTEPATH_RELAXED[c];
9a9096
+        } catch (ArrayIndexOutOfBoundsException ex) {
9a9096
+            return false;
9a9096
+        }
9a9096
+    }
9a9096
+
9a9096
+
9a9096
+    public boolean isQueryRelaxed(int c) {
9a9096
+        // Fast for valid user info characters, slower for some incorrect
9a9096
+        // ones
9a9096
+        try {
9a9096
+            return IS_QUERY_RELAXED[c];
9a9096
+        } catch (ArrayIndexOutOfBoundsException ex) {
9a9096
+            return false;
9a9096
+        }
9a9096
+    }
9a9096
+
9a9096
+
9a9096
     public static String unquote(String input) {
9a9096
         if (input == null || input.length() < 2) {
9a9096
             return input;
9a9096
@@ -329,27 +435,53 @@ public class HttpParser {
9a9096
 
9a9096
 
9a9096
     public static boolean isNotRequestTarget(int c) {
9a9096
-        // Fast for valid request target characters, slower for some incorrect
9a9096
+        return DEFAULT.isNotRequestTargetRelaxed(c);
9a9096
+    }
9a9096
+
9a9096
+
9a9096
+    public static boolean isHttpProtocol(int c) {
9a9096
+        // Fast for valid HTTP protocol characters, slower for some incorrect
9a9096
         // ones
9a9096
         try {
9a9096
-            return IS_NOT_REQUEST_TARGET[c];
9a9096
+            return IS_HTTP_PROTOCOL[c];
9a9096
         } catch (ArrayIndexOutOfBoundsException ex) {
9a9096
-            return true;
9a9096
+            return false;
9a9096
         }
9a9096
     }
9a9096
 
9a9096
 
9a9096
-    public static boolean isHttpProtocol(int c) {
9a9096
-        // Fast for valid HTTP protocol characters, slower for some incorrect
9a9096
+    public static boolean isUserInfo(int c) {
9a9096
+        // Fast for valid user info characters, slower for some incorrect
9a9096
         // ones
9a9096
         try {
9a9096
-            return IS_HTTP_PROTOCOL[c];
9a9096
+            return IS_USERINFO[c];
9a9096
+        } catch (ArrayIndexOutOfBoundsException ex) {
9a9096
+            return false;
9a9096
+        }
9a9096
+    }
9a9096
+
9a9096
+
9a9096
+    private static boolean isRelaxable(int c) {
9a9096
+        // Fast for valid user info characters, slower for some incorrect
9a9096
+        // ones
9a9096
+        try {
9a9096
+            return IS_RELAXABLE[c];
9a9096
         } catch (ArrayIndexOutOfBoundsException ex) {
9a9096
             return false;
9a9096
         }
9a9096
     }
9a9096
 
9a9096
 
9a9096
+    public static boolean isAbsolutePath(int c) {
9a9096
+        return DEFAULT.isAbsolutePathRelaxed(c);
9a9096
+    }
9a9096
+
9a9096
+
9a9096
+    public static boolean isQuery(int c) {
9a9096
+        return DEFAULT.isQueryRelaxed(c);
9a9096
+    }
9a9096
+
9a9096
+
9a9096
     // Skip any LWS and return the next char
9a9096
     private static int skipLws(StringReader input, boolean withReset)
9a9096
             throws IOException {
9a9096
@@ -579,6 +711,18 @@ public class HttpParser {
9a9096
         }
9a9096
     }
9a9096
 
9a9096
+    private void relax(boolean[] flags, String relaxedChars) {
9a9096
+        if (relaxedChars != null && relaxedChars.length() > 0) {
9a9096
+            char[] chars = relaxedChars.toCharArray();
9a9096
+            for (char c : chars) {
9a9096
+                if (isRelaxable(c)) {
9a9096
+                    flags[c] = true;
9a9096
+                    IS_NOT_REQUEST_TARGET[c] = false;
9a9096
+                }
9a9096
+            }
9a9096
+        }
9a9096
+    }
9a9096
+
9a9096
     private static enum SkipConstantResult {
9a9096
         FOUND,
9a9096
         NOT_FOUND,
9a9096
diff -up conf/catalina.properties.orig conf/catalina.properties
9a9096
--- conf/catalina.properties.orig	2019-03-05 12:13:51.934329862 -0500
9a9096
+++ conf/catalina.properties	2019-03-05 12:14:08.094279997 -0500
9a9096
@@ -132,6 +132,9 @@ tomcat.util.buf.StringCache.byte.enabled
9a9096
 #tomcat.util.buf.StringCache.trainThreshold=500000
9a9096
 #tomcat.util.buf.StringCache.cacheSize=5000
9a9096
 
9a9096
+# This system property is deprecated. Use the relaxedPathChars relaxedQueryChars
9a9096
+# attributes of the Connector instead. These attributes permit a wider range of
9a9096
+# characters to be configured as valid.
9a9096
 # Allow for changes to HTTP request validation
9a9096
-# WARNING: Using this option will expose the server to CVE-2016-6816
9a9096
+# WARNING: Using this option may expose the server to CVE-2016-6816
9a9096
 #tomcat.util.http.parser.HttpParser.requestTargetAllow=|
9a9096
diff -up webapps/docs/changelog.xml.orig webapps/docs/changelog.xml
9a9096
--- webapps/docs/changelog.xml.orig	2019-03-05 12:13:47.068344877 -0500
9a9096
+++ webapps/docs/changelog.xml	2019-03-05 12:14:08.103279970 -0500
9a9096
@@ -108,6 +108,12 @@
9a9096
         Improve handing of overflow in the UTF-8 decoder with supplementary
9a9096
         characters. (markt)
9a9096
       </fix>
9a9096
+      <add>
9a9096
+        <bug>62273</bug>: Implement configuration options to work-around
9a9096
+        specification non-compliant user agents (including all the major
9a9096
+        browsers) that do not correctly %nn encode URI paths and query strings
9a9096
+        as required by RFC 7230 and RFC 3986. (markt)
9a9096
+      </add>
9a9096
     </changelog>
9a9096
   </subsection>
9a9096
 </section>
9a9096
diff -up webapps/docs/config/http.xml.orig webapps/docs/config/http.xml
9a9096
--- webapps/docs/config/http.xml.orig	2017-03-09 08:51:43.000000000 -0500
9a9096
+++ webapps/docs/config/http.xml	2019-03-05 12:14:08.103279970 -0500
9a9096
@@ -516,6 +516,32 @@
9a9096
       expected concurrent requests (synchronous and asynchronous).

9a9096
     </attribute>
9a9096
 
9a9096
+    <attribute name="relaxedPathChars" required="false">
9a9096
+      

The HTTP/1.1

9a9096
+      specification requires that certain characters are %nn encoded when
9a9096
+      used in URI paths. Unfortunately, many user agents including all the major
9a9096
+      browsers are not compliant with this specification and use these
9a9096
+      characters in unencoded form. To prevent Tomcat rejecting such requests,
9a9096
+      this attribute may be used to specify the additional characters to allow.
9a9096
+      If not specified, no addtional characters will be allowed. The value may
9a9096
+      be any combination of the following characters:
9a9096
+      " < > [ \ ] ^ ` { | } . Any other characters
9a9096
+      present in the value will be ignored.

9a9096
+    </attribute>
9a9096
+
9a9096
+    <attribute name="relaxedQueryChars" required="false">
9a9096
+      

The HTTP/1.1

9a9096
+      specification requires that certain characters are %nn encoded when
9a9096
+      used in URI query strings. Unfortunately, many user agents including all
9a9096
+      the major browsers are not compliant with this specification and use these
9a9096
+      characters in unencoded form. To prevent Tomcat rejecting such requests,
9a9096
+      this attribute may be used to specify the additional characters to allow.
9a9096
+      If not specified, no addtional characters will be allowed. The value may
9a9096
+      be any combination of the following characters:
9a9096
+      " < > [ \ ] ^ ` { | } . Any other characters
9a9096
+      present in the value will be ignored.

9a9096
+    </attribute>
9a9096
+
9a9096
     <attribute name="restrictedUserAgents" required="false">
9a9096
       

The value is a regular expression (using java.util.regex)

9a9096
       matching the user-agent header of HTTP clients for which
9a9096
diff -up webapps/docs/config/systemprops.xml.orig webapps/docs/config/systemprops.xml
9a9096
--- webapps/docs/config/systemprops.xml.orig	2019-03-05 12:14:08.104279967 -0500
9a9096
+++ webapps/docs/config/systemprops.xml	2019-03-05 12:16:02.075928285 -0500
9a9096
@@ -709,11 +709,15 @@
9a9096
     </property>
9a9096
 
9a9096
     <property name="tomcat.util.http.parser.HttpParser.requestTargetAllow">
9a9096
+      

This system property is deprecated. Use the

9a9096
+      relaxedPathChars and relaxedQueryChars
9a9096
+      attributes of the Connector instead. These attributes permit a wider range
9a9096
+      of characters to be configured as valid.

9a9096
       

A string comprised of characters the server should allow even when they are not encoded.

9a9096
       These characters would normally result in a 400 status.

9a9096
       

The acceptable characters for this property are: |, {

9a9096
       , and }

9a9096
-      

WARNING: Use of this option will expose the server to CVE-2016-6816.

9a9096
+      

WARNING: Use of this option may expose the server to CVE-2016-6816.

9a9096
       

9a9096
       

If not specified, the default value of null will be used.

9a9096
     </property>
9a9096
diff -up test/org/apache/catalina/core/TestApplicationContext.java.orig test/org/apache/catalina/core/TestApplicationContext.java
9a9096
--- test/org/apache/catalina/core/TestApplicationContext.java.orig	2019-03-05 12:13:51.981329717 -0500
9a9096
+++ test/org/apache/catalina/core/TestApplicationContext.java	2019-03-05 12:14:08.094279997 -0500
9a9096
@@ -77,7 +77,7 @@ public class TestApplicationContext exte
9a9096
 
9a9096
         ByteChunk res = new ByteChunk();
9a9096
         int rc = getUrl("http://localhost:" + getPort() +
9a9096
-                "/test/bug5nnnn/bug53467].jsp", res, null);
9a9096
+                "/test/bug5nnnn/bug53467%5D.jsp", res, null);
9a9096
 
9a9096
         Assert.assertEquals(HttpServletResponse.SC_OK, rc);
9a9096
         Assert.assertTrue(res.toString().contains("

OK

"));