svn commit: r1804754 - /tomcat/trunk/java/org/apache/coyote/http2/Stream.java

Author: markt
Date: Fri Aug 11 07:06:46 2017
New Revision: 1804754

URL: http://svn.apache.org/viewvc?rev=1804754&view=rev
Log:
Now CVE-2017-7675 is public, make the comment more specific

Modified:
    tomcat/trunk/java/org/apache/coyote/http2/Stream.java

Modified: tomcat/trunk/java/org/apache/coyote/http2/Stream.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http2/Stream.java?rev=1804754&r1=1804753&r2=1804754&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http2/Stream.java (original)
+++ tomcat/trunk/java/org/apache/coyote/http2/Stream.java Fri Aug 11 07:06:46 2017
@@ -313,8 +313,10 @@ class Stream extends AbstractStream impl
                 String query = value.substring(queryStart + 1);
                 coyoteRequest.queryString().setString(query);
             }
-            // Bug 61120. Set the URI as bytes rather than String so any path
-            // parameters are correctly processed
+            // Bug 61120. Set the URI as bytes rather than String so:
+            // - any path parameters are correctly processed
+            // - the normalization security checks are performed that prevent
+            //   directory traversal attacks
             byte[] uriBytes = uri.getBytes(StandardCharsets.ISO_8859_1);
             coyoteRequest.requestURI().setBytes(uriBytes, 0, uriBytes.length);
             break;
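Review bot: The expanded comment above the `uri.getBytes(...)` / `requestURI().setBytes(...)` lines still does not name CVE-2017-7675, even though the log message gives its publication as the reason for this change. Adding the identifier next to "Bug 61120" would let someone reading Stream.java tie the directory traversal bullet to the advisory without consulting the revision history. Since the comment now marks the bytes-versus-String choice as security-relevant, it could also state outright that this call must not be changed back to a String setter.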


