decode the request uri and validate that
This commit is contained in:
parent
a5081abc55
commit
51bb01e14b
|
@ -23,6 +23,8 @@ import java.io.IOException;
|
||||||
import javax.servlet.http.HttpServletRequest;
|
import javax.servlet.http.HttpServletRequest;
|
||||||
import javax.servlet.http.HttpServletResponse;
|
import javax.servlet.http.HttpServletResponse;
|
||||||
|
|
||||||
|
import org.eclipse.jetty.util.URIUtil;
|
||||||
|
|
||||||
public class ValidUrlRule extends Rule
|
public class ValidUrlRule extends Rule
|
||||||
{
|
{
|
||||||
String _code = "400";
|
String _code = "400";
|
||||||
|
@ -60,11 +62,12 @@ public class ValidUrlRule extends Rule
|
||||||
@Override
|
@Override
|
||||||
public String matchAndApply(String target, HttpServletRequest request, HttpServletResponse response) throws IOException
|
public String matchAndApply(String target, HttpServletRequest request, HttpServletResponse response) throws IOException
|
||||||
{
|
{
|
||||||
String uri = request.getRequestURI();
|
// best to decide the request uri and validate that
|
||||||
|
String uri = URIUtil.decodePath(request.getRequestURI());
|
||||||
|
|
||||||
for (int i = 0; i < uri.length(); ++i)
|
for (int i = 0; i < uri.length(); ++i)
|
||||||
{
|
{
|
||||||
if (!isPrintableChar(uri.charAt(i)))
|
if (!isValidChar(uri.charAt(i)))
|
||||||
{
|
{
|
||||||
int code = Integer.parseInt(_code);
|
int code = Integer.parseInt(_code);
|
||||||
|
|
||||||
|
@ -85,7 +88,7 @@ public class ValidUrlRule extends Rule
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
|
||||||
protected boolean isPrintableChar(char c)
|
protected boolean isValidChar(char c)
|
||||||
{
|
{
|
||||||
Character.UnicodeBlock block = Character.UnicodeBlock.of(c);
|
Character.UnicodeBlock block = Character.UnicodeBlock.of(c);
|
||||||
|
|
||||||
|
|
|
@ -50,20 +50,31 @@ public class ValidUrlRuleTest extends AbstractRuleTestCase
|
||||||
public void testInvalidUrl() throws Exception
|
public void testInvalidUrl() throws Exception
|
||||||
{
|
{
|
||||||
_rule.setCode("404");
|
_rule.setCode("404");
|
||||||
_request.setRequestURI("/invalid\u000c/uri.html");
|
_request.setRequestURI("/invalid%0c/uri.html");
|
||||||
|
|
||||||
String result = _rule.matchAndApply(_request.getRequestURI(), _request, _response);
|
String result = _rule.matchAndApply(_request.getRequestURI(), _request, _response);
|
||||||
|
|
||||||
assertEquals(404,_response.getStatus());
|
assertEquals(404,_response.getStatus());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testInvalidUrl2() throws Exception
|
||||||
|
{
|
||||||
|
_rule.setCode("404");
|
||||||
|
_request.setRequestURI("/%00/");
|
||||||
|
|
||||||
|
String result = _rule.matchAndApply(_request.getRequestURI(), _request, _response);
|
||||||
|
|
||||||
|
assertEquals(404,_response.getStatus());
|
||||||
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testCharacters() throws Exception
|
public void testCharacters() throws Exception
|
||||||
{
|
{
|
||||||
// space
|
// space
|
||||||
Assert.assertTrue( _rule.isPrintableChar("\u0020".charAt(0)));
|
Assert.assertTrue( _rule.isValidChar("\u0020".charAt(0)));
|
||||||
// form feed
|
// form feed
|
||||||
Assert.assertFalse( _rule.isPrintableChar("\u000c".charAt(0)));
|
Assert.assertFalse( _rule.isValidChar("\u000c".charAt(0)));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue