1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
|
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.tomcat.util.http;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import jakarta.servlet.http.HttpServletRequest;
public class RequestUtil {
private RequestUtil() {
// Hide default constructor as this is a utility class
}
/**
* Normalize a relative URI path. This method normalizes "/./", "/../", "//" and "\". If the input path is an
* attempt to 'escape the root' (e.g. /../input.txt) then {@code null} is returned to prevent attempts to 'escape
* the root'. <strong>WARNING</strong> - No other URI validation checks are performed.
*
* @param path Relative path to be normalized
*
* @return The normalized path or {@code null} if the input path attempts to 'escape the root'.
*/
public static String normalize(String path) {
return normalize(path, true);
}
/**
* Normalize a relative URI path. This method normalizes "/./", "/../" and "//". This method optionally normalizes
* "\". If the input path is an attempt to 'escape the root' (e.g. /../input.txt) then {@code null} is returned to
* prevent attempts to 'escape the root'. <strong>WARNING</strong> - No other URI validation checks are performed.
*
* @param path Relative path to be normalized
* @param replaceBackSlash Should '\\' be normalized to '/'
*
* @return The normalized path or {@code null} if the input path attempts to 'escape the root'.
*/
public static String normalize(String path, boolean replaceBackSlash) {
if (path == null) {
return null;
}
// Create a place for the normalized path
String normalized = path;
if (replaceBackSlash && normalized.indexOf('\\') >= 0) {
normalized = normalized.replace('\\', '/');
}
// Add a leading "/" if necessary
if (!normalized.startsWith("/")) {
normalized = "/" + normalized;
}
boolean addedTrailingSlash = false;
if (normalized.endsWith("/.") || normalized.endsWith("/..")) {
normalized = normalized + "/";
addedTrailingSlash = true;
}
// Resolve occurrences of "//" in the normalized path
while (true) {
int index = normalized.indexOf("//");
if (index < 0) {
break;
}
normalized = normalized.substring(0, index) + normalized.substring(index + 1);
}
// Resolve occurrences of "/./" in the normalized path
while (true) {
int index = normalized.indexOf("/./");
if (index < 0) {
break;
}
normalized = normalized.substring(0, index) + normalized.substring(index + 2);
}
// Resolve occurrences of "/../" in the normalized path
while (true) {
int index = normalized.indexOf("/../");
if (index < 0) {
break;
}
if (index == 0) {
return null; // Trying to go outside our context
}
int index2 = normalized.lastIndexOf('/', index - 1);
normalized = normalized.substring(0, index2) + normalized.substring(index + 3);
}
if (normalized.length() > 1 && addedTrailingSlash) {
// Remove the trailing '/' we added to that input and output are
// consistent w.r.t. to the presence of the trailing '/'.
normalized = normalized.substring(0, normalized.length() - 1);
}
// Return the normalized path that we have completed
return normalized;
}
public static boolean isSameOrigin(HttpServletRequest request, String origin) {
// Build scheme://host:port from request
StringBuilder target = new StringBuilder();
String scheme = request.getScheme();
String host = request.getServerName();
if (scheme == null || host == null) {
return false;
}
scheme = scheme.toLowerCase(Locale.ENGLISH);
target.append(scheme).append("://").append(host);
int port = request.getServerPort();
// Origin may or may not include the (default) port.
// At this point target doesn't include a port.
if (target.length() == origin.length()) {
// origin and target can only be equal if both are using default
// ports. Therefore, only append the port to the target if a
// non-default port is used.
if (("http".equals(scheme) || "ws".equals(scheme)) && port != 80 ||
("https".equals(scheme) || "wss".equals(scheme)) && port != 443) {
target.append(':');
target.append(port);
}
} else {
// origin and target can only be equal if:
// a) origin includes an explicit default port
// b) origin is using a non-default port
// Either way, add the port to the target so it can be compared
target.append(':');
target.append(port);
}
// Both scheme and host are case-insensitive but the CORS spec states
// this check should be case-sensitive
return origin.contentEquals(target);
}
/**
* Checks if a given origin is valid or not. Criteria:
* <ul>
* <li>If an encoded character is present in origin, it's not valid.</li>
* <li>If origin is "null", it's valid.</li>
* <li>Origin should be a valid {@link URI}</li>
* </ul>
*
* @param origin The origin URI
*
* @return <code>true</code> if the origin was valid
*
* @see <a href="http://tools.ietf.org/html/rfc952">RFC952</a>
*/
public static boolean isValidOrigin(String origin) {
// Checks for encoded characters. Helps prevent CRLF injection.
if (origin.contains("%")) {
return false;
}
// "null" is a valid origin
if ("null".equals(origin)) {
return true;
}
// RFC6454, section 4. "If uri-scheme is file, the implementation MAY
// return an implementation-defined value.". No limits are placed on
// that value so treat all file URIs as valid origins.
if (origin.startsWith("file://")) {
return true;
}
URI originURI;
try {
originURI = new URI(origin);
} catch (URISyntaxException e) {
return false;
}
// If scheme for URI is null, return false. Return true otherwise.
return originURI.getScheme() != null;
}
}
|
