glassfish
  1. glassfish
  2. GLASSFISH-1512

2nd semicolon in request URI never found

    Details

    • Type: Bug Bug
    • Status: Resolved
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: 9.1pe
    • Fix Version/s: 9.1pe_dev
    • Component/s: web_container
    • Labels:
      None
    • Environment:

      Operating System: All
      Platform: Sun

    • Issuezilla Id:
      1,512
    • Status Whiteboard:
      Hide

      fixed-pwc12

      Show
      fixed-pwc12

      Description

      CoyoteRequest.parseSessionIdFromRequestURI() is supposed to remove any
      jsessionid from the URI, so that it won't be considered by the request mapper.

      However, when sending this request:

      GET /123/test.jsp;jsessionid=123;myid=456 HTTP/1.0

      the URI after returning from CoyoteRequest.parseSessionIdFromRequestURI() looks
      like this:

      /123/test.jsp

      instead of

      /123/test.jsp;myid=456

      Only ";jsessionid=123" should have been removed from the URI, but not ";myid=456".

      The problem is that the 2nd semicolon is never found, because
      CoyoteRequest.parseSessionIdFromRequestURI() is feeding a wrong start
      index to ByteChunk.indexOf():

      semicolon2 = uriBC.indexOf (';', start + semicolon + match.length());

      Notice how the impl of ByteChunk.indexOf() already adds "start" to the start
      index, like this:

      public int indexOf(char c, int starting) {
      int ret = indexOf( buff, start+starting, end, c);

      Therefore, CoyoteRequest.parseSessionIdFromRequestURI() must not add it itself.

        Activity

        Hide
        gfbugbridge added a comment -

        <BT6493664>

        Show
        gfbugbridge added a comment - <BT6493664>
        Hide
        jluehe added a comment -

        Make sure that if a request URI carries 2 params, one of which is named for the
        standard "jsessionid" and therefore is supposed to be consumed by the container,
        the other is preserved in the return value of ServletRequest.getRequestURI().

        Checking in CoyoteRequest.java;
        /cvs/glassfish/appserv-webtier/src/java/org/apache/coyote/tomcat5/CoyoteRequest.java,v
        <-- CoyoteRequest.java
        new revision: 1.40; previous revision: 1.39
        done

        Unit test:
        /cvs/glassfish/appserv-tests/devtests/web/servletRequestURIMultipleSemicolons

        Show
        jluehe added a comment - Make sure that if a request URI carries 2 params, one of which is named for the standard "jsessionid" and therefore is supposed to be consumed by the container, the other is preserved in the return value of ServletRequest.getRequestURI(). Checking in CoyoteRequest.java; /cvs/glassfish/appserv-webtier/src/java/org/apache/coyote/tomcat5/CoyoteRequest.java,v <-- CoyoteRequest.java new revision: 1.40; previous revision: 1.39 done Unit test: /cvs/glassfish/appserv-tests/devtests/web/servletRequestURIMultipleSemicolons
        Hide
        kmeduri added a comment -

        Merged the fix to PWC12Dev_Branch:

        Checking in appserv-webtier/src/java/org/apache/coyote/tomcat5/CoyoteRequest.java;
        /cvs/glassfish/appserv-webtier/src/java/org/apache/coyote/tomcat5/CoyoteRequest.java,v
        <-- CoyoteRequest.java
        new revision: 1.30.6.4; previous revision: 1.30.6.3
        done

        Show
        kmeduri added a comment - Merged the fix to PWC12Dev_Branch: Checking in appserv-webtier/src/java/org/apache/coyote/tomcat5/CoyoteRequest.java; /cvs/glassfish/appserv-webtier/src/java/org/apache/coyote/tomcat5/CoyoteRequest.java,v <-- CoyoteRequest.java new revision: 1.30.6.4; previous revision: 1.30.6.3 done

          People

          • Assignee:
            jluehe
            Reporter:
            jluehe
          • Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: