Tokens should not contain or end at ')'

apache · Jul 4, 2023 · 8102eab · 8102eab
1 parent 3ca1ca2
commit 8102eab
Show file tree

Hide file tree

Showing 4 changed files with 39 additions and 3 deletions.
diff --git a/java/org/apache/catalina/valves/ExtendedAccessLogValve.java b/java/org/apache/catalina/valves/ExtendedAccessLogValve.java
@@ -412,9 +412,7 @@ public String getToken() throws IOException {
                         parameter = true;
                         return result;
                     case ')':
-                        result = buf.toString();
-                        buf.setLength(0);
-                        break;
+                        throw new IOException(sm.getString("patternTokenizer.unexpectedParenthesis"));
                     default:
                         buf.append((char) c);
                 }

diff --git a/java/org/apache/catalina/valves/LocalStrings.properties b/java/org/apache/catalina/valves/LocalStrings.properties
@@ -130,6 +130,8 @@ http.511.reason=Network Authentication Required
 jdbcAccessLogValve.close=Failed to close database
 jdbcAccessLogValve.exception=Exception performing insert access entry
 
+patternTokenizer.unexpectedParenthesis=Unexpected ')' in pattern
+
 persistentValve.acquireFailed=The request for [{0}] did not obtain the per session Semaphore as no permit was available
 persistentValve.acquireInterrupted=The request for [{0}] did not obtain the per session Semaphore as it was interrupted while waiting for a permit
 persistentValve.filter.failure=Unable to compile filter=[{0}]

diff --git a/test/org/apache/catalina/valves/TestPatternTokenizer.java b/test/org/apache/catalina/valves/TestPatternTokenizer.java
@@ -0,0 +1,32 @@
+/* Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.catalina.valves;
+
+import java.io.IOException;
+
+import org.junit.Test;
+
+import org.apache.catalina.valves.ExtendedAccessLogValve.PatternTokenizer;
+
+public class TestPatternTokenizer {
+
+    @Test(expected = IOException.class)
+    public void doUnexpectedParenthesis() throws IOException {
+        String input = "a)aa)";
+        PatternTokenizer tokenizer = new PatternTokenizer(input);
+        tokenizer.getToken();
+    }
+}
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
@@ -111,6 +111,10 @@
         Fix potential database connection leaks in
         <code>DataSourceUserDatabase</code> identified by Coverity Scan. (markt)
       </fix>
+      <fix>
+        Make parsing of <code>ExtendedAccessLogValve</code> patterns more
+        robust. (markt)
+      </fix>
     </changelog>
   </subsection>
 </section>