1 //
2 // ========================================================================
3 // Copyright (c) 1995-2013 Mort Bay Consulting Pty. Ltd.
4 // ------------------------------------------------------------------------
5 // All rights reserved. This program and the accompanying materials
6 // are made available under the terms of the Eclipse Public License v1.0
7 // and Apache License v2.0 which accompanies this distribution.
8 //
9 // The Eclipse Public License is available at
10 // http://www.eclipse.org/legal/epl-v10.html
11 //
12 // The Apache License v2.0 is available at
13 // http://www.opensource.org/licenses/apache2.0.php
14 //
15 // You may elect to redistribute this code under either of these licenses.
16 // ========================================================================
17 //
18
19 package org.eclipse.jetty.rewrite.handler;
20
21 import java.io.IOException;
22
23 import javax.servlet.http.HttpServletRequest;
24 import javax.servlet.http.HttpServletResponse;
25
26 import org.eclipse.jetty.util.URIUtil;
27 import org.eclipse.jetty.util.log.Log;
28 import org.eclipse.jetty.util.log.Logger;
29
30 /**
31 * This rule can be used to protect against invalid unicode characters in a url making it into applications.
32 *
33 * The logic is as follows.
34 *
35 * - if decoded uri character is an iso control character return code/reason
36 * - if no UnicodeBlock is found for character return code/reason
37 * - if character is in UnicodeBlock.SPECIALS return code/reason
38 */
39 public class ValidUrlRule extends Rule
40 {
41 private static final Logger LOG = Log.getLogger(ValidUrlRule.class);
42
43 String _code = "400";
44 String _reason = "Illegal Url";
45
46 public ValidUrlRule()
47 {
48 _handling = true;
49 _terminating = true;
50 }
51
52 /* ------------------------------------------------------------ */
53 /**
54 * Sets the response status code.
55 *
56 * @param code
57 * response code
58 */
59 public void setCode(String code)
60 {
61 _code = code;
62 }
63
64 /* ------------------------------------------------------------ */
65 /**
66 * Sets the reason for the response status code. Reasons will only reflect if the code value is greater or equal to 400.
67 *
68 * @param reason
69 */
70 public void setReason(String reason)
71 {
72 _reason = reason;
73 }
74
75 @Override
76 public String matchAndApply(String target, HttpServletRequest request, HttpServletResponse response) throws IOException
77 {
78 // best to decide the request uri and validate that
79 // String uri = request.getRequestURI();
80 String uri = URIUtil.decodePath(request.getRequestURI());
81
82 for (int i = 0; i < uri.length();)
83 {
84 int codepoint = uri.codePointAt(i);
85
86 if (!isValidChar(uri.codePointAt(i)))
87 {
88
89 int code = Integer.parseInt(_code);
90
91 // status code 400 and up are error codes so include a reason
92 if (code >= 400)
93 {
94 response.sendError(code,_reason);
95 }
96 else
97 {
98 response.setStatus(code);
99 }
100
101 // we have matched, return target and consider it is handled
102 return target;
103 }
104 i += Character.charCount(codepoint);
105 }
106
107 // we have not matched so return null
108 return null;
109 }
110
111 protected boolean isValidChar(int codepoint)
112 {
113 Character.UnicodeBlock block = Character.UnicodeBlock.of(codepoint);
114
115 LOG.debug("{} {} {} {}", Character.charCount(codepoint), codepoint, block, Character.isISOControl(codepoint));
116
117 return (!Character.isISOControl(codepoint)) && block != null && block != Character.UnicodeBlock.SPECIALS;
118 }
119
120 public String toString()
121 {
122 return super.toString() + "[" + _code + ":" + _reason + "]";
123 }
124 }