1 //
2 // ========================================================================
3 // Copyright (c) 1995-2016 Mort Bay Consulting Pty. Ltd.
4 // ------------------------------------------------------------------------
5 // All rights reserved. This program and the accompanying materials
6 // are made available under the terms of the Eclipse Public License v1.0
7 // and Apache License v2.0 which accompanies this distribution.
8 //
9 // The Eclipse Public License is available at
10 // http://www.eclipse.org/legal/epl-v10.html
11 //
12 // The Apache License v2.0 is available at
13 // http://www.opensource.org/licenses/apache2.0.php
14 //
15 // You may elect to redistribute this code under either of these licenses.
16 // ========================================================================
17 //
18
19 package org.eclipse.jetty.rewrite.handler;
20
21 import java.io.IOException;
22
23 import javax.servlet.http.HttpServletRequest;
24 import javax.servlet.http.HttpServletResponse;
25
26 import org.eclipse.jetty.util.URIUtil;
27 import org.eclipse.jetty.util.log.Log;
28 import org.eclipse.jetty.util.log.Logger;
29
30 /**
31 * This rule can be used to protect against invalid unicode characters in a url making it into applications.
32 * <p>
33 * The logic is as follows.
34 * <ul>
35 * <li>if decoded uri character is an iso control character return code/reason</li>
36 * <li>if no UnicodeBlock is found for character return code/reason</li>
37 * <li>if character is in UnicodeBlock.SPECIALS return code/reason</li>
38 * </ul>
39 */
40 public class ValidUrlRule extends Rule
41 {
42 private static final Logger LOG = Log.getLogger(ValidUrlRule.class);
43
44 String _code = "400";
45 String _reason = "Illegal Url";
46
47 public ValidUrlRule()
48 {
49 _handling = true;
50 _terminating = true;
51 }
52
53 /* ------------------------------------------------------------ */
54 /**
55 * Sets the response status code.
56 *
57 * @param code
58 * response code
59 */
60 public void setCode(String code)
61 {
62 _code = code;
63 }
64
65 /* ------------------------------------------------------------ */
66 /**
67 * Sets the reason for the response status code. Reasons will only reflect if the code value is greater or equal to 400.
68 *
69 * @param reason the reason
70 */
71 public void setReason(String reason)
72 {
73 _reason = reason;
74 }
75
76 @Override
77 public String matchAndApply(String target, HttpServletRequest request, HttpServletResponse response) throws IOException
78 {
79 // best to decide the request uri and validate that
80 // String uri = request.getRequestURI();
81 String uri = URIUtil.decodePath(request.getRequestURI());
82
83 for (int i = 0; i < uri.length();)
84 {
85 int codepoint = uri.codePointAt(i);
86
87 if (!isValidChar(uri.codePointAt(i)))
88 {
89
90 int code = Integer.parseInt(_code);
91
92 // status code 400 and up are error codes so include a reason
93 if (code >= 400)
94 {
95 response.sendError(code,_reason);
96 }
97 else
98 {
99 response.setStatus(code);
100 }
101
102 // we have matched, return target and consider it is handled
103 return target;
104 }
105 i += Character.charCount(codepoint);
106 }
107
108 // we have not matched so return null
109 return null;
110 }
111
112 protected boolean isValidChar(int codepoint)
113 {
114 Character.UnicodeBlock block = Character.UnicodeBlock.of(codepoint);
115
116 LOG.debug("{} {} {} {}", Character.charCount(codepoint), codepoint, block, Character.isISOControl(codepoint));
117
118 return (!Character.isISOControl(codepoint)) && block != null && block != Character.UnicodeBlock.SPECIALS;
119 }
120
121 public String toString()
122 {
123 return super.toString() + "[" + _code + ":" + _reason + "]";
124 }
125 }