[FIXED HUDSON-1457] Update logic in Functions.decompose to be immune to mismatches

due to url-encoding or extra slashes in the request URL git-svn-id: https://hudson.dev.java.net/svn/hudson/trunk/hudson/main@14174 71c3de6d-444a-0410-be80-ed276b4c234a

[FIXED HUDSON-1457] Update logic in Functions.decompose to be immune to mismatches
due to url-encoding or extra slashes in the request URL git-svn-id: https://hudson.dev.java.net/svn/hudson/trunk/hudson/main@14174 71c3de6d-444a-0410-be80-ed276b4c234a
01e9631a · mindless · fc3f18df · 01e9631a
隐藏空白更改
内联并排

Showing with 12 addition and 14 deletion

core/src/main/java/hudson/Functions.java core/src/main/java/hudson/Functions.java +12 -14

未找到文件。
--- a/core/src/main/java/hudson/Functions.java
+++ b/core/src/main/java/hudson/Functions.java
@@ -178,20 +178,18 @@ public class Functions {
        String base = l.getUrl();

        String reqUri = req.getOriginalRequestURI();
-        // despite the spec saying this string is not decoded,
-        // Tomcat apparently decodes this string. You see ' ' instead of '%20', which is what
-        // the browser has sent. So do some quick scan to see if it's ASCII safe, and if not
-        // re-encode it. Otherwise it won't match with ancUrl.
-        if(reqUri.indexOf(' ')>=0) {
-            try {
-                // 3 arg version accepts illegal character. 1-arg version doesn't
-                reqUri = new URI(null,reqUri,null).toASCIIString();
-            } catch (URISyntaxException e) {
-                // try to use reqUri as is.
-            }
-        }
-
-        String rest = reqUri.substring(f.getUrl().length());
+        // Find "rest" or URI by removing N path components.
+        // Not using reqUri.substring(f.getUrl().length()) to avoid mismatches due to
+        // url-encoding or extra slashes.  Former may occur in Tomcat (despite the spec saying
+        // this string is not decoded, Tomcat apparently decodes this string. You see ' '
+        // instead of '%20', which is what the browser has sent), latter may occur in some
+        // proxy or URL-rewriting setups where extra slashes are inadvertently added.
+        String furl = f.getUrl();
+        int slashCount = 0;
+        // Count components in ancestor URL
+        for (int i = furl.indexOf('/'); i >= 0; i = furl.indexOf('/', i + 1)) slashCount++;
+        // Remove that many from request URL, ignoring extra slashes
+        String rest = reqUri.replaceFirst("(?:/+[^/]*){" + slashCount + "}", "");

        return new RunUrl( (Run) f.getObject(), head, base, rest);
    }