Posted to users@tomcat.apache.org by George Stanchev <Ge...@microfocus.com> on 2019/02/06 14:05:50 UTC

Invalid URL characters via AJP

In light of recent changes around allowing and subsequent relaxation of the invalid characters handling in TC, I just noticed that TC behind IIS (via JK connector/AJP) happily accepts ";<> etc while the HTTP connector rejects them. Is this how the AJP connector is supposed to work? Is the assumption that the fronting service should be the line of defence?

Re: Invalid URL characters via AJP

Posted by Mark Thomas <ma...@apache.org>.
On 06/02/2019 14:05, George Stanchev wrote:
> In light of recent changes around allowing and subsequent relaxation of the invalid characters handling in TC, I just noticed that TC behind IIS (via JK connector/AJP) happily accepts ";<> etc while the HTTP connector rejects them. Is this how the AJP connector is supposed to work? Is the assumption that the fronting service should be the line of defence?
> 

The expectation is that the web server follows the HTTP specification.
I'd expect a web server to respond with a 400 to any invalid URI.

The defenses in the JK Connector are designed to protect against valid
but malicious URIs. Generally, directory traversal attacks and similar
attempts to bypass security constraints. As far as I recall, there
aren't explicit checks for URI validity.

I'll note that ; is a valid character in a URI while "<> do indeed need
to be escaped.

As an aside, this page may be useful for folks testing around this:
https://cwiki.apache.org/confluence/display/TOMCAT/Encoding+and+URIs

Mark
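The check Mark describes as the fronting web server's job, written out as an added example (not code from this thread, from Tomcat or from the JK connector): a small RFC 3986 validator for an origin-form request target (path plus optional query) that reports every character not permitted by the `pchar` / `query` grammar and every malformed percent-escape, so a front end can answer 400 before the request ever reaches AJP. It shows the distinction in the reply: `;` is a `sub-delims` character and passes, while `"`, `<` and `>` are rejected. The function names, the sample request targets and the 400-or-pass helper are assumptions made for this example.

```python
import string

# RFC 3986 section 2.2 / 3.3: the character classes that may appear unescaped
# in a path segment or query component.
UNRESERVED = set(string.ascii_letters + string.digits + "-._~")
SUB_DELIMS = set("!$&'()*+,;=")          # note: ';' is legal here
PCHAR = UNRESERVED | SUB_DELIMS | set(":@")
PATH_CHARS = PCHAR | {"/"}               # path = *( "/" segment )
QUERY_CHARS = PCHAR | set("/?")          # query = *( pchar / "/" / "?" )
HEXDIGITS = set(string.hexdigits)


def invalid_uri_chars(target):
    """Return [(position, char), ...] for every byte of an origin-form
    request target that RFC 3986 does not allow unescaped.  A '%' that is
    not followed by two hex digits is reported as a bad percent-escape.
    An empty list means the target is syntactically valid."""
    problems = []
    allowed = PATH_CHARS
    i = 0
    while i < len(target):
        c = target[i]
        if c == "?" and allowed is PATH_CHARS:
            allowed = QUERY_CHARS        # first '?' starts the query
            i += 1
            continue
        if c == "%":
            # pct-encoded = "%" HEXDIG HEXDIG
            if (i + 2 < len(target)
                    and target[i + 1] in HEXDIGITS
                    and target[i + 2] in HEXDIGITS):
                i += 3
                continue
            problems.append((i, "%"))
            i += 1
            continue
        if c not in allowed:             # covers '"', '<', '>', '#', space, controls
            problems.append((i, c))
        i += 1
    return problems


def is_valid_request_target(target):
    return not invalid_uri_chars(target)


def front_end_status(target):
    """What a spec-following front end should do: 400 for an invalid
    target, None (pass through to the application server) otherwise."""
    return None if is_valid_request_target(target) else 400


if __name__ == "__main__":
    # Constructed sample request targets for illustration only.
    samples = [
        "/app;jsessionid=ABC123",        # ';' is sub-delims: valid
        "/app/<b>\"x\"</b>",             # '<' '>' '"' must be escaped
        "/a%20b",                        # well-formed percent-escape
        "/a%zzb",                        # malformed percent-escape
        "/search?q=a?b&x=1",             # '?' is allowed inside the query
        "/page#frag",                    # fragments never travel in a request
    ]
    for t in samples:
        print(f"{t!r:32} -> {front_end_status(t) or 'pass'} {invalid_uri_chars(t)}")
```

The validator is deliberately syntactic: it says nothing about traversal sequences or security constraints, which is the separate, "valid but malicious" layer that the JK connector's own defenses address.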
