Posted to users@tomcat.apache.org by Venkata Rajesh Kotha <ve...@gmail.com> on 2021/05/17 21:01:09 UTC

Regarding : Bug 62273

Tomcat version - 9.0.24
OS - RHEL 8.3 , 64 bit

This is regarding Bug 62273

RFC 7230 and RFC 3986

Your suggestion is to add relaxedPathChars and relaxedQueryChars to
overcome the invalid special characters (i.e., [, ], {, etc.) issue in the URL.

Do we have any security breaches? Will we see any vulnerability if we use
these options?

Please suggest.

Awaiting your early response.

Regards,
Rajesh.

Re: Regarding : Bug 62273

Posted by Mark Thomas <ma...@apache.org>.
On 17/05/2021 22:01, Venkata Rajesh Kotha wrote:
> Tomcat version - 9.0.24
> OS - RHEL 8.3 , 64 bit
> 
> This is regarding Bug 62273
> 
> RFC 7230 and RFC 3986
> 
> Your suggestion is to add relaxedPathChars and relaxedQueryChars to
> overcome the invalid special characters (i.e., [, ], {, etc.) issue in the URL.
> 
> Do we have any security breaches? Will we see any vulnerability if we use
> these options?
> 
> Please suggest.

You are running Tomcat 9.0.24 which, at the time of writing, has 13 
known, published security vulnerabilities.

http://tomcat.apache.org/security-9.html

Are you sure you aren't impacted by any of these?

The Tomcat team can offer no guarantees regarding the security 
implications of using relaxedPathChars and/or relaxedQueryChars. From a 
purely Tomcat perspective it should not present a problem but the 
behaviour of clients, intermediate proxies and deployed applications are 
all a factor and their behaviour is unknown.

All components should reject these URIs as invalid. That they don't 
means that they are operating outside the RFCs and, therefore, the 
behaviour is unspecified. We have no way of knowing how the combination 
of components used in your system will react to such invalid URIs. It 
will probably just work. It might fail because one, or more, components 
rejects the URI. It is unlikely, but not impossible, that you will 
introduce some sort of security vulnerability. If there is a security 
issue, I'd guess at some sort of request/response mix-up or request 
smuggling issue.

In summary, you are probably going to be OK but in your position I'd be 
pushing hard for any component generating URIs that are not compliant 
with RFC 7203 and RFC 3986 to be fixed.

Mark
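
An added example, not part of the thread and not Tomcat code: one way to find which component is generating non-compliant URIs is to check request targets against the RFC 3986 path and query grammar, list the characters a strict parser rejects, and show the percent-encoded form a compliant sender would emit. The function name `check_target` and the sample targets are constructed for illustration.

```python
import re
from urllib.parse import quote

# RFC 3986 character classes (sections 2.2, 2.3, 3.3, 3.4).
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")
SUB_DELIMS = set("!$&'()*+,;=")
PCHAR = UNRESERVED | SUB_DELIMS | set(":@")
PATH_OK = PCHAR | {"/"}          # path  = segments of pchar separated by "/"
QUERY_OK = PCHAR | {"/", "?"}    # query = *( pchar / "/" / "?" )
PCT_ENCODED = re.compile(r"%[0-9A-Fa-f]{2}")


def _scan(part, allowed):
    """Return (offending characters in first-seen order, percent-encoded rewrite)."""
    bad, out, i = [], [], 0
    while i < len(part):
        if PCT_ENCODED.match(part, i):      # valid %XX triplet: keep as is
            out.append(part[i:i + 3])
            i += 3
            continue
        ch = part[i]
        if ch in allowed:
            out.append(ch)
        else:                               # includes a stray "%" and non-ASCII
            if ch not in bad:
                bad.append(ch)
            out.append(quote(ch, safe=""))
        i += 1
    return bad, "".join(out)


def check_target(target):
    """Check an origin-form request target (path[?query]) against RFC 3986."""
    path, sep, query = target.partition("?")
    bad_path, fixed_path = _scan(path, PATH_OK)
    bad_query, fixed_query = _scan(query, QUERY_OK)
    return {"path": bad_path, "query": bad_query,
            "encoded": fixed_path + sep + fixed_query}


if __name__ == "__main__":
    # Constructed sample targets, not taken from the thread.
    for t in ["/api/items?filter[name]=a&ids={1,2}",
              "/files/report[1].pdf",
              "/search?q=a%20b&tag=x|y",
              "/ok/path;v=1?x=1&y=%7B%7D"]:
        print(t, "->", check_target(t))
```

Running this over the request targets a client or proxy emits shows exactly which characters would have to be listed in relaxedPathChars or relaxedQueryChars, and what the sender should produce instead so that neither attribute is needed.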
