Posted to users@tomcat.apache.org by Lutischán Ferenc <lu...@gmail.com> on 2013/05/08 14:46:57 UTC
backslash URL encoding
Dear Users,
Tomcat 7.0.39.
I have a problem with the following URL in Firefox 20:
http://dictzone.com/english-german-dictionary/a\ (it resulted in the
http://dictzone.com/english-german-dictionary/a%5C request).
It results in an empty page. This request doesn't arrive at my servlet /
filter code.
How to fix it?
Regards,
Ferenc
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: backslash URL encoding
Posted by Daniel Mikusa <dm...@gopivotal.com>.
On May 9, 2013, at 11:05 AM, Lutischán Ferenc wrote:
> Dear Dan,
>
> Thanks for your suggestion.
> I tried it, but it didn't work for me (Tomcat started with parameter: -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true).
> In my tomcat log:
> 127.0.0.1 - - [09/May/2013:15:34:54 +0200] "GET /angol-magyar-szotar/w%5C HTTP/1.1" 400 -
My fault, I think that you need this option as well.
-Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true
I tried setting both to true and it worked for me.
Dan
> Regards,
> Ferenc
>
> On May 8, 2013, at 9:09 AM, Lutischán Ferenc wrote:
>
> > Dear Dan,
> >
> > Thanks for your reply.
> >
> > 1. This site is a dictionary:
> > - Windows users often enter a "\" in place of "/"
> > - Rarely there are "\" in the phrases
>
> I think what you're looking for is this...
>
> org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true
>
> https://tomcat.apache.org/tomcat-7.0-doc/config/systemprops.html#Security
>
> If you set it to true, it should allow '%2F' and '%5C' in your URL.
>
> This has security implications though. Please read the following link for CVE-2007-0450.
>
> https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.10
>
> Dan
>
> On May 8, 2013, at 8:46 AM, Lutischán Ferenc wrote:
>>> Dear Users,
>>>
>>> Tomcat 7.0.39.
>>>
>>> I have a problem with the following URL in Firefox 20:
>>> http://dictzone.com/english-german-dictionary/a\ (it resulted in the http://dictzone.com/english-german-dictionary/a%5C request).
>> Why do you have a "\" on the end of the URL? Is that intentional? Does it work if you remove it?
>>
>>> It results in an empty page.
>> What is the HTTP Status code being returned with the request? 4xx? 5xx?
>>
>>
>>> This request doesn't arrive at my servlet / filter code.
>> Please include your servlet mapping from web.xml.
>>
>>
>> Dan
>>
>>
>>> How to fix it?
>>>
>>> Regards,
>>> Ferenc
>>>
>
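Added example, not part of the thread and not Tomcat code: with both properties set to true, %2F and %5C reach the application, so the application has to decide what counts as a path separator and what is dictionary data. The sketch below splits the undecoded URI (as returned by HttpServletRequest.getRequestURI()) on literal "/" first, decodes each segment once, and rejects dot-segments in the term. The class name, method names and sample URIs are hypothetical, and it assumes the webapp is deployed at the root context with no path parameters.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

// Added example; class and method names are hypothetical, sample URIs are constructed.
public class DictionaryPathCheck {
    /** Returns {dictionary, term}, or throws if the path is malformed or traversal-like. */
    static String[] parse(String rawRequestUri) {
        // Split on literal '/' BEFORE decoding, so %2F and %5C stay inside one segment.
        String[] raw = rawRequestUri.split("/", -1);
        if (raw.length != 3 || !raw[0].isEmpty()) {
            throw new IllegalArgumentException("expected /<dictionary>/<term>");
        }
        String dictionary = decode(raw[1]);
        String term = decode(raw[2]);
        // The dictionary name selects a resource: accept only a strict pattern.
        if (!dictionary.matches("[a-z]+(-[a-z]+)*")) {
            throw new IllegalArgumentException("bad dictionary name");
        }
        // The term is data, so '\' and '/' may appear in it, but never as part
        // of a dot-segment once both separators are treated alike.
        for (String part : term.split("[/\\\\]", -1)) {
            if (part.equals("..") || part.equals(".")) {
                throw new IllegalArgumentException("dot-segment in term");
            }
        }
        return new String[] { dictionary, term };
    }

    static String decode(String segment) {
        // URLDecoder maps '+' to a space; keep a literal '+' in a path segment.
        return URLDecoder.decode(segment.replace("+", "%2B"), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        String[] samples = {
            "/english-german-dictionary/a%5C",              // the case from the thread
            "/english-german-dictionary/and%2For",          // encoded slash inside a phrase
            "/english-german-dictionary/%5C..%5C..%5Cconf", // backslash dot-segments
            "/english-german-dictionary/..%2Fadmin"         // encoded-slash dot-segment
        };
        for (String uri : samples) {
            try {
                System.out.println("OK     " + uri + " -> term=" + parse(uri)[1]);
            } catch (IllegalArgumentException e) {
                System.out.println("REJECT " + uri + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The first two samples are accepted with the terms a\ and and/or; the last two are rejected as dot-segments.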
Re: backslash URL encoding
Posted by Lutischán Ferenc <lu...@gmail.com>.
Dear Dan,
Thanks for your suggestion.
I tried it, but it didn't work for me (Tomcat started with parameter:
-Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true).
In my tomcat log:
127.0.0.1 - - [09/May/2013:15:34:54 +0200] "GET /angol-magyar-szotar/w%5C HTTP/1.1" 400 -
Regards,
Ferenc
On May 8, 2013, at 9:09 AM, Lutischán Ferenc wrote:
> Dear Dan,
>
> Thanks for your reply.
>
> 1. This site is a dictionary:
> - Windows users often enter a "\" in place of "/"
> - Rarely there are "\" in the phrases
I think what you're looking for is this...
org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true
https://tomcat.apache.org/tomcat-7.0-doc/config/systemprops.html#Security
If you set it to true, it should allow '%2F' and '%5C' in your URL.
This has security implications though. Please read the following link
for CVE-2007-0450.
https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.10
Dan
On May 8, 2013, at 8:46 AM, Lutischán Ferenc wrote:
>> Dear Users,
>>
>> Tomcat 7.0.39.
>>
>> I have a problem with the following URL in Firefox 20:
>> http://dictzone.com/english-german-dictionary/a\ (it resulted in the http://dictzone.com/english-german-dictionary/a%5C request).
> Why do you have a "\" on the end of the URL? Is that intentional? Does it work if you remove it?
>
>> It results in an empty page.
> What is the HTTP Status code being returned with the request? 4xx? 5xx?
>
>
>> This request doesn't arrive at my servlet / filter code.
> Please include your servlet mapping from web.xml.
>
>
> Dan
>
>
>> How to fix it?
>>
>> Regards,
>> Ferenc
>>
Re: backslash URL encoding
Posted by Daniel Mikusa <dm...@gopivotal.com>.
On May 8, 2013, at 9:09 AM, Lutischán Ferenc wrote:
> Dear Dan,
>
> Thanks for your reply.
>
> 1. This site is a dictionary:
> - Windows users often enter a "\" in place of "/"
> - Rarely there are "\" in the phrases
I think what you're looking for is this…
org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true
https://tomcat.apache.org/tomcat-7.0-doc/config/systemprops.html#Security
If you set it to true, it should allow '%2F' and '%5C' in your URL.
This has security implications though. Please read the following link for CVE-2007-0450.
https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.10
Dan
>
> 2. The returned status code is: 400 Bad Request
>
> 3. Mappings:
> <servlet>
>     <servlet-name>index</servlet-name>
>     <servlet-class>com.ys.dictzone.Index</servlet-class>
> </servlet>
> <servlet-mapping>
>     <servlet-name>index</servlet-name>
>     <url-pattern>/*</url-pattern>
> </servlet-mapping>
> <servlet-mapping>
>     <servlet-name>error404</servlet-name>
>     <url-pattern>/error404</url-pattern>
> </servlet-mapping>
> <servlet-mapping>
>     <servlet-name>error500</servlet-name>
>     <url-pattern>/error500</url-pattern>
> </servlet-mapping>
> <filter>
>     <filter-name>SimpleCachingHeadersPageCachingFilter</filter-name>
>     <filter-class>com.ys.cache.GzipCachingFilter</filter-class>
>     <init-param>
>         <param-name>suppressStackTrace</param-name>
>         <param-value>false</param-value>
>     </init-param>
> </filter>
> <filter-mapping>
>     <filter-name>SimpleCachingHeadersPageCachingFilter</filter-name>
>     <url-pattern>/*</url-pattern>
> </filter-mapping>
>
> Regards,
> Ferenc
>
>
> On 2013.05.08 at 14:53, Daniel Mikusa wrote:
>> On May 8, 2013, at 8:46 AM, Lutischán Ferenc wrote:
>>
>>> Dear Users,
>>>
>>> Tomcat 7.0.39.
>>>
>>> I have a problem with the following URL in Firefox 20:
>>> http://dictzone.com/english-german-dictionary/a\ (it resulted in the http://dictzone.com/english-german-dictionary/a%5C request).
>> Why do you have a "\" on the end of the URL? Is that intentional? Does it work if you remove it?
>>
>>> It results in an empty page.
>> What is the HTTP Status code being returned with the request? 4xx? 5xx?
>>
>>
>>> This request doesn't arrive at my servlet / filter code.
>> Please include your servlet mapping from web.xml.
>>
>>
>> Dan
>>
>>
>>> How to fix it?
>>>
>>> Regards,
>>> Ferenc
>>>
Re: backslash URL encoding
Posted by Lutischán Ferenc <lu...@gmail.com>.
Dear Dan,
Thanks for your reply.
1. This site is a dictionary:
- Windows users often enter a "\" in place of "/"
- Rarely there are "\" in the phrases
2. The returned status code is: 400 Bad Request
3. Mappings:
<servlet>
    <servlet-name>index</servlet-name>
    <servlet-class>com.ys.dictzone.Index</servlet-class>
</servlet>
<servlet-mapping>
    <servlet-name>index</servlet-name>
    <url-pattern>/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>error404</servlet-name>
    <url-pattern>/error404</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>error500</servlet-name>
    <url-pattern>/error500</url-pattern>
</servlet-mapping>
<filter>
    <filter-name>SimpleCachingHeadersPageCachingFilter</filter-name>
    <filter-class>com.ys.cache.GzipCachingFilter</filter-class>
    <init-param>
        <param-name>suppressStackTrace</param-name>
        <param-value>false</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>SimpleCachingHeadersPageCachingFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
Regards,
Ferenc
On 2013.05.08 at 14:53, Daniel Mikusa wrote:
> On May 8, 2013, at 8:46 AM, Lutischán Ferenc wrote:
>
>> Dear Users,
>>
>> Tomcat 7.0.39.
>>
>> I have a problem with the following URL in Firefox 20:
>> http://dictzone.com/english-german-dictionary/a\ (it resulted in the http://dictzone.com/english-german-dictionary/a%5C request).
> Why do you have a "\" on the end of the URL? Is that intentional? Does it work if you remove it?
>
>> It results in an empty page.
> What is the HTTP Status code being returned with the request? 4xx? 5xx?
>
>
>> This request doesn't arrive at my servlet / filter code.
> Please include your servlet mapping from web.xml.
>
>
> Dan
>
>
>> How to fix it?
>>
>> Regards,
>> Ferenc
>>
Re: backslash URL encoding
Posted by Daniel Mikusa <dm...@gopivotal.com>.
On May 8, 2013, at 8:46 AM, Lutischán Ferenc wrote:
> Dear Users,
>
> Tomcat 7.0.39.
>
> I have a problem with the following URL in Firefox 20:
> http://dictzone.com/english-german-dictionary/a\ (it resulted in the http://dictzone.com/english-german-dictionary/a%5C request).
Why do you have a "\" on the end of the URL? Is that intentional? Does it work if you remove it?
>
> It results in an empty page.
What is the HTTP Status code being returned with the request? 4xx? 5xx?
> This request doesn't arrive at my servlet / filter code.
Please include your servlet mapping from web.xml.
Dan
>
> How to fix it?
>
> Regards,
> Ferenc
>