You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by Christopher Schultz <ch...@christopherschultz.net> on 2007/11/02 19:30:40 UTC
Paths containing %2F instead of /
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
All,
One of the unit tests is failing in the securityfilter project which
uses Tomcat (5.5) and httpunit for the tests themselves.
Basically, a test written a loooong time ago seems to be failing after
the fix for a bug which involves decoding of %2F in a URL into a '/'.
Either through mod_jk or directly to Tomcat's HTTP connector, now, any
request that has a / replaced with a %2F will not work. I'm pretty sure
this was a security fix.
I was wondering if anyone could explain what the initial problem was,
why this was "fixed" and if it makes any sense for me to try to fix this
test in any meaningful way, or if it should be simply removed.
(And yes, I have read this:
http://tomcat.apache.org/security-5.html#Fixed in Apache Tomcat 5.5.22,
5.0.SVN. I still don't get it... shouldn't it work properly when using
the HTTP connector?)
Thanks,
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFHK2zQ9CaO5/Lv0PARAum6AJ9J6r4TiKN3ZchTShHYfgTCUeq3UwCfX6Rz
tDz5wVwTx6tPdsV7e0YDL54=
=gPM3
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Paths containing %2F instead of /
Posted by Rainer Jung <ra...@kippdata.de>.
Very partial answer: for the apache part see
http://httpd.apache.org/docs/2.2/mod/core.html#allowencodedslashes
By default apache httpd does not allow those requests, and denies them
even before passing over to mod_jk. If allowed, it doesn't decode them.
If you enable them in Apache and want to check, which URL we pass
forward to Tomcat, set JkLogLevel debug and search for "Service". There
is a log line, which gives the URL in exactly the encoding in which
mod_jk forwards it to the backend.
Regards,
Rainer
Christopher Schultz schrieb:
> All,
>
> One of the unit tests is failing in the securityfilter project which
> uses Tomcat (5.5) and httpunit for the tests themselves.
>
> Basically, a test written a loooong time ago seems to be failing after
> the fix for a bug which involves decoding of %2F in a URL into a '/'.
>
> Either through mod_jk or directly to Tomcat's HTTP connector, now, any
> request that has a / replaced with a %2F will not work. I'm pretty sure
> this was a security fix.
>
> I was wondering if anyone could explain what the initial problem was,
> why this was "fixed" and if it makes any sense for me to try to fix this
> test in any meaningful way, or if it should be simply removed.
>
> (And yes, I have read this:
> http://tomcat.apache.org/security-5.html#Fixed in Apache Tomcat 5.5.22,
> 5.0.SVN. I still don't get it... shouldn't it work properly when using
> the HTTP connector?)
>
> Thanks,
> -chris
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Paths containing %2F instead of /
Posted by Rainer Jung <ra...@kippdata.de>.
For the Tomcat part:
Christopher Schultz schrieb:
> All,
>
> One of the unit tests is failing in the securityfilter project which
> uses Tomcat (5.5) and httpunit for the tests themselves.
>
> Basically, a test written a loooong time ago seems to be failing after
> the fix for a bug which involves decoding of %2F in a URL into a '/'.
>
> Either through mod_jk or directly to Tomcat's HTTP connector, now, any
> request that has a / replaced with a %2F will not work. I'm pretty sure
> this was a security fix.
>
> I was wondering if anyone could explain what the initial problem was,
> why this was "fixed" and if it makes any sense for me to try to fix this
> test in any meaningful way, or if it should be simply removed.
>
> (And yes, I have read this:
> http://tomcat.apache.org/security-5.html#Fixed in Apache Tomcat 5.5.22,
> 5.0.SVN. I still don't get it... shouldn't it work properly when using
> the HTTP connector?)
This page says:
-------
Tomcat permits '\', '%2F' and '%5C' as path delimiters. When Tomcat is
used behind a proxy (including, but not limited to, Apache HTTP server
with mod_proxy and mod_jk) configured to only proxy some contexts, a
HTTP request containing strings like "/\../" may allow attackers to work
around the context restriction of the proxy, and access the non-proxied
contexts.
The following Java system properties have been added to Tomcat to
provide additional control of the handling of path delimiters in URLs
(both options default to false):
org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH: true|false
org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH: true|false
Due to the impossibility to guarantee that all URLs are handled by
Tomcat as they are in proxy servers, Tomcat should always be secured as
if no proxy restricting context access was used.
------
and by default both are false, i.e. disallowed. If you need to use such
URLs, you need to set one or both of them to true (as a system property).
> Thanks,
> -chris
HTH
Rainer
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org