Posted to dev@tomcat.apache.org by bu...@apache.org on 2011/04/28 11:45:03 UTC

DO NOT REPLY [Bug 51132] New: Semicolon

https://issues.apache.org/bugzilla/show_bug.cgi?id=51132

           Summary: Semicolon
           Product: Tomcat 7
           Version: 7.0.12
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
        AssignedTo: dev@tomcat.apache.org
        ReportedBy: mmsssmm1@gmail.com


Created an attachment (id=26941)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=26941)
nginx and tomcat's access log and some screenshots

Sometimes we use nginx for load balancing. When we send a GET request to
http://127.0.0.1/g/..;/examples/
nginx will not process the "..;/" contained in the request URL, and forwards the
request to the real HTTP server such as Tomcat or Resin.
If the URL contains a semicolon ";", Resin will show a message like "The
request contains an illegal URL." but Tomcat will ignore the semicolon and
respond with the resource that we requested.
The problem is: if nginx has a rule that only forwards request URLs which start
with /g/, then the URL "/g/../examples/" would not be forwarded to Tomcat; but
for a URL like "/g/..;/examples/", nginx will forward the request and
Tomcat will treat it as a normal URL, so the examples will be accessed.
We don't want Tomcat to respond with the resource which is not allowed;
the attachment contains the nginx and Tomcat logs and some screenshots.

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


DO NOT REPLY [Bug 51132] it would ignore the semicolon which contained in the request url

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=51132

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

--- Comment #1 from Mark Thomas <ma...@apache.org> 2011-04-30 19:00:30 UTC ---
This took a little digging and some discussion with some httpd folks who are
more familiar with the specs than I am, but the conclusion is that Tomcat's
behaviour is correct.

rfc3986 defines dot segments as exactly ".." or ".". This means "..;" is not a
dot segment. Further rfc3986 states that interpretation of path parameters is
an application concern. Therefore, nginx is correctly normalising when ".." is
present and correctly forwarding "..;" to the application.

rfc2616 does not add anything in this case beyond what is in rfc3986.

The Servlet specification states that path parameters are ignored when mapping
requests. Therefore "..;" gets treated as ".." for mapping purposes, meaning
"/g/..;/examples" gets treated as "/g/../examples" for mapping, which is
normalised to "/examples".

Resin's error response is not specification compliant.

Tomcat is correctly serving the examples context in this case.

This issue is a good example of why relying solely on the mappings of a reverse
proxy to deny access to a particular context is likely to be insecure. Due to
the impossibility of guaranteeing that all URLs are handled by Tomcat as they are
in proxy servers, Tomcat should always be secured as if no proxy restricting
context access was used.

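The two normalisations Mark describes, modelled side by side as an added example (not code from the bug thread or from Tomcat/nginx): a proxy following RFC 3986 only collapses exact "." and ".." segments, while Servlet mapping first drops path parameters (";..." within a segment) and then collapses. The `/g/` prefix rule and the hardened variant that applies the rule to the servlet-mapped path are assumptions for illustration.

```python
"""Model of Bug 51132: proxy-side vs. Servlet-side path normalisation."""


def _collapse(segments):
    """RFC 3986 remove_dot_segments over a list of path segments:
    only the exact strings "." and ".." are dot segments."""
    out = []
    for seg in segments:
        if seg == "..":
            if out:
                out.pop()          # "/.." above the root is simply dropped
        elif seg != ".":
            out.append(seg)
    return "/" + "/".join(out)


def proxy_path(raw: str) -> str:
    """Path as an RFC 3986 proxy sees it: "..;" is an ordinary segment."""
    assert raw.startswith("/"), "absolute path expected"
    return _collapse(raw.split("/")[1:])


def servlet_path(raw: str) -> str:
    """Path used for Servlet mapping: path parameters are ignored first,
    so "..;" (or "..;jsessionid=x") becomes ".." and is then collapsed."""
    assert raw.startswith("/"), "absolute path expected"
    return _collapse(seg.split(";", 1)[0] for seg in raw.split("/")[1:])


def proxy_allows(raw: str, prefix: str = "/g/") -> bool:
    """Hypothetical proxy rule: forward only paths under /g/ (proxy's view)."""
    return proxy_path(raw).startswith(prefix)


def context_reached(raw: str) -> str:
    """Context Tomcat would select: first segment of the servlet-mapped path."""
    return "/" + servlet_path(raw).split("/")[1]


def hardened_proxy_allows(raw: str, prefix: str = "/g/") -> bool:
    """Mitigation: decide on the path Tomcat will actually map, and still
    secure Tomcat itself as if no proxy restriction existed."""
    return servlet_path(raw).startswith(prefix)


if __name__ == "__main__":
    for raw in ("/g/../examples/", "/g/..;/examples/", "/g/index.jsp;jsessionid=abc"):
        print(raw, proxy_allows(raw), context_reached(raw), hardened_proxy_allows(raw))
```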


DO NOT REPLY [Bug 51132] it would ignore the semicolon which contained in the request url

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=51132

daniel <mm...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|Semicolon                   |it would ignore the
                   |                            |semicolon which contained
                   |                            |in the request url
