Posted to dev@tomcat.apache.org by bu...@apache.org on 2011/04/28 11:45:03 UTC
DO NOT REPLY [Bug 51132] New: Semicolon
https://issues.apache.org/bugzilla/show_bug.cgi?id=51132
Summary: Semicolon
Product: Tomcat 7
Version: 7.0.12
Platform: All
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
AssignedTo: dev@tomcat.apache.org
ReportedBy: mmsssmm1@gmail.com
Created an attachment (id=26941)
--> (https://issues.apache.org/bugzilla/attachment.cgi?id=26941)
nginx and tomcat's access log and some screenshots
Sometimes we use nginx for load balancing. When we send a GET request to
http://127.0.0.1/g/..;/examples/
nginx will not process the "..;/" contained in the request URL, and forwards the
request to the real HTTP server, such as Tomcat or Resin.
If the URL contains a semicolon ";", Resin will show a message like "The
request contains an illegal URL.", but Tomcat will ignore the semicolon and
respond with the resource that we requested.
The problem is: if nginx has a rule that only forwards request URLs which start
with /g/, then the URL "/g/../examples/" would not be forwarded to Tomcat; but
for a URL like "/g/..;/examples/", nginx will forward the request and
Tomcat will treat it as a normal URL, so the examples will be accessed.
We don't want Tomcat to respond with a resource which is not allowed.
The attachment contains the nginx and Tomcat logs and some screenshots.
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
DO NOT REPLY [Bug 51132] it would ignore the semicolon which
contained in the request url
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=51132
Mark Thomas <ma...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |INVALID
--- Comment #1 from Mark Thomas <ma...@apache.org> 2011-04-30 19:00:30 UTC ---
This took a little digging and some discussion with some httpd folks who are
more familiar with the specs than I am, but the conclusion is that Tomcat's
behaviour is correct.
rfc3986 defines dot segments as exactly ".." or ".". This means "..;" is not a
dot segment. Further rfc3986 states that interpretation of path parameters is
an application concern. Therefore, nginx is correctly normalising when ".." is
present and correctly forwarding "..;" to the application.
rfc2616 does not add anything in this case beyond what is in rfc3986.
The Servlet specification states that path parameters are ignored when mapping
requests. Therefore "..;" gets treated as ".." for mapping purposes, meaning
"/g/..;/examples" gets treated as "/g/../examples" for mapping, which is
normalised to "/examples".
Resin's error response is not specification compliant.
Tomcat is correctly serving the examples context in this case.
This issue is a good example of why relying solely on the mappings of a reverse
proxy to deny access to a particular context is likely to be insecure. Because
it is impossible to guarantee that all URLs are handled by Tomcat as they are
in proxy servers, Tomcat should always be secured as if no proxy restricting
context access was used.
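The discrepancy described in the bug report and in Mark Thomas's comment above, reduced to code, as an added example that is not part of the original thread or of Tomcat or nginx: an RFC 3986 `remove_dot_segments` pass (which nginx-style prefix rules apply to the raw path, where only the exact segments "." and ".." are dot segments) next to a Servlet-style mapping pass (which strips the ";..." path parameter from every segment first, so "..;" becomes ".."). The proxy rule "forward only paths under /g/", the sample request list, and the `hardened_proxy_forwards` variant that applies the Servlet-style stripping before the prefix check are all assumptions made for this example; the thread's own conclusion is that the back end must be secured as if no such proxy rule existed.

```python
"""Model of the "/g/..;/examples/" mismatch: RFC 3986 normalisation at the proxy
versus Servlet path-parameter stripping at the container.

Added example; not code from the Tomcat bug thread, Tomcat, or nginx.
"""


def remove_dot_segments(path: str) -> str:
    """RFC 3986 section 5.2.4 for an absolute path.

    Only the exact segments "." and ".." are dot segments. "..;" is an ordinary
    segment and is left alone, which is exactly the point made in the thread.
    """
    segs = path.split("/")  # absolute path: segs[0] == ""
    out = []
    for i, seg in enumerate(segs[1:], start=1):
        last = i == len(segs) - 1
        if seg == ".":
            if last:
                out.append("")  # keep the trailing slash, as the RFC does
        elif seg == "..":
            if out:
                out.pop()
            if last:
                out.append("")
        else:
            out.append(seg)
    return "/" + "/".join(out)


def strip_path_parameters(path: str) -> str:
    """Servlet-style: drop ";param=value" from every segment before mapping.

    "/g/..;/examples/" -> "/g/../examples/", "/g/a.jsp;jsessionid=X" -> "/g/a.jsp".
    """
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def servlet_mapping_path(path: str) -> str:
    """Path a Servlet container uses for context/servlet mapping."""
    return remove_dot_segments(strip_path_parameters(path))


# Assumed proxy rule (not nginx's real config parser): forward only requests
# whose RFC-normalised path lies under /g/.
PROXY_PREFIX = "/g/"


def proxy_forwards(path: str) -> bool:
    """Proxy decision that normalises dot segments but ignores path parameters."""
    return remove_dot_segments(path).startswith(PROXY_PREFIX)


def hardened_proxy_forwards(path: str) -> bool:
    """Assumed hardened rule: strip path parameters first, so "..;" cannot hide
    a ".." from the prefix check. Still no substitute for securing the back end."""
    return servlet_mapping_path(path).startswith(PROXY_PREFIX)


def bypasses_proxy(path: str) -> bool:
    """True when the proxy forwards the request but the container maps it
    outside the prefix the proxy meant to confine it to."""
    return proxy_forwards(path) and not servlet_mapping_path(path).startswith(PROXY_PREFIX)


# Constructed sample requests for this example (not from the bug's attachment).
SAMPLE_REQUESTS = [
    "/g/index.jsp",
    "/g/index.jsp;jsessionid=ABC123",
    "/g/../examples/",
    "/g/..;/examples/",
    "/g/sub/..;/..;/manager/html",
    "/examples/",
]


def audit(requests=SAMPLE_REQUESTS):
    """Return the (request, mapped_path) pairs that slip past the proxy rule."""
    return [(p, servlet_mapping_path(p)) for p in requests if bypasses_proxy(p)]


if __name__ == "__main__":
    for p in SAMPLE_REQUESTS:
        print(f"{p:32} proxy={proxy_forwards(p)!s:5} hardened={hardened_proxy_forwards(p)!s:5} "
              f"maps_to={servlet_mapping_path(p)}")
    print("bypasses:", audit())
```

Running the block prints one line per sample request; the two "..;" requests are forwarded by the naive rule yet map to /examples/ and /manager/html in the container, while the plain "/g/../examples/" request is stopped at the proxy because ".." is a real dot segment there. Percent-encoded variants and other decoding differences between proxy and container are outside what this thread discusses and are not modelled here.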
DO NOT REPLY [Bug 51132] it would ignore the semicolon which
contained in the request url
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=51132
daniel <mm...@gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Summary|Semicolon |it would ignore the
| |semicolon which contained
| |in the request url