Posted to dev@wink.apache.org by "BK Lau (JIRA)" <ji...@apache.org> on 2013/04/03 16:41:15 UTC

[jira] [Closed] (WINK-361) Wink cannot resolve URI path segments that have encoded forward slashes

     [ https://issues.apache.org/jira/browse/WINK-361?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

BK Lau closed WINK-361.
-----------------------

    Resolution: Not A Problem

The issue is verified to be related to a Tomcat security fix:

Quote:
Important: Directory traversal CVE-2007-0450 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450

Tomcat permits '\', '%2F' and '%5C' as path delimiters. When Tomcat is used behind a proxy (including, but not limited to, Apache HTTP server with mod_proxy and mod_jk) configured to only proxy some contexts, an HTTP request containing strings like "/\../" may allow attackers to work around the context restriction of the proxy, and access the non-proxied contexts.

The following Java system properties have been added to Tomcat to provide additional control of the handling of path delimiters in URLs (both options default to false):

org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH: true|false
org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH: true|false
Because it is impossible to guarantee that all URLs are handled by Tomcat as they are in proxy servers, Tomcat should always be secured as if no proxy restricting context access was used.

Affects: 6.0.0-6.0.9


Resolved by setting the system property -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true
                
> Wink cannot resolve URI path segments that have encoded forward slashes
> -------------------------------------------------------------------------
>
>                 Key: WINK-361
>                 URL: https://issues.apache.org/jira/browse/WINK-361
>             Project: Wink
>          Issue Type: Bug
>          Components: Server
>    Affects Versions: 1.1.3
>         Environment: Any
>            Reporter: BK Lau
>            Priority: Blocker
>              Labels: Encoding, URI, forward, slashes
>
> Wink cannot resolve URIs that have encoded forward slashes in them.
> Example: Consider the URI:
> /servers/{server}
> If the URI template parameter {server} is "http://abc.com:8000",
> one would get "404 - Not Found" because of the "//" slashes

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
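The two Tomcat properties quoted in the comment above decide whether an encoded slash (%2F), an encoded backslash (%5C) or a literal backslash is accepted as a path delimiter, and the advisory's point is that a front proxy which matches contexts on the raw request path can see a different path than Tomcat dispatches on once those delimiters are decoded and "/../" is normalized. The model below is an added example, not Tomcat or Wink code: it approximates the effect of ALLOW_ENCODED_SLASH and ALLOW_BACKSLASH on a request path, adds an assumed reverse proxy that forwards only raw paths under a made-up "/public/" context, and runs the "/\../" style probe from the advisory plus the "http://abc.com:8000" segment from the issue through it. The "/public/" and "/manager" contexts, the helper names and the 400-as-None convention are all assumptions of this example.

```python
"""Model of Tomcat's path-delimiter handling behind CVE-2007-0450.

Added example: this is NOT Tomcat or Wink code. It approximates what
org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH and
org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH change, plus
an assumed front proxy that forwards only requests whose raw path starts
with a proxied context ("/public/" here, a made-up prefix).
"""
import re

_HEX2 = re.compile(r"[0-9A-Fa-f]{2}")


def percent_decode(raw, allow_encoded_slash=False):
    """Decode %XX escapes one at a time. Returns None (Tomcat answers 400)
    for a malformed escape, or for an escape that decodes to '/' while
    ALLOW_ENCODED_SLASH is false. %5C (backslash) passes this stage and is
    policed by normalize() under ALLOW_BACKSLASH instead."""
    out = []
    i = 0
    while i < len(raw):
        if raw[i] != "%":
            out.append(raw[i])
            i += 1
            continue
        hexpart = raw[i + 1:i + 3]
        if not _HEX2.fullmatch(hexpart):
            return None
        ch = chr(int(hexpart, 16))
        if ch == "/" and not allow_encoded_slash:
            return None
        out.append(ch)
        i += 3
    return "".join(out)


def normalize(path, allow_backslash=False):
    """Collapse '//', '/./' and '/../'. A backslash is rejected (None)
    unless ALLOW_BACKSLASH is true, in which case it becomes '/'. A '..'
    that climbs above the root is rejected."""
    if "\\" in path:
        if not allow_backslash:
            return None
        path = path.replace("\\", "/")
    trailing = len(path) > 1 and path.endswith("/")
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not segments:
                return None
            segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments) + ("/" if trailing and segments else "")


def tomcat_path(raw, allow_encoded_slash=False, allow_backslash=False):
    """The path Tomcat would dispatch on, or None for a 400 response."""
    decoded = percent_decode(raw, allow_encoded_slash)
    if decoded is None:
        return None
    return normalize(decoded, allow_backslash)


PROXIED_CONTEXTS = ("/public/",)  # assumed proxy configuration, not from the page


def proxy_forwards(raw):
    """Assumed reverse proxy: matches contexts on the raw, undecoded path."""
    return any(raw.startswith(p) for p in PROXIED_CONTEXTS)


def reached_context(raw, **flags):
    """Context the request lands in after proxy and Tomcat, or None if blocked."""
    if not proxy_forwards(raw):
        return None
    path = tomcat_path(raw, **flags)
    if path is None:
        return None
    return "/" + path.split("/")[1]


if __name__ == "__main__":
    # Constructed probes: the advisory's "/\../" trick in %5C and %2F form,
    # and the issue's "http://abc.com:8000" template value, percent-encoded.
    probes = ["/public/%5C../manager/html",
              "/public/%2F../manager/html",
              "/servers/http%3A%2F%2Fabc.com%3A8000"]
    for raw in probes:
        print(raw)
        print("  defaults (both false)     ->", tomcat_path(raw))
        print("  ALLOW_ENCODED_SLASH=true  ->", tomcat_path(raw, allow_encoded_slash=True))
        print("  both true                 ->", tomcat_path(raw, allow_encoded_slash=True,
                                                           allow_backslash=True))
```

With both properties at their default of false, every probe is rejected before dispatch. Setting only ALLOW_ENCODED_SLASH=true, as the comment above does, lets "/servers/http%3A%2F%2Fabc.com%3A8000" through, but in this model the decoded value is no longer a single path segment, and it also lets "/public/%2F../manager/html" normalize to "/manager/html" after the assumed proxy has already accepted it as a "/public/" request. That is the reason the quoted Tomcat text says to secure Tomcat as if no proxy restricted context access at all: once the flag is on, context restrictions enforced only at the proxy do not hold.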