

Subject: [OASIS Issue Tracker] (BDXR-11) Disallowing slash and backslash characters


Erlend Klakegg Bergheim created BDXR-11:
-------------------------------------------

             Summary: Disallowing slash and backslash characters
                 Key: BDXR-11
                 URL: https://issues.oasis-open.org/browse/BDXR-11
             Project: OASIS Business Document Exchange (BDXR) TC
          Issue Type: Improvement
          Components: Documentation
    Affects Versions: SMP 2.0
            Reporter: Erlend Klakegg Bergheim
            Priority: Minor


From https://lists.oasis-open.org/archives/bdxr-comment/201705/msg00000.html

Dear BDXR technical committee,


We would like to submit a change request to the OASIS SMP specifications.


In short, we propose to disallow the slash "/" and backslash "\" characters in the OASIS SMP Identifiers.


Please find below the more detailed technical background behind our proposal.


In general the OASIS SMP specifications give full freedom for characters used in Participant and Document Identifiers – the only rule is that any special characters must be URL-encoded.

So as for now, slash and backslash characters are allowed if they are URL-encoded into %2F and %5C:

http://docs.oasis-open.org/bdxr/bdx-smp/v1.0/cos01/bdx-smp-v1.0-cos01.html#_Toc458092050

2.4.3 On the use of percent encoding in URLs

When any type of identifiers are used in URLs, each section between slashes MUST be percent encoded individually, i.e. section by section.

For example, this implies that for an URL in the form of «/{identifier scheme}::{id}/services/{docType}», the slash literals MUST NOT be URL encoded.


Participant and Document Identifiers are transferred as request's URL Parameters.

Many web servers and libraries (i.e.: Tomcat, SpringSecurity, etc.) by default forbid using encoded slash characters in URL parameters.

This is done for security reasons, as this could open the "Directory Traversal Vulnerability":

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450


As you see, implementing the OASIS SMP specifications strictly requires (in the best case) applying a non-standard and less secure configuration to web servers, application libraries and/or reverse proxies.

In the worst case it might open the above-mentioned vulnerability.


Kind regards,


Pawel Gutowski and Maarten Daniels,

CEF eDelivery team
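The following Python example is added here to illustrate the issue described in the change request above; it is not code from the OASIS issue, the SMP specification or the CEF eDelivery team. It encodes SMP URL sections one by one as section 2.4.3 requires, applies the proposed rule (reject identifiers containing "/" or "\"), and shows why servers treat encoded slashes with suspicion: a component that decodes the whole path before splitting it into sections sees a different structure from one that splits first and decodes each section afterwards. The identifiers, the base URL and the "busdox-docid-qns"/"Invoice-2" document type are constructed sample values, not taken from the page.

```python
from typing import List, Optional
from urllib.parse import quote, unquote

# Characters the change request proposes to disallow in SMP identifiers.
FORBIDDEN = frozenset("/\\")

# Constructed sample identifiers (not taken from the original issue), shaped like
# the "{scheme}::{id}" identifiers the SMP specification places in URL sections.
SAMPLE_SCHEME = "iso6523-actorid-upis"
SAMPLE_OK = "0088:1234567890123"      # plain identifier, no separator characters
SAMPLE_SLASH = "0088:123/456"         # hypothetical identifier containing "/"
SAMPLE_BACKSLASH = "0088:123\\456"    # hypothetical identifier containing "\"


def has_forbidden_chars(identifier: str) -> bool:
    """Proposed rule: an identifier, in its decoded form, must not contain
    a slash or a backslash."""
    return any(ch in FORBIDDEN for ch in identifier)


def encode_section(section: str) -> str:
    """Percent-encode one URL section as SMP 1.0 section 2.4.3 requires: each
    section between slashes is encoded on its own, so every character that is
    not unreserved is encoded, including ':' (%3A) and '/' (%2F)."""
    return quote(section, safe="")


def smp_url(base: str, scheme: str, identifier: str,
            doc_scheme: Optional[str] = None, doc_id: Optional[str] = None) -> str:
    """Build '{base}/{scheme}::{id}' or '{base}/{scheme}::{id}/services/{docType}'.
    The structural slashes stay literal; each section is encoded separately."""
    path = "/" + encode_section(f"{scheme}::{identifier}")
    if doc_scheme is not None and doc_id is not None:
        path += "/services/" + encode_section(f"{doc_scheme}::{doc_id}")
    return base.rstrip("/") + path


def path_sections(path: str, decode_before_split: bool) -> List[str]:
    """Why servers reject %2F by default: decoding the whole path before
    splitting it changes the number of sections a routing layer sees, whereas
    splitting first and decoding each section keeps the structure intact."""
    if decode_before_split:
        return [s for s in unquote(path).split("/") if s]
    return [unquote(s) for s in path.split("/") if s]


def sections_with_separators(path: str) -> List[int]:
    """Server-side check an SMP implementation could apply: indices of the
    sections whose decoded value contains a slash or backslash, i.e. requests
    that rely on encoded separators and would be rejected under the proposal."""
    sections = [s for s in path.split("/") if s]
    return [i for i, s in enumerate(sections) if has_forbidden_chars(unquote(s))]


if __name__ == "__main__":
    base = "https://smp.example.test"  # assumed base URL, not from the page
    for ident in (SAMPLE_OK, SAMPLE_SLASH, SAMPLE_BACKSLASH):
        url = smp_url(base, SAMPLE_SCHEME, ident, "busdox-docid-qns", "Invoice-2")
        path = url[len(base):]
        print(url)
        print("  proposed rule rejects identifier:", has_forbidden_chars(ident))
        print("  sections, split then decode:     ", path_sections(path, False))
        print("  sections, decode then split:     ", path_sections(path, True))
        print("  sections using encoded separators:", sections_with_separators(path))
```

Running the block prints, for the identifier containing "/", three sections when each section is decoded individually but four when the path is decoded first; that mismatch between layers is the reason Tomcat and similar servers refuse encoded slashes unless explicitly configured to accept them, and it is what the proposed rule removes.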



--
This message was sent by Atlassian JIRA
(v6.2.2#6258)

