Subject: [OASIS Issue Tracker] (BDXR-11) Disallowing slash and backslash characters
[ https://issues.oasis-open.org/browse/BDXR-11?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=67668#comment-67668 ]

Kenneth Bengtsson commented on BDXR-11:
---------------------------------------

Just reading through https://tools.ietf.org/html/rfc3986. Is this not already addressed in section 7.3?

> Disallowing slash and backslash characters
> ------------------------------------------
>
>                 Key: BDXR-11
>                 URL: https://issues.oasis-open.org/browse/BDXR-11
>             Project: OASIS Business Document Exchange (BDXR) TC
>          Issue Type: Improvement
>          Components: Documentation
>    Affects Versions: SMP 2.0
>            Reporter: Erlend Klakegg Bergheim
>            Priority: Minor
>
> From https://lists.oasis-open.org/archives/bdxr-comment/201705/msg00000.html
>
> Dear BDXR technical committee,
>
> We would like to submit a change request to the OASIS SMP specifications.
>
> In short, we propose to disallow the slash "/" and backslash "\" characters in the OASIS SMP Identifiers.
>
> Please find below the more detailed technical background behind our proposal.
>
> In general the OASIS SMP specifications give full freedom for characters used in Participant and Document Identifiers – the only rule is that any special characters must be URL-encoded.
> So as for now, slash and backslash chars are allowed if they are URL-encoded into %2F and %5C:
> http://docs.oasis-open.org/bdxr/bdx-smp/v1.0/cos01/bdx-smp-v1.0-cos01.html#_Toc458092050
>
> 2.4.3 On the use of percent encoding in URLs
> When any type of identifiers are used in URLs, each section between slashes MUST be percent encoded individually, i.e. section by section.
> For example, this implies that for a URL in the form of «/{identifier scheme}::{id}/services/{docType}», the slash literals MUST NOT be URL encoded.
>
> Participant and Document Identifiers are transferred as the request's URL parameters.
> Many web servers and libraries (i.e.: Tomcat, SpringSecurity, etc.) by default forbid using encoded slash characters in URL parameters.
> This is done for security reasons, as this could open the "Directory Traversal Vulnerability":
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450
>
> As you see, implementing the OASIS SMP specifications strictly requires (in the best case) applying a non-standard and less secure configuration to web servers, application libraries and/or reverse proxies.
> In the worst case it might open the above-mentioned vulnerability.
>
> Kind regards,
>
> Pawel Gutowski and Maarten Daniels,
> CEF eDelivery team

-- 
This message was sent by Atlassian JIRA
(v6.2.2#6258)
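As an added example (not part of this thread, the SMP specification or any SMP implementation), the following Python sketch applies the section-by-section encoding rule from 2.4.3 quoted above, checks an identifier against the proposed slash/backslash ban, and shows why decoding a path before splitting it on slashes makes an encoded slash ambiguous. The base URL, the helper names and the sample identifiers are assumptions chosen for illustration.

```python
from typing import List, Optional
from urllib.parse import quote, unquote

# Characters the change request proposes to forbid inside identifiers.
FORBIDDEN_CHARS = ("/", "\\")


def encode_section(section: str) -> str:
    """Percent-encode one path section on its own (spec section 2.4.3).

    safe="" means every reserved character is encoded, so a literal "/"
    inside an identifier becomes %2F and a backslash becomes %5C.
    """
    return quote(section, safe="")


def build_smp_url(base: str, scheme: str, participant: str,
                  doc_type: Optional[str] = None) -> str:
    """Build /{identifier scheme}::{id}/services/{docType}.

    Only the identifier sections are encoded; the slashes separating the
    sections stay literal, as the spec requires. Parameters are assumed.
    """
    path = "/" + encode_section(f"{scheme}::{participant}")
    if doc_type is not None:
        path += "/services/" + encode_section(doc_type)
    return base.rstrip("/") + path


def contains_forbidden(identifier: str) -> bool:
    """Check an identifier against the proposed slash/backslash ban."""
    return any(c in identifier for c in FORBIDDEN_CHARS)


def sections_split_then_decode(path: str) -> List[str]:
    """Correct reverse of the rule: split on literal "/", then decode."""
    return [unquote(s) for s in path.lstrip("/").split("/")]


def sections_decode_then_split(path: str) -> List[str]:
    """Wrong order: decoding first lets %2F act as a section separator.

    This ambiguity is why Tomcat and similar servers reject encoded
    slashes by default, and what the proposed ban removes at the source.
    """
    return unquote(path).lstrip("/").split("/")
```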