Subject: Re: [bdxr-comment] OASIS SMP Identifiers - proposal of disallowing the slash and backslash characters


Dear Maarten and Pawel,

 

First of all, thank you for your input to the SMP specification. I will put your comment on the agenda for our next TC meeting, which is scheduled for Wednesday May 10 (next week).

 

Just to clarify: I understand that your comment/request is for implementation in future versions of the SMP specification, and not for the current public review ending on May 14. Please clarify if this is not the case.

 

Best regards,

 

Kenneth

 

 

From: <bdxr-comment@lists.oasis-open.org> on behalf of "Maarten.DANIELS@ext.ec.europa.eu" <Maarten.DANIELS@ext.ec.europa.eu>
Date: Wednesday, May 3, 2017 at 7:27 AM
To: "bdxr-comment@lists.oasis-open.org" <bdxr-comment@lists.oasis-open.org>
Subject: [bdxr-comment] OASIS SMP Identifiers - proposal of disallowing the slash and backslash characters

 

Dear BDXR technical committee,

 

We would like to submit a change request to the OASIS SMP specifications.

 

In short, we propose to disallow the slash "/" and backslash "\" characters in the OASIS SMP Identifiers.

 

Please find below the more detailed technical background behind our proposal.

 

In general the OASIS SMP specifications give full freedom for characters used in Participant and Document Identifiers – the only rule is that any special characters must be URL-encoded.

So as of now, slash and backslash characters are allowed if they are URL-encoded as %2F and %5C:

http://docs.oasis-open.org/bdxr/bdx-smp/v1.0/cos01/bdx-smp-v1.0-cos01.html#_Toc458092050

2.4.3 On the use of percent encoding in URLs

When any type of identifiers are used in URLs, each section between slashes MUST be percent encoded individually, i.e. section by section.

For example, this implies that for an URL in the form of «/{identifier scheme}::{id}/services/{docType}», the slash literals MUST NOT be URL encoded.

 

Participant and Document Identifiers are transferred as the request's URL parameters.

Many web servers and libraries (e.g. Tomcat, Spring Security, etc.) by default forbid using encoded slash characters in URL parameters.

This is done for security reasons, as this could open the "Directory Traversal Vulnerability":

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450

 

As you can see, implementing the OASIS SMP specifications strictly requires (in the best case) applying a non-standard and less secure configuration to web servers, application libraries and/or reverse proxies.

In the worst case it might open the above-mentioned vulnerability.

 

Kind regards,

 

Pawel Gutowski and Maarten Daniels,

CEF eDelivery team
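The section-by-section encoding described in the change request, and the reason an encoded slash is hazardous, as an added example that is not part of the email thread or of the OASIS specification. The scheme, participant and document type values are constructed for illustration; the "/{identifier scheme}::{id}/services/{docType}" layout is the one quoted above.

```python
from urllib.parse import quote, unquote

# Characters the change request proposes to forbid inside SMP identifiers.
FORBIDDEN = {"/", "\\"}


def encode_section(value: str) -> str:
    """Percent-encode one URL path section in full (RFC 3986 unreserved
    characters only), so a '/' or '\\' inside an identifier becomes %2F / %5C."""
    return quote(value, safe="")


def smp_service_path(scheme: str, participant_id: str, doc_type: str) -> str:
    """Build /{scheme}::{id}/services/{docType}, encoding each section on its
    own so the structural slashes stay literal (spec section 2.4.3)."""
    return ("/" + encode_section(f"{scheme}::{participant_id}")
            + "/services/" + encode_section(doc_type))


def contains_encoded_slash(path: str) -> bool:
    """True if an encoded path carries %2F or %5C: exactly what Tomcat-style
    servers reject by default and what the proposal would make impossible."""
    upper = path.upper()
    return "%2F" in upper or "%5C" in upper


def path_sections(path: str, decode_before_split: bool) -> list[str]:
    """Split an SMP URL path into its sections.

    Correct order (decode_before_split=False): split on literal '/', then decode
    each section, so %2F stays inside the identifier it belongs to.
    Wrong order (decode_before_split=True): decoding first turns %2F into a
    separator and changes how the request is routed. That is the hazard that
    leads servers to reject encoded slashes in the first place."""
    if decode_before_split:
        return unquote(path).strip("/").split("/")
    return [unquote(s) for s in path.strip("/").split("/")]


def identifier_allowed(value: str) -> bool:
    """Apply the proposed rule: an identifier may not contain '/' or '\\'."""
    return not any(ch in value for ch in FORBIDDEN)


if __name__ == "__main__":
    # Constructed identifier containing a slash; not a real participant.
    path = smp_service_path("example-scheme", "0088:a/b", "example-doctype")
    print(path)                                  # slash encoded as %2F
    print(path_sections(path, decode_before_split=False))   # 3 sections
    print(path_sections(path, decode_before_split=True))    # 4 sections
```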


