OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

bdxr message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: [OASIS Issue Tracker] (BDXR-11) Disallowing slash and backslash characters

    [ https://issues.oasis-open.org/browse/BDXR-11?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=67667#comment-67667 ] 

Erlend Klakegg Bergheim commented on BDXR-11:

Should we use questionmark as delimiter in SMP?

> Disallowing slash and backslash characters
> ------------------------------------------
>                 Key: BDXR-11
>                 URL: https://issues.oasis-open.org/browse/BDXR-11
>             Project: OASIS Business Document Exchange (BDXR) TC
>          Issue Type: Improvement
>          Components: Documentation
>    Affects Versions: SMP 2.0
>            Reporter: Erlend Klakegg Bergheim
>            Priority: Minor
> From https://lists.oasis-open.org/archives/bdxr-comment/201705/msg00000.html
> Dear BDXR technical committee,
> We would like to submit a change request to the OASIS SMP specifications.
> In short, we propose to disallow the slash "/" and backslash "\" characters in the OASIS SMP Identifiers.
> Please find below the more detailed technical background behind our proposal.
> In general the OASIS SMP specifications give full freedom for characters used in Participant and Document Identifiers – the only rule is that any special characters must be URL-encoded.
> So as for now, slash and backslash chars are allowed if they are url-encoded into: %2F and %5C
> http://docs.oasis-open.org/bdxr/bdx-smp/v1.0/cos01/bdx-smp-v1.0-cos01.html#_Toc458092050
> 2.4.3 On the use of percent encoding in URLs
> When any type of identifiers are used in URLs, each section between slashes MUST be percent encoded individually, i.e. section by section.
> For example, this implies that for an URL in the form of «/{identifier scheme}::{id}/services/{docType}», the slash literals MUST NOT be URL encoded.
> Participant and Document Identifiers are transferred as request's URL Parameters.
> Many web servers and libraries (i.e.: Tomcat, SpringSecurity, etc.) by default forbid using encoded slash characters in URL parameters.
> This is done for security reasons, as this could open the "Directory Traversal Vulnerability":
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450
> As you see, implementing the OASIS's SMP specifications strictly requires (in best case) to apply a non-standard and less secure configuration to webservers, application libraries and/or reverse-proxies.
> In worst case it might open the above mentioned vulnerability.
> Kind regards,
> Pawel Gutowski and Maarten Daniels,
> CEF eDelivery team

This message was sent by Atlassian JIRA

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]