
Subject: [OASIS Issue Tracker] (ODATA-1033) Interoperability issue when using escaped slash/backslash in URLs


    [ https://issues.oasis-open.org/browse/ODATA-1033?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=65255#comment-65255 ] 

Evan Ireland commented on ODATA-1033:
-------------------------------------

More information on C# (.NET) clients: percent-encoded slashes (%2F) or backslashes (%5C) in URLs are changed by the .NET client-side framework to an unescaped slash if they appear in the request path of the URL, but are not changed if they appear in the query string.

Thus key predicates that include '/' or '\' cannot be expressed by the .NET clients, although they can be used in $filter.



> Interoperability issue when using escaped slash/backslash in URLs
> -----------------------------------------------------------------
>
>                 Key: ODATA-1033
>                 URL: https://issues.oasis-open.org/browse/ODATA-1033
>             Project: OASIS Open Data Protocol (OData) TC
>          Issue Type: Improvement
>          Components: OData URL Conventions
>    Affects Versions: V4.0_OS
>            Reporter: Evan Ireland
>            Priority: Minor
>             Fix For: V4.01_CSD02
>
>
> We have encountered issues with Tomcat servers handling %-encoded slashes (and backslashes) in URLs. In particular, even when getting the URL using HttpServletRequest.getRequestURI (which shouldn't do URL decoding), a percent-encoded backslash (e.g. in a quoted string within the URL) will appear in the result of getRequestURI as a forward slash.
> Now Tomcat apparently offers an option to permit this, but...
> According to http://stackoverflow.com/questions/9719224/coding-forward-and-backward-slashes-in-tomcat-7
> *Do not enable non-standard parsing of the URI. Disabled by default, but still in the application for backwards compatibility reasons are two system properties, org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH and org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH, that allow non-standard parsing of the URI. These properties significantly improve your chances of a directory traversal attack and are therefore strongly recommended to avoid using.*
> If correct handling of URLs requires the use of web server configurations that are strongly recommended against for security reasons, we might want to consider what recommendations/accommodations should be made in the OData specification to ensure end-to-end interoperability of strings containing 'special' characters.



--
This message was sent by Atlassian JIRA
(v6.2.2#6258)
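The decoding-order problem behind this issue, as an added illustration (not code from the issue, from Tomcat or from any OData implementation): a server that percent-decodes the whole path before splitting it on '/' turns an encoded %2F inside a key predicate into a segment separator, which is the same property that makes ALLOW_ENCODED_SLASH a traversal risk. Splitting on literal '/' first and decoding each segment afterwards keeps the encoded character inside its segment. The paths and entity names are constructed for the demonstration.

```python
from urllib.parse import unquote


def decode_then_split(raw_path: str) -> list[str]:
    """Unsafe order: percent-decode the full path, then split on '/'.
    An encoded %2F inside Products('a%2Fb') now acts as a path separator,
    and '..%2F' becomes a real '..' segment the path resolver may honour."""
    return unquote(raw_path).split("/")


def split_then_decode(raw_path: str) -> list[str]:
    """Safe order: split the RAW path on literal '/', then decode each
    segment. %2F and %5C stay inside the segment they were sent in, so a
    key predicate keeps its slash or backslash as data, not structure."""
    return [unquote(segment) for segment in raw_path.split("/")]


def safe_segments(raw_path: str) -> list[str]:
    """split_then_decode plus a defensive check: reject any segment that
    decodes to '.' or '..', since even a self-contained encoded dot-dot
    must never reach a file-system or routing layer as a traversal step."""
    segments = split_then_decode(raw_path)
    for segment in segments:
        if segment in (".", ".."):
            raise ValueError(f"rejected path segment {segment!r} in {raw_path!r}")
    return segments


if __name__ == "__main__":
    # Constructed OData-style request paths.
    key_with_slash = "/odata/Products('a%2Fb')"
    key_with_backslash = "/odata/Products('a%5Cb')"
    traversal_attempt = "/odata/..%2F..%2Fmanager"

    print(decode_then_split(key_with_slash))   # key predicate torn apart
    print(split_then_decode(key_with_slash))   # key predicate intact
    print(split_then_decode(key_with_backslash))
    print(decode_then_split(traversal_attempt))  # '..' segments appear
    print(split_then_decode(traversal_attempt))  # one opaque segment
    try:
        safe_segments("/odata/../manager")
    except ValueError as err:
        print("blocked:", err)
```

The same split-before-decode rule is what lets a server accept Products('a/b') as a key while still refusing encoded slashes as path separators.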