Subject: [OASIS Issue Tracker] (ODATA-1033) Interoperability issue when using escaped slash/backslash in URLs


    [ https://issues.oasis-open.org/browse/ODATA-1033?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=65465#comment-65465 ] 

Ralf Handl edited comment on ODATA-1033 at 3/9/17 12:47 PM:
------------------------------------------------------------

Work-around for .NET client: use parameter alias for key

GET Categories('Comedy/Musical')
--> 
GET Categories(ID=@id)?@id='Comedy/Musical'

Problem: supporting parameter aliases is not required even for advanced server compliance level, so it won't always work

Which sort of sums up the problem: any OData-specific encoding that we are going to add now can only be optional for 4.0 clients and services.

If that doesn't concern us, we COULD add an implicit cast rule that allows binary values in place of string values, where the base64url-encoded binary is the UTF-8 representation of the string value:

GET Categories(binary'Q29tZWR5L011c2ljYWw=')


> Interoperability issue when using escaped slash/backslash in URLs
> -----------------------------------------------------------------
>
>                 Key: ODATA-1033
>                 URL: https://issues.oasis-open.org/browse/ODATA-1033
>             Project: OASIS Open Data Protocol (OData) TC
>          Issue Type: Improvement
>          Components: URL Conventions
>    Affects Versions: V4.0_OS
>            Reporter: Evan Ireland
>            Assignee: Ralf Handl
>            Priority: Minor
>             Fix For: V4.01_CSD02
>
>
> We have encountered issues with Tomcat servers handling %-encoded slashes (and backslashes) in URLs. In particular, even when getting the URL using HttpServletRequest.getRequestURI (which shouldn't do URL decoding) a percent-encoded backslash (e.g. in a quoted string within the URL) will appear in the result of getRequestURI as a forward slash.
> Now Tomcat apparently offers an option to permit this, but...
> According to http://stackoverflow.com/questions/9719224/coding-forward-and-backward-slashes-in-tomcat-7
> *Do not enable non-standard parsing of the URI. Disabled by default, but still in the application for backwards compatibility reasons are two system properties, org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH and org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH, that allow non-standard parsing of the URI. These properties significantly improve your chances of a directory traversal attack and are therefore strongly recommended to avoid using.*
> If correct handling of URLs requires the use of web server configurations that are strongly recommended against for security reasons, we might want to consider what recommendations/accommodations should be made in the OData specification to ensure end-to-end interoperability of strings containing 'special' characters.
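The following is an added illustration, not code from the OData TC or from the issue: it builds the three URL forms discussed in the comment above (key literal in the path, the parameter-alias work-around, and the proposed base64url binary cast) for the key `Comedy/Musical`, and then contrasts two ways a server might turn the path into segments. `split_then_decode` is the standards-conforming order (split on literal `/`, then percent-decode each segment); `decode_then_split` mimics the behaviour the issue description attributes to Tomcat, where an encoded slash, or an encoded backslash when a backslash-as-slash option is enabled, ends up acting as a path separator. The function names, the `ID` key property and the `@id` alias name are assumptions for the example; the base64 value is the one that appears in the comment.

```python
import base64
from urllib.parse import quote, unquote


def string_literal(value: str) -> str:
    """OData 4.0 string literal: single-quoted, embedded quotes doubled,
    everything except the quotes percent-encoded (so '/' becomes %2F)."""
    return quote("'" + value.replace("'", "''") + "'", safe="'")


def key_in_path(entity_set: str, key: str) -> str:
    """Canonical form: the key literal sits inside the path segment. This is
    the form that breaks when a container collapses %2F or %5C before routing."""
    return f"{entity_set}({string_literal(key)})"


def key_via_alias(entity_set: str, key_prop: str, key: str) -> str:
    """Work-around from the comment: a parameter alias moves the literal into
    the query string, so no encoded slash appears in the path at all.
    The alias name '@id' is an assumption for this example."""
    return f"{entity_set}({key_prop}=@id)?@id={string_literal(key)}"


def key_as_binary(entity_set: str, key: str) -> str:
    """Proposed implicit cast from the comment: base64url of the UTF-8 bytes.
    The '=' padding is kept to match the example in the comment."""
    b64 = base64.urlsafe_b64encode(key.encode("utf-8")).decode("ascii")
    return f"{entity_set}(binary'{b64}')"


def split_then_decode(path: str) -> list:
    """Conforming handling: split on literal '/' first, then percent-decode each
    segment. An encoded %2F or %5C can never act as a separator here."""
    return [unquote(seg) for seg in path.split("/")]


def decode_then_split(path: str, backslash_is_slash: bool = False) -> list:
    """Non-conforming handling, as the issue describes: percent-decode the whole
    path before splitting. An encoded slash becomes a separator; with the
    backslash-as-slash option modelled here, an encoded backslash does too."""
    decoded = unquote(path)
    if backslash_is_slash:
        decoded = decoded.replace("\\", "/")
    return decoded.split("/")


if __name__ == "__main__":
    key = "Comedy/Musical"  # constructed sample key, taken from the comment
    for url in (key_in_path("Categories", key),
                key_via_alias("Categories", "ID", key),
                key_as_binary("Categories", key)):
        print(url)
    path = key_in_path("Categories", key)
    print("conforming  :", split_then_decode(path))
    print("early decode:", decode_then_split(path))
    print("backslash   :", decode_then_split("Categories('a%5Cb')", True))
```

The early-decode case shows the key literal `'Comedy/Musical'` torn into two segments, which is why the alias and binary forms avoid the problem: neither puts a character that any decoder might treat as a separator into the path. The binary form also relies only on the base64url alphabet, so it is the only one of the three whose path segment is safe regardless of the server's decoding order.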



--
This message was sent by Atlassian JIRA
(v6.2.2#6258)

