Subject: [OASIS Issue Tracker] (ODATA-1033) Interoperability issue when using escaped slash/backslash in URLs
[ https://issues.oasis-open.org/browse/ODATA-1033?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=65656#comment-65656 ]

Ralf Handl commented on ODATA-1033:
-----------------------------------

Unfortunately this collides with the current cast rule #2 - Primitive types are cast to Edm.String or a type definition based on it by using the literal representation used in payloads

See http://docs.oasis-open.org/odata/odata/v4.01/csprd01/part2-url-conventions/odata-v4.01-csprd01-part2-url-conventions.html#_Toc470093674

This implies that

GET Categories?$filter=ID eq binary'Q29tZWR5L011c2ljYWw='

is already allowed and equivalent to omitting the binary prefix:

GET Categories?$filter=ID eq 'Q29tZWR5L011c2ljYWw='.

As an alternative we could add a "decode" or "base64urldecode" function

GET Categories?$filter=ID eq decode(binary'Q29tZWR5L011c2ljYWw=')

Or we just break the current cast rule #2

> Interoperability issue when using escaped slash/backslash in URLs
> -----------------------------------------------------------------
>
>                 Key: ODATA-1033
>                 URL: https://issues.oasis-open.org/browse/ODATA-1033
>             Project: OASIS Open Data Protocol (OData) TC
>          Issue Type: Improvement
>          Components: URL Conventions
>    Affects Versions: V4.0_OS
>         Environment: Proposed
>            Reporter: Evan Ireland
>            Assignee: Ralf Handl
>            Priority: Minor
>             Fix For: V4.01_CSD02
>
>
> We have encountered issues with Tomcat servers handling %-encoded slashes (and backslashes) in URLs. In particular, even when getting the URL using HttpServletRequest.getRequestURI (which shouldn't do URL decoding) a percent-encoded backslash (e.g. in a quoted string within the URL) will appear in the result of getRequestURI as a forward slash.
> Now Tomcat apparently offers an option to permit this, but...
> According to http://stackoverflow.com/questions/9719224/coding-forward-and-backward-slashes-in-tomcat-7
> *Do not enable non-standard parsing of the URI. Disabled by default, but still in the application for backwards compatibility reasons are two system properties, org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH and org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH, that allow non-standard parsing of the URI. These properties significantly improve your chances of a directory traversal attack and are therefore strongly recommended to avoid using.*
> If correct handling of URLs requires the use of web server configurations that are strongly recommended against for security reasons, we might want to consider what recommendations/accommodations should be made in the OData specification to ensure end-to-end interoperability of strings containing 'special' characters.

--
This message was sent by Atlassian JIRA
(v6.2.2#6258)
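The alternative Ralf sketches, carrying the value as a base64url binary literal and decoding it server-side, can be tried out with the following added Python example. It is not code from this thread or from the OData project; the `decode()` function, the `ID` property and the query-building helper names are assumptions made for illustration. It shows why the binary form sidesteps the Tomcat behaviour Evan describes: the base64url alphabet contains no slash, backslash, `+` or `%`, so nothing in the URL needs ALLOW_ENCODED_SLASH or ALLOW_BACKSLASH, and the server can validate the literal against the ABNF before decoding it.

```python
"""Carrying slash/backslash-bearing strings in an OData $filter.

Added example, not from the thread or the OData project: contrasts a
percent-encoded quoted string literal (leaves %2F / %5C in the URL) with the
base64url binary literal + decode() alternative from Ralf's comment. The
decode() function, the ID property and the helper names are assumptions.
"""
import base64
import binascii
import re
from urllib.parse import quote

# OData ABNF for binary literals: base64url alphabet (ALPHA / DIGIT / "-" / "_")
# with optional trailing "=" padding. Nothing in that alphabet is '/', '\\', '+' or '%'.
_BINARY_LITERAL = re.compile(r"^binary'([A-Za-z0-9_-]*={0,2})'$")


def encode_binary_literal(value: str) -> str:
    """UTF-8 string -> OData binary literal using the base64url alphabet."""
    raw = base64.urlsafe_b64encode(value.encode("utf-8")).decode("ascii")
    return f"binary'{raw}'"


def is_well_formed_binary_literal(literal: str) -> bool:
    """Syntactic check against the ABNF; '+' or '/' inside the quotes is rejected."""
    return _BINARY_LITERAL.match(literal) is not None


def decode_binary_literal(literal: str) -> str:
    """Model of the hypothetical decode(binary'...') function from the comment.

    Validates the literal before touching base64, so the server never has to
    guess at stray characters, and tolerates omitted padding (the ABNF allows it).
    """
    m = _BINARY_LITERAL.match(literal)
    if m is None:
        raise ValueError(f"not a well-formed binary literal: {literal!r}")
    raw = m.group(1)
    raw += "=" * (-len(raw) % 4)  # restore padding if the client dropped it
    try:
        return base64.urlsafe_b64decode(raw).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"undecodable binary literal: {literal!r}") from exc


def filter_with_string_literal(value: str) -> str:
    """$filter carrying the value as a quoted string literal, percent-encoded.

    A '/' or '\\' in the value survives only as %2F / %5C, exactly the bytes the
    Tomcat behaviour in the issue collapses.
    """
    escaped = value.replace("'", "''")  # OData doubles the single quote inside string literals
    return "$filter=" + quote(f"ID eq '{escaped}'", safe="")


def filter_with_binary_literal(value: str) -> str:
    """Same predicate, but the value travels as decode(binary'...')."""
    return "$filter=" + quote(f"ID eq decode({encode_binary_literal(value)})", safe="")


def needs_encoded_slash_support(query: str) -> bool:
    """True if the URL relies on the server accepting (encoded) slashes or backslashes."""
    upper = query.upper()
    return any(tok in upper for tok in ("/", "\\", "%2F", "%5C"))


if __name__ == "__main__":
    # Constructed sample values: one with '/', one with '\', one with a quote.
    for value in ("Comedy/Musical", "C:\\Temp\\file", "it's"):
        for label, build in (("string", filter_with_string_literal),
                             ("binary", filter_with_binary_literal)):
            q = build(value)
            print(f"{value!r:18} {label}: {q}  needs_encoded_slash={needs_encoded_slash_support(q)}")
    # The literal quoted in the thread round-trips to the plain string it encodes.
    print(decode_binary_literal("binary'Q29tZWR5L011c2ljYWw='"))
```

Running the script prints each constructed value twice: the string-literal form carries `%2F` or `%5C` and is flagged as needing encoded-slash support, while the `decode(binary'...')` form never contains either. The regex in `decode_binary_literal` is the defensive part: a literal using the standard base64 alphabet (`+` or `/`) is rejected outright rather than being silently passed to the decoder.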