OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

odata message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: [OASIS Issue Tracker] (ODATA-1033) Interoperability issue when using escaped slash/backslash in URLs


    [ https://issues.oasis-open.org/browse/ODATA-1033?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=65739#comment-65739 ] 

Evan Ireland commented on ODATA-1033:
-------------------------------------

Would appreciate a comment from Microsoft as to whether the .NET client HTTP API's special handling of %-encoded '/' (i.e. replacing it with unencoded '/' in the request path) will ever be fixed, or if it considered warranted as a long-term security precaution.


> Interoperability issue when using escaped slash/backslash in URLs
> -----------------------------------------------------------------
>
>                 Key: ODATA-1033
>                 URL: https://issues.oasis-open.org/browse/ODATA-1033
>             Project: OASIS Open Data Protocol (OData) TC
>          Issue Type: Improvement
>          Components: URL Conventions
>    Affects Versions: V4.0_OS
>         Environment: Proposed
>            Reporter: Evan Ireland
>            Assignee: Ralf Handl
>            Priority: Minor
>             Fix For: V4.01_CSD02
>
>
> We have encountered issues with Tomcat servers handling %-encoded slashes (and backslashes) in URLs. In particular, even when getting URL using HttpServletRequest.getRequestURI (which shouldn't do URL decoding) a percent-encoded backslash (e.g. in a quoted string within the URL) will appear in the result of getRequestURI as a forward slash.
> Now Tomcat apparently offers an option to permit this, but...
> According to http://stackoverflow.com/questions/9719224/coding-forward-and-backward-slashes-in-tomcat-7
> *Do not enable non-standard parsing of the URI. Disabled by default, but still in the application for backwards compatibility reasons are two system properties, org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH and org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH, that allow non-standard parsing of the URI. These properties significantly improve your chances of a directory traversal attack and are therefore strongly recommended to avoid using.*
> If correct handling of URLs requires the use of web server configurations that are strongly recommended against for security reasons, we might want to consider what recommendations/accommodations should be made in the OData specification to ensure end-to-end interoperability of strings containing 'special' characters.



--
This message was sent by Atlassian JIRA
(v6.2.2#6258)


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]