OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

odata message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: [OASIS Issue Tracker] (ODATA-1033) Interoperability issue when using escaped slash/backslash in URLs

    [ https://issues.oasis-open.org/browse/ODATA-1033?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=65760#comment-65760 ] 

Evan Ireland commented on ODATA-1033:

Mike commented:

    "Could add verbage to caution against use of slash/backslash in key values."

Unfortunately this issue also affects FunctionImport parameters, and although it might seem to be reasonable to discourage use of slashes in keys, it isn't reasonable for function parameters.

Should service authors be forced to define functions as actions to workaround this issue?

> Interoperability issue when using escaped slash/backslash in URLs
> -----------------------------------------------------------------
>                 Key: ODATA-1033
>                 URL: https://issues.oasis-open.org/browse/ODATA-1033
>             Project: OASIS Open Data Protocol (OData) TC
>          Issue Type: Improvement
>          Components: URL Conventions
>    Affects Versions: V4.0_OS
>         Environment: Proposed
>            Reporter: Evan Ireland
>            Assignee: Ralf Handl
>            Priority: Minor
>             Fix For: V4.01_CSD02
> We have encountered issues with Tomcat servers handling %-encoded slashes (and backslashes) in URLs. In particular, even when getting URL using HttpServletRequest.getRequestURI (which shouldn't do URL decoding) a percent-encoded backslash (e.g. in a quoted string within the URL) will appear in the result of getRequestURI as a forward slash.
> Now Tomcat apparently offers an option to permit this, but...
> According to http://stackoverflow.com/questions/9719224/coding-forward-and-backward-slashes-in-tomcat-7
> *Do not enable non-standard parsing of the URI. Disabled by default, but still in the application for backwards compatibility reasons are two system properties, org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH and org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH, that allow non-standard parsing of the URI. These properties significantly improve your chances of a directory traversal attack and are therefore strongly recommended to avoid using.*
> If correct handling of URLs requires the use of web server configurations that are strongly recommended against for security reasons, we might want to consider what recommendations/accommodations should be made in the OData specification to ensure end-to-end interoperability of strings containing 'special' characters.

This message was sent by Atlassian JIRA

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]