[
Date Prev][
Date Next][
Thread Prev][
Thread Next][
Date Index][
Thread Index]
[
List Home]
|
Re: [servlet-dev] Path Parameters
|
- From: Mark Thomas <markt@xxxxxxxxxx>
- Date: Wed, 17 Feb 2021 12:47:04 +0000
- Autocrypt: addr=markt@xxxxxxxxxx; prefer-encrypt=mutual; keydata= mQINBEq0DukBEAD4jovHOPJDxoD+JnO1Go2kiwpgRULasGlrVKuSUdP6wzcaqWmXpqtOJKKw W2MQFQLmg7nQ9RjJwy3QCbKNDJQA/bwbQT1F7WzTCz2S6vxC4zxKck4t6RZBq2dJsYKF0CEh 6ZfY4dmKvhq+3istSoFRdHYoOPGWZpuRDqfZPdGm/m335/6KGH59oysn1NE7a2a+kZzjBSEg v23+l4Z1Rg7+fpz1JcdHSdC2Z+ZRxML25eVatRVz4yvDOZItqDURP24zWOodxgboldV6Y88C 3v/7KRR+1vklzkuA2FqF8Q4r/2f0su7MUVviQcy29y/RlLSDTTYoVlCZ1ni14qFU7Hpw43KJ tgXmcUwq31T1+SlXdYjNJ1aFkUi8BjCHDcSgE/IReKUanjHzm4XSymKDTeqqzidi4k6PDD4j yHb8k8vxi6qT6Udnlcfo5NBkkUT1TauhEy8ktHhbl9k60BvvMBP9l6cURiJg1WS77egI4P/8 2oPbzzFiGFqXyJKULVgxtdQ3JikCpodp3f1fh6PlYZwkW4xCJLJucJ5MiQp07HAkMVW5w+k8 Xvuk4i5quh3N+2kzKHOOiQCDmN0sz0XjOE+7XBvM1lvz3+UarLfgSVmW8aheLd7eaIl5ItBk 8844ZJ60LrQ+JiIqvqJemxyIM6epoZvY5a3ZshZpcLilC5hW8QARAQABtCJNYXJrIEUgRCBU aG9tYXMgPG1hcmt0QGFwYWNoZS5vcmc+iQI3BBMBCgAhBQJKtA7pAhsDBQsJCAcDBRUKCQgL BRYCAwEAAh4BAheAAAoJEBDAHFovYFnn2YgQAKN6FLG/I1Ij3PUlC/XNlhasQxPeE3w2Ovtt weOQPYkblJ9nHtGH5pNqG2/qoGShlpI04jJy9GxWKOo7NV4v7M0mbVlCXVgjdlvMFWdL7lno cggwJAFejQcYlVtxyhu4m50LBvBunEhxCbQcKnnWmkB7Ocm0Ictaqjc9rCc1F/aNhVMUpJ0z G1kyTp9hxvN6TbCQlacMx5ocTWzL0zn6QZhbUfrYwfxYJmSnkVYZOYzXIXIsLN5sJ9Q4P8tj Y4qWgd+bQvOqPWrkzL9LVRnGOrSYIsoM5zWdoj1g1glMzK/ZqJdRqqqBhe6FYTbXipz8oX8i mCebcaxZnfLhGiqqX+yDa3YUwDiqom+sZOc0iXGvKkqltPLpNeF0MVT7aZjalsQ/v2Ysb24R Ql9FfjfWmvT8ZPWz8Kore1AI4UcIIgFVtM+zuLlL9CIsGjg+gHDE2dhZDY0qfizlHL9CoAWU DM3pIfxM2V4BRn1xO+j/mModhjmYLZvnFVz4KGkNO7wRkofAANIWYo3WI5x83BGDH371t3NR rrpSSFP0XpQX6/Leaj2j6U6puABL2qBxhscsO6chc3u4/+019ff+peZVsc9ttcTQXsKIujmM b8p2sk5usmv6PKVX3oW/RAxpbVHU5kZ5px1Hq7mMQdZfLs5ff4YymXBH02z4/RmSzPam0Xb5 uQINBEq0DukBEADCNEkws5YroBmbu8789Xf006gTl5LzD/Hdt3sAp9iCfPgucO+l7U+xbo1X HTMJQwEVfS+Rx3RbaLYRG+hU7FuJLQB/5NaCDNRuqw5KHyQtJUH+zo84IqqfMzG8aOSdHg1y r2xKH4QTmgQONBu/W0xEZmZro6TjYNwkk2pwXK2yuImZPUOy+mK1qF8Wm3hTtkPE+FFSNFIa eHDoTGmx/0Riu/K7dNJTrC0TlRpn2K6d60zB53YYTc+0DYSDyB0FupXiAx/+XEGn3Q7eNi2B V6w50v5r51QP8zptiFflMfFKNAfV8xS5MteQd98YS5qqd/LPo3gS5HFPQaSL0k3RTClv7fQN HcZFqmv0OWpix6zm2npYxhqsTDGeSa52/uXehVXF5JubYFifMSLpbGVZqdrmG5hr2cycxsjF iY0zJOaRitmN/JWbOGLiwrcN4ukKNyFntFG5jPaFnJdx9rHfyJNeF9cgv9JlZeFxJ6WqIAhl KOuH3K8/py0SPE6ZOFfRo0YUxvh25K/siOcPLm613aOxyY7YfQ8ME2vgn7I0mAtg9am+YFDa bGqj839odwZdzZv2T2mUHnybFTJFBuMWGWKYstYDS6eZEmhupbPvUKkDug/mO+gdo+pSKF9Y S6DM5RtCdTNJq4NZY50ypBb5RSj+INHPocIp2V/DDTbzySsu6wARAQABiQIfBBgBCgAJBQJK tA7pAhsMAAoJEBDAHFovYFnnLe0P/i34oK5cE2LlqUEITEcTO94x1EX0UmtKokRfQ3AYWK8X eFD8cmSty72hMkL+1c0V//4Qc53SUyLIWXk8FKWF7hdL3zyuBqlRb55721CYC35GA/jR90p0 k1vr701gaat2cNTOVC0/6H9cE5yYXT+zMr9TSiKCDwONhhSbmAJZc6X0fgsmCD7I5xUI5Vri hN/Wx0CZBtrXGUyE4hgFaYSGptZmkY5Ln1e+nI185Bda7bpLwcAIGrI9nYtVXgf71ybGKdPP tFfXIoPXuctn99M7NnWBhNuGDms2YWkOC7eeWBTxKkZDWR3vRmRy52B6GxR7USk/KXs7yqGP kfT/c4CZFfOurZUXXuC3PvOme0DQmqwExtJormoG4Fy6suEFPrfhYMigTy7kSbVTCOBMjQLH +U/FFNshvg9+M/ZvaKT+0lpRvBSuG5ngsC0bO0xWsXhb6qfH2h53g4VcwFvCBL5IfqgAeUbC nGGHNcGWpmwdeb7D7ahrNZSHEUUYR7lTbjkYS01/QDOcEwNZOqDRIJUQOOUq35721VeROkdh ZmMZtFlsQeQJsWoqGrQo/kEYicVlMVOgjmOOzOa5fRb/IqlGlBn4a4me3hWthLLtMy+OOEim 6ENjntVTBQiTP/YqrxWDbCkaD7b2e9wY5N3JlRxMIQHfcHaND3PRdQSn7oHYXmJl
- Delivered-to: servlet-dev@xxxxxxxxxxx
- List-archive: <https://www.eclipse.org/mailman/private/servlet-dev/>
- List-help: <mailto:servlet-dev-request@eclipse.org?subject=help>
- List-subscribe: <https://www.eclipse.org/mailman/listinfo/servlet-dev>, <mailto:servlet-dev-request@eclipse.org?subject=subscribe>
- List-unsubscribe: <https://www.eclipse.org/mailman/options/servlet-dev>, <mailto:servlet-dev-request@eclipse.org?subject=unsubscribe>
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0
On 17/02/2021 12:16, Greg Wilkins wrote:
> On Wed, 17 Feb 2021 at 12:28, Mark Thomas <markt@xxxxxxxxxx
> <mailto:markt@xxxxxxxxxx>> wrote:
>
> On 12/02/2021 17:11, Greg Wilkins wrote:
> > So this gives us two problems. Firstly I now cannot find any current
> > specification of HTTP URL path parameters and how they should be
> > parsed. So I think the servlet spec could be relying on the
> > grandfathered definition from RFC2396. IS this true? Does
> anybody know
> > of a current specification for them?
>
> I'm not aware of anything better than the references you have provided.
>
>
> Then I think we need to probably note in future specs we are using an
> obsoleted RFC to define what they are. I'll ask contacts in IETF if
> there is any process to get path parameters formalized there.
Ack
> > In Jetty, we already handle ambiguous URIs like/foo/%2e%2e/bar with a
> > 400 and intend to do the same with /foo/..;/bar and /foo/%2f/bar. How
> > do the other container handle such URIs?
>
> In Tomcat we process URIs with the following sequence:
> - separate the query string (if any)
> - parse the path parameters (we are only interested in jsessionid or
> equivalent) and remove them from the URI
> - %nn decode the URI
> - normalize the URI
> - map the URI to virtual host, web app, filters, security constraints,
> servlet etc.
>
>
> That is also how Jetty has done it until recently. Specifically decode
> and then normalize.
>
> However, that is not compliant with RFC 3986 which says that
> normalization should happen before decoding.
Where does it say that? I just looked through all the references to
normalization and couldn't find it.
> That is all fine if you
> remember the segment boundaries so that segments like "%2e%2e", "%2f"
> and "..;" would be seen as decoded segments after normalization of "..",
> "/" and "..".
My reading of section 2.2 is that reserved characters should not be %nn
decoded prior to normalization.
> But we don't remember segment boundaries and put them
> all back into a string, so following the RFC of normalize and then
> decode means that information is thrown away and those segments are now
> ambiguous.
>
> Our plan is to now to follow the RFC and then 400 any requests that have
> such segments, but have a compliance mode for apps that want to work on
> the raw URI.
>
> I don't think that is a huge difference to what Tomcat is doing, other
> than for a URI like "/foo/%2e%2e/bar". Jetty will 400 such requests
> unless it is the compliance mode, in which case the path of
> "/foo/../bar" will be passed the application (which will have to have
> it's big boy pants on and look at the raw URI). I think Tomcat will
> handle that as "/bar"?
For that specific example, yes.
> Jetty used to do that, but we had problems with
> intermediaries putting constraints on "/foo/*"
Arguably an issue with the intermediary for that specific example but
there are other examples such as "/..;/" where there would be an issue
that wasn't the intermediary's fault.
>
> Given all of the above when receiving a request of the form
> "/foo;v=1/bar" there were several ways to handle it:
>
>
> No disagreement on the handling of that one. Spec is clear that we strip
> path params and treat it as "/foo/bar". It is only when the docoded
> segment is ".", ".." or includes "/" that I think there is a problem.
>
>
> The downside with approach 3 is that when used behind a reverse proxy,
> and depending on how the reverse proxy does the request mapping, it may
> be possible to bypass path based security constraints defined in the
> reverse proxy. If the reverse proxy is using path matching as a security
> control, URIs containing "/..;/" may bypass that control. The Tomcat
> provided proxy modules (mod_jk, ISAPI redirector) map requests using the
> same algorithm as Tomcat to avoid this potential issue.
>
>
> Using the same algorithm is key to avoiding security problems. Given
> that the RFCs are very poor in this area then perhaps the servlet spec
> needs to specify the algorithm we expect to be applied?
I think the Servlet spec is the place to be more explicit about this.
This has been on my radar for a while:
https://github.com/eclipse-ee4j/servlet-api/issues/18
It would be great to get this into servlet.next.
Mark
