-
Notifications
You must be signed in to change notification settings - Fork 88
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Clarify normalization of methods taking paths #453
Comments
@markt-asf @stuartwdouglas Did we come to a consensus of the best fix for these kind of issues? |
I don't think we had consensus. My expectation is that RequestDispatcher is going to have to decode the path. My reasoning is:
The warning in For the example you above, my response is that applications shouldn't do that as it is passing unsanitized user provided data. Hence why I think the warning should be on all of those methods. If a URL such as the example above was passed to a RequestDispatcher I'd expect it to be decoded, normalized and then mapped using the same rules as we defined for #424. In this case it would get rejected as suspicious unless the suspicious URI checks had been explicitly disabled. Generally, I'd expect the same approach for all of these methods. Decoded the path, normalize it (including making relative paths absolute where relative paths are allowed) using the same rules as #424. |
I think putting the warning on all the methods is a good first step. I'll do a PR. I'm not sure there is a second step that works generally. |
We should probably reopen this as we are getting reports that this clarification in the 6.1 javadoc is incomplete. From https://www.eclipse.org/lists/servlet-dev/msg00634.html
|
I reopened this issue for clarification of
|
Fixed by #580 |
@markt-asf @stuartwdouglas I think we have a bit of a contradiction in
But step 5. of canonicalization in 3.5 is decode! So is this now a decoded string, or an encoded string (as it strangely always was before?) |
You have re-opened the wrong issue. That text was only reformatted by the fix to this issue. The original change was made to address #18. |
After #424 for #18, we need to further clarify how methods that take paths will treat non-normal and/or encoded characters.
An example of an issue could be an application that take pathInfo for a servlet mapped to
/
and uses that to request a resource or request dispatcher. If a URI like/foo/%252e%252e/WEB-INF/web.xml
is received, then that will decode to a pathInfo of/foo/%25%25/WEB-INF/web.xml
. How should that arg be treated by thos methods? Should it be rejected because the method doesn't accept encoded paths? Or should it be decoded and normalized to/WEB-INF/web.xml
, but then rejected because it is not the canonical path?Note that
getRequestDispatcher
allows for relative paths within the docroot, so asking for../foo/file.txt
should be allowed, even though it is not canonical. But should%2e%2e/foo/file.txt
be allowed?The
getResource
method has the following warning:Methods that need clarification are:
The text was updated successfully, but these errors were encountered: