Add UriCompliance rules that follow the HTTP / URI / Servlet specs for illegal & suspicious characters #11495
Labels: Bug (for general bugs on the Jetty side), Specification (for all industry specifications: IETF / Servlet / etc.)
Comments
joakime added the Bug and Specification labels on Mar 7, 2024.
joakime added a commit that referenced this issue on Mar 7, 2024:
…ervlet specs for illegal & suspicious characters
joakime changed the title on Mar 7, 2024, from "Add UriCompliance rules that follow the HTTP / URI / Servlet specs with regards to illegal characters" to "Add UriCompliance rules that follow the HTTP / URI / Servlet specs for illegal & suspicious characters".
joakime added a commit that referenced this issue on Mar 27, 2024:
…ervlet specs for illegal & suspicious characters (#11496)
* Issue #11495 - Add UriCompliance rules that follow the HTTP / URI / Servlet specs for illegal & suspicious characters
* more illegalPathCharacterData test cases
* Correcting SUSPICIOUS_PATH_CHARACTERS semantic (encoded and decoded)
* Check for illegal and suspicious characters as we are parsing the path.
* Only look for ambiguous paths if we know there are dots or encodings.
---------
Co-authored-by: gregw <[email protected]>
github-project-automation (bot) moved this from 🏗 In progress to ✅ Done in "Jetty 12.0.8 - FROZEN" on Mar 27, 2024.
sbordet pushed a commit that referenced this issue on Mar 28, 2024:
…ervlet specs for illegal & suspicious characters (#11496)
* Issue #11495 - Add UriCompliance rules that follow the HTTP / URI / Servlet specs for illegal & suspicious characters
* more illegalPathCharacterData test cases
* Correcting SUSPICIOUS_PATH_CHARACTERS semantic (encoded and decoded)
* Check for illegal and suspicious characters as we are parsing the path.
* Only look for ambiguous paths if we know there are dots or encodings.
---------
Co-authored-by: gregw <[email protected]>
afranken added a commit to adobe/S3Mock that referenced this issue on Apr 28, 2024:
This updates Jetty to 12.0.8 where they changed the UriCompliance yet again. We need to use "UNSAFE" now. jetty/jetty.project#11495
MarkEWaite added a commit to MarkEWaite/jenkins that referenced this issue on Jun 7, 2024:
Servlet spec 6.0 requires HTTP 400 when the URI contains suspicious characters
https://jakarta.ee/specifications/servlet/6.0/jakarta-servlet-spec-6.0.html#uri-path-canonicalization
If suspicious sequences are discovered during the prior processing steps, the request must be rejected with a 400 bad request rather than dispatched to the target servlet.
Windows absolute path targetTmpPath.toAbsolutePath() includes backslash that is a suspicious character.
Included in Jetty 12.0.8 and later.
* jetty/jetty.project#11495
* jetty/jetty.project#11496
MarkEWaite added a commit to MarkEWaite/jenkins that referenced this issue on Jun 7, 2024:
Servlet spec 6.0 requires HTTP 400 when the URI contains suspicious characters
https://jakarta.ee/specifications/servlet/6.0/jakarta-servlet-spec-6.0.html#uri-path-canonicalization
If suspicious sequences are discovered during the prior processing steps, the request must be rejected with a 400 bad request rather than dispatched to the target servlet.
Windows path r.jenkins.getRootDir() includes backslash that is a suspicious character.
Included in Jetty 12.0.8 and later.
* jetty/jetty.project#11495
* jetty/jetty.project#11496
MarkEWaite added a commit to MarkEWaite/jenkins that referenced this issue on Jun 13, 2024:
Servlet spec 6.0 requires HTTP 400 when the URI contains suspicious characters
https://jakarta.ee/specifications/servlet/6.0/jakarta-servlet-spec-6.0.html#uri-path-canonicalization
If suspicious sequences are discovered during the prior processing steps, the request must be rejected with a 400 bad request rather than dispatched to the target servlet.
Windows absolute path targetTmpPath.toAbsolutePath() includes backslash that is a suspicious character.
Included in Jetty 12.0.8 and later.
* jetty/jetty.project#11495
* jetty/jetty.project#11496
MarkEWaite added a commit to MarkEWaite/jenkins that referenced this issue on Jun 13, 2024:
Servlet spec 6.0 requires HTTP 400 when the URI contains suspicious characters
https://jakarta.ee/specifications/servlet/6.0/jakarta-servlet-spec-6.0.html#uri-path-canonicalization
If suspicious sequences are discovered during the prior processing steps, the request must be rejected with a 400 bad request rather than dispatched to the target servlet.
Windows path r.jenkins.getRootDir() includes backslash that is a suspicious character.
Included in Jetty 12.0.8 and later.
* jetty/jetty.project#11495
* jetty/jetty.project#11496
Jetty version(s): 12.0.7
Jetty Environment: Any (esp. ee10)
Java version/vendor: Any
OS type/version: Any
Description
The URI spec, HTTP spec, and Servlet spec have rules about which characters are allowed in the request-target of an HTTP request and in the path portion of a URI.
We are too permissive with our HttpURI implementation.
Add UriCompliance rule(s) that follow the spec behaviors, but allow those behaviors to be overridden with configuration.
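The "overridable by configuration" part of this request is what the downstream commits above ran into (S3Mock switching to "UNSAFE", Jenkins tests hitting 400s on Windows backslash paths). The following is an added example, not code from the Jetty project or from this issue, showing where that override lives in an embedded Jetty 12 server. It assumes Jetty 12.0.8 or later, the public `HttpConfiguration`, `UriCompliance`, `ServerConnector` and `Handler.Abstract` APIs, and a constructed echo handler. The narrow override built with `UriCompliance.DEFAULT.with(...)` and the `Violation.SUSPICIOUS_PATH_CHARACTERS` constant are taken from the commit message above and treated here as an assumption about the API rather than something stated in the issue text.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;

import org.eclipse.jetty.http.UriCompliance;
import org.eclipse.jetty.server.Handler;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.Response;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.util.Callback;

/**
 * Added example (not Jetty project code). Three ways to set the UriCompliance
 * mode that decides whether a request whose path carries an illegal or
 * suspicious character (a raw or %5C-encoded backslash, for instance) is
 * rejected with HTTP 400 before any handler sees it.
 */
public class UriComplianceConfigExample
{
    /** Spec-following default: illegal/suspicious path characters get a 400. */
    static HttpConfiguration specCompliant()
    {
        HttpConfiguration config = new HttpConfiguration();
        config.setUriCompliance(UriCompliance.DEFAULT);
        return config;
    }

    /**
     * Narrow override (assumed API shape): keep every other DEFAULT check and
     * tolerate only SUSPICIOUS_PATH_CHARACTERS, for a service that must accept
     * Windows-style paths in the URI and validates them itself downstream.
     */
    static HttpConfiguration allowSuspiciousPathCharsOnly()
    {
        HttpConfiguration config = new HttpConfiguration();
        UriCompliance relaxed = UriCompliance.DEFAULT.with(
            "ALLOW_SUSPICIOUS_PATH_CHARS",
            UriCompliance.Violation.SUSPICIOUS_PATH_CHARACTERS);
        config.setUriCompliance(relaxed);
        return config;
    }

    /** Blanket override, as S3Mock chose above: every URI check off. Prefer the narrow form. */
    static HttpConfiguration unsafe()
    {
        HttpConfiguration config = new HttpConfiguration();
        config.setUriCompliance(UriCompliance.UNSAFE);
        return config;
    }

    public static void main(String[] args) throws Exception
    {
        Server server = new Server();
        // Pick one of the three configurations; DEFAULT is the safe choice.
        ServerConnector connector = new ServerConnector(server,
            new HttpConnectionFactory(specCompliant()));
        connector.setPort(8080);
        server.addConnector(connector);

        // Constructed handler: echoes the canonicalized path. Under DEFAULT a
        // request whose path contains a backslash is answered with 400 by the
        // parser and never reaches this method.
        server.setHandler(new Handler.Abstract()
        {
            @Override
            public boolean handle(Request request, Response response, Callback callback)
            {
                String path = request.getHttpURI().getPath();
                response.setStatus(200);
                response.write(true,
                    ByteBuffer.wrap(("path=" + path + "\n").getBytes(StandardCharsets.UTF_8)),
                    callback);
                return true;
            }
        });

        server.start();
        server.join();
    }
}
```

The design point for a defender: the 400 happens in the HTTP parser, so it applies to every handler and servlet behind the connector; loosening it to UNSAFE removes all of those checks at once, whereas a mode built from DEFAULT with one named violation keeps the rest and makes the exception auditable in configuration.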
See: