New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
grizzly-http silently fails when encoded backslashes are included in the URI #2028
Comments
In summary - actual behavior is that encoded backslashes throw an error in the best case and expected behavior is that encoded backslashes would be included in the path components. |
Looking at it more closely, it appears that decoding the URI in |
GlassFish I also came across this issue too. I have URIs with encoded JSON which have Strings with My Solution
Everything I Tried With GlassFish <jvm-options>-Dcom.sun.grizzly.util.http.HttpRequestURIDecoder.ALLOW_ENCODED_BACKSLASH=true</jvm-options>
<jvm-options>-Dcom.sun.grizzly.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true</jvm-options>
<jvm-options>-Dorg.glassfish.grizzly.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true</jvm-options> and also tried adding this to <http encoded-slash-enabled="true" ...> and also tried via the ./asadmin set configs.config.server-config.network-config.protocols.protocol.http-listener-1.http.encoded-slash-enabled=true
./asadmin set configs.config.server-config.network-config.protocols.protocol.http-listener-1.http.encoded-backslash-enabled=true Still nothing worked. So I decided to debug and realized why it was never going to work. Here's the relevant code: package org.glassfish.grizzly.http.util;
public class HttpRequestURIDecoder {
protected static final boolean ALLOW_BACKSLASH = false;
...
if (... == '\\') {
if (ALLOW_BACKSLASH) {
... = '/'; // replace with forward slash
} else {
return false;
}
} So in my case it fails since backslashes aren't allowed, but best case scenario (still bad), it gets converted to a forward slash and won't be picked up by the correct handler (path no longer matches). Interestingly, I come across issue 1233, which proposed this patch from |
I would also love too see this fix implemented. It's an extremely simple fix so I should not be a lot of work. |
If it's simple how about raising a PR? |
smilidge, as I'm not a contributor, would you be so kind to create it? |
Anybody with an ECA on file can raise a PR. I'm not a committer on this project. |
The bug is, as originally described by @xonev, that Grizzly harms the following rule of RFC 3986: It would be great if some Grizzly expert would chime in and fix (a), as I suppose (b) is a different topic. |
I don't have full steps to reproduce because the way our application is configured is somewhat complicated, but I do know that the problem lies in
HttpRequestURIDecoder::normalizeBytes
(andnormalizeChars
) - see here.Essentially, since the URI is normalized after the URI decoding happens, you have a case where an encoded backslash (
%5C
) is converted to a forward slash or thenormalizeBytes
method returnsfalse
and then grizzly silently swallows an error (unless you have logging set toFINE
) before returning a 500 response.In fact, the whole idea of decoding before the path has been broken up into components seems completely backwards, since any encoded forward slashes (
%2F
) will be decoded and then subsequently treated as normal slashes, which they should not be. Unless, of course, you have encoded forward slashes disabled, which I understand was implemented to plug a security hole that I am guessing was caused by decoding the URI before breaking up the path into its components.The text was updated successfully, but these errors were encountered: