Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Ambiguous URI legacy compliance mode #6001

Closed
gregw opened this issue Feb 23, 2021 · 3 comments · Fixed by #6003
Closed

Ambiguous URI legacy compliance mode #6001

gregw opened this issue Feb 23, 2021 · 3 comments · Fixed by #6003
Assignees

Comments

@gregw
Copy link
Contributor

@gregw gregw commented Feb 23, 2021

Jetty version
9.4.37

Description
Prior to 9.4.37, URIs with segments of %2e%2e we treated as 400 bad requests. However URIs with %2f characters were not.
In 9.4.37 both %2e%2e and %2f are treated as ambiguous and thus as 400 bad requests, unless a compliance mode is set which allows them both.

Thus there is now no compliance mode that preserves the previous behaviour of allowing %2f but forbidding a segment of %2e%2e

We need 3 modes:

  • Allow all ambiguous segments (the app will handle either undecoded path or doesn't care about ambiguity).
  • Legacy mode that allows %2f but not a segment of %2e%2e
  • default mode that both %2f and a segment of %2e%2e are not allowed.
@gregw gregw self-assigned this Feb 23, 2021
@joakime
Copy link
Member

@joakime joakime commented Feb 23, 2021

What if someone wants to allow %2e%2e but not allow %2f ?

how about an individual configuration for each?

  • ambiguous-2f / ambiguous-path-delim
  • ambiguous-2e2e / ambiguous-path-parent
  • ambiguous-2e / ambiguous-path-self

That way people can tweak them accordingly, without the need for complex modes?

gregw added a commit that referenced this issue Feb 24, 2021
…and se… (#6003)

Fix #4275 separate compliance modes for ambiguous URI segments and separators
joakime added a commit that referenced this issue Feb 24, 2021
…-ambiguous-uris

Fix #6001 separate compliance modes for ambiguous URI segments, params and separators
@cstamas
Copy link

@cstamas cstamas commented Feb 26, 2021

FTR, %2f is a MUST for npm registries, as "scoped packages" are using it. With latest Jetty we have now:

GET http://localhost:45071/@scoped%2ftest HTTP/1.1 -> HTTP/1.1 400 Ambiguous segment in URI

Reference: npm/npm#11738

@gregw
Copy link
Contributor Author

@gregw gregw commented Feb 26, 2021

For jetty-9.4.38 we are reverting to the previous behaviour. Specifically:

  • %2f in segments is allowed
  • %2e%2e and variants are allowed.
  • ..; segments are not allowed.

This behaviour can be configured with HttpCompliance and there will is a new predefined HttpCompliance.RFC7230_NO_AMBIGUOUS_URIS mode

For jetty-10 and beyond, the default is changed to disallow all three. It is now configurable in a new UriCompliance class that can be set on HttpConfiguration

gregw added a commit that referenced this issue Mar 2, 2021
* Fix #4275 separate compliance modes for ambiguous URI segments and separators

default modes allows both ambiguous separators and segments, but still forbids ambiguous parameters

Co-authored-by: Joakim Erdfelt <joakim.erdfelt@gmail.com>
@gregw gregw closed this Mar 22, 2021
denis-yuen added a commit to dockstore/dockstore that referenced this issue Mar 22, 2021
denis-yuen added a commit to dockstore/dockstore that referenced this issue Mar 22, 2021
denis-yuen added a commit to dockstore/dockstore that referenced this issue Mar 23, 2021
* Netty update SEAB-2606 2607 2608 2625 2631 etc
* SEAB-2602 2614 2655 etc
* Address CVE
* dealing with eclipse/jetty.project#6001
@gregw gregw added this to To do in Jetty 9.4.38 via automation Mar 25, 2021
@gregw gregw moved this from To do to Done in Jetty 9.4.38 Mar 25, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
No open projects
Linked pull requests

Successfully merging a pull request may close this issue.

3 participants