Incorrect path traversal in assets (and other) services #8981

Closed
rymsha opened this issue Jul 29, 2021 · 1 comment
Labels: Bug, Security (Fix for something unsafe)

Comments
rymsha (Contributor) commented Jul 29, 2021

Use the Servlet-provided PathInfo. It is normalized already.
Use the most strict compliance mode.
http.compliance = RFC7230 should allow switching back to a less strict mode.

@rymsha rymsha added Bug Security Fix for something unsafe labels Jul 29, 2021
@rymsha rymsha added this to the 7.7.2 milestone Jul 29, 2021
@rymsha rymsha self-assigned this Jul 29, 2021
@rymsha rymsha added this to Needs triage in Bugs via automation Jul 29, 2021
@rymsha rymsha moved this from Needs triage to High priority in Bugs Jul 29, 2021
rymsha added a commit that referenced this issue Jul 30, 2021
rymsha added a commit that referenced this issue Jul 30, 2021
rymsha (Contributor, Author) commented Jul 30, 2021

The idea is that our servlets are mapped to "/": RequestURI and PathInfo point to the same location. But PathInfo is decoded and normalized, while requestURI is not.
In XP, requestURI is later decoded, but not normalized. This leads to problems.

It is also incorrectly decoded as url-form-encoded (basically erroneously converting `+` into a space).

Switching from RequestURI to PathInfo eliminates the need for decoding and normalization: Jetty does it for us.

Since path decoding is also ambiguous, Jetty introduced configuration to fine-tune the reaction to ambiguous paths. XP is making it as strict as possible in the fix: any ambiguity results in 400 (future Jetty versions have strict mode enabled by default, too).
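
The following stand-alone Java program is an added example, not code from this issue or from Enonic XP, that models the two behaviours the comment above contrasts. Plain strings stand in for HttpServletRequest.getRequestURI() (raw, as received) and getPathInfo() (already percent-decoded and normalized by the container), so it runs without a servlet container. The asset root, the "/assets/" prefix, the constructed sample request URIs and the simplified "strict container" step are all assumptions of this demo; Jetty's real ambiguity rules are more complete than the model here.

```java
import java.io.ByteArrayOutputStream;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayDeque;
import java.util.Deque;

/* Run with: java AssetPathDemo.java  (Java 11+). Everything below is a demonstration
 * model; ASSET_ROOT and PREFIX are assumed values, nothing is read from disk. */
public class AssetPathDemo {

    static final Path ASSET_ROOT = Paths.get("/srv/xp/assets").toAbsolutePath().normalize();
    static final String PREFIX = "/assets/";

    /* "Before": decode getRequestURI() yourself with URLDecoder. That decoder is meant for
     * application/x-www-form-urlencoded bodies, so '+' becomes ' ', and nothing normalizes
     * "..": an encoded dot segment (%2e%2e) or encoded slash (%2f) survives decoding as a
     * traversal that Path.resolve() follows without complaint. */
    static Path legacyResolve(String rawRequestUri) {
        String decoded = URLDecoder.decode(rawRequestUri, StandardCharsets.UTF_8);
        if (!decoded.startsWith(PREFIX)) return null;
        return ASSET_ROOT.resolve(decoded.substring(PREFIX.length())); // not normalized, not checked
    }

    /* "After": the servlet works from the path the container already decoded and normalized.
     * A containment check on the *normalized* path stays as defence in depth; note that
     * startsWith() on an un-normalized path would pass "/srv/xp/assets/../../../etc/passwd". */
    static Path strictResolve(String pathInfo) {
        if (pathInfo == null || !pathInfo.startsWith(PREFIX)) return null;
        Path target = ASSET_ROOT.resolve(pathInfo.substring(PREFIX.length())).normalize();
        if (target.equals(ASSET_ROOT) || !target.startsWith(ASSET_ROOT)) return null;
        return target;
    }

    /* Simplified model of a strict container (not Jetty's code): percent-decode each raw
     * segment (never touching '+'), refuse anything ambiguous by returning null (= answer 400),
     * and resolve literal "." / ".." segments without ever climbing above the root. */
    static String strictPathInfo(String rawRequestUri) {
        if (!rawRequestUri.startsWith("/")) return null;
        Deque<String> segments = new ArrayDeque<>();
        for (String raw : rawRequestUri.substring(1).split("/", -1)) {
            if (raw.contains(";")) return null;                        // path parameter
            String seg;
            try {
                seg = percentDecode(raw);
            } catch (IllegalArgumentException e) {
                return null;                                           // malformed escape
            }
            if (seg.contains("/") || seg.contains("\\")) return null;  // encoded separator
            boolean wasEncoded = !seg.equals(raw);
            if (wasEncoded && (seg.equals(".") || seg.equals(".."))) return null; // encoded dot segment
            if (seg.isEmpty() || seg.equals(".")) continue;
            if (seg.equals("..")) {
                if (segments.isEmpty()) return null;                   // would leave the root
                segments.removeLast();
                continue;
            }
            segments.addLast(seg);
        }
        return "/" + String.join("/", segments);
    }

    /* RFC 3986 percent-decoding of one path segment; '+' is an ordinary character here. */
    static String percentDecode(String segment) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        for (int i = 0; i < segment.length(); i++) {
            char c = segment.charAt(i);
            if (c == '%') {
                if (i + 2 >= segment.length()) throw new IllegalArgumentException("truncated escape");
                int hi = Character.digit(segment.charAt(i + 1), 16);
                int lo = Character.digit(segment.charAt(i + 2), 16);
                if (hi < 0 || lo < 0) throw new IllegalArgumentException("bad escape");
                out.write(hi * 16 + lo);
                i += 2;
            } else {
                byte[] b = String.valueOf(c).getBytes(StandardCharsets.UTF_8);
                out.write(b, 0, b.length);
            }
        }
        return new String(out.toByteArray(), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        String[] requests = {                                   // constructed sample request URIs
            "/assets/css/site.css",
            "/assets/css/a+b.css",                              // '+' is literal in a path
            "/assets/%2e%2e/%2e%2e/%2e%2e/etc/passwd",          // encoded dot segments
            "/assets/..%2f..%2f..%2fetc/passwd",                // encoded separators
            "/assets/../../../etc/passwd",                      // plain traversal
        };
        for (String r : requests) {
            Path legacy = legacyResolve(r);
            String pathInfo = strictPathInfo(r);
            Path strict = strictResolve(pathInfo);
            boolean escapes = legacy != null && !legacy.normalize().startsWith(ASSET_ROOT);
            String verdict = pathInfo == null ? "400 Bad Request (ambiguous path)"
                           : strict == null ? "404 Not Found" : strict.toString();
            System.out.println(r);
            System.out.println("  legacy : " + legacy + (escapes ? "   <-- escapes the asset root" : ""));
            System.out.println("  strict : " + verdict);
        }
    }
}
```

The second sample shows the form-decoding mistake on its own: the legacy path resolves to "css/a b.css" while the strict path keeps "css/a+b.css". The three traversal samples never reach strictResolve at all in the model, because the container step refuses them as ambiguous or as climbing above the root, which is the point of pushing decoding and normalization down to Jetty rather than re-implementing them in the servlet.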

@rymsha rymsha moved this from High priority to Closed in Bugs Aug 9, 2021
@alansemenov alansemenov changed the title Path traversal in assets (and other) services Incorrect path traversal in assets (and other) services Nov 5, 2021
2 participants