security-proxy: Allow semicolons in URLs #2636
Conversation
security-proxy/src/main/webapp/WEB-INF/applicationContext-security.xml
In general, proxied applications are discouraged to disclose jsessionid this way, and shall use a cookie instead.
Some applications like CKAN though can't be modified to use cookies, hence this configuration.
-->
<property name="allowSemicolon" value="true"/>
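Review bot: the property is hard-coded to `true` for every deployment, while the comment above it says only CKAN needs it and that disclosing jsessionid in the path is discouraged in general. Consider externalizing the value so that platforms without CKAN keep the StrictHttpFirewall default (`false`) and only those that need it opt in, and have the comment name the path-parameter form (`/<path>;jsessionid=...`) it is meant to let through so operators know what they are enabling.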
I would find it useful to have this setting configurable from the datadir, with a default value set to false.
Platforms using CKAN would have to switch it to true.
sounds doable, let me see
See 26cfc9a and georchestra/datadir#162
4a7a079 to 8c96818
Configure org.springframework.security.web.firewall.StrictHttpFirewall with allowSemicolon = true to avoid errors like 'the request was rejected because the URL contained a potentially malicious String ";"'.

";" in URLs come in the form http://<domain>/<path>;jsessionid=xxxx OR in static resource URLs (e.g. to reference bundles of JS files (minified on the fly)).

In general, proxied applications are discouraged to disclose jsessionid this way, and shall use a cookie instead. Some applications like CKAN though can't be modified to use cookies, hence this configuration.
Excellent, thanks!
This should also be ported back to 19.04
Would it be possible to also allow
Where have you encountered such URLs?
georchestra/cadastrapp@db5b008 & georchestra/cadastrapp@42a01a1 from georchestra/cadastrapp#445 among others, but this can cause issues for generated links in geoserver or geonetwork (i.e. interlinks between md & layer, when the URL is generated by some code -> this sometimes has I know I had to fix/remove some slashes here and there in the geor datadir to account for this change
Ok, it's in the path, not in the arguments, so it would be somewhere else
I was having broken extent thumbnails on a metadata view, because the URL generated by geonetwork looked like https://ids.craig.fr/geocat/srv//fre/region.getmap.png?... -> the double slash triggered a 500 code with the sec-proxy firewall. Looking at the upstream repo and after digging a good while to find out where the HTML was generated, if we want to fix it on 19.04 geonetwork/core-geonetwork@05836b4 should be cherry-picked on top of
Configure org.springframework.security.web.firewall.StrictHttpFirewall
with allowSemicolon = true to avoid errors
like 'the request was rejected because the URL contained a potentially malicious String ";"'
";" in URLs come in the form http://<domain>/<path>;jsessionid=xxxx
In general, proxied applications are discouraged to disclose jsessionid this way,
and shall use a cookie instead.
Some applications like CKAN though can't be modified to use cookies, hence this configuration.
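An added example, not code from the georchestra project: a small Java probe that runs Spring Security's StrictHttpFirewall against the kinds of URLs discussed in this PR, once with the firewall's defaults and once with allowSemicolon set to true as the security-proxy's applicationContext-security.xml does. It needs spring-security-web and spring-test on the classpath (a 5.x release is assumed); the class name and the sample URIs are constructed for illustration and the hostless paths stand in for the real deployments. It shows the point the thread arrives at: allowSemicolon only lifts the ";" entry from the firewall's blocklist, so a jsessionid path parameter gets through, while a double slash in the path is caught by the separate "URL not normalized" check, for which StrictHttpFirewall has no setter.

```java
// Added example (not georchestra code). Exercises StrictHttpFirewall the way the
// security-proxy configures it, using spring-test's MockHttpServletRequest so no
// servlet container is needed. Assumes spring-security-web and spring-test 5.x.
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.web.firewall.HttpFirewall;
import org.springframework.security.web.firewall.RequestRejectedException;
import org.springframework.security.web.firewall.StrictHttpFirewall;

public class FirewallProbe {

    /** Returns null when the firewall accepts the request URI, otherwise the rejection message. */
    static String probe(HttpFirewall firewall, String requestUri) {
        MockHttpServletRequest request = new MockHttpServletRequest("GET", requestUri);
        try {
            firewall.getFirewalledRequest(request);
            return null;
        } catch (RequestRejectedException e) {
            // Before a RequestRejectedHandler is configured this exception propagates
            // out of the filter chain, which is why the thread sees a 500.
            return e.getMessage();
        }
    }

    /** The firewall as Spring Security ships it: allowSemicolon is false. */
    static HttpFirewall defaultStrict() {
        return new StrictHttpFirewall();
    }

    /** Equivalent of <property name="allowSemicolon" value="true"/> in the XML config. */
    static HttpFirewall semicolonAllowed() {
        StrictHttpFirewall firewall = new StrictHttpFirewall();
        firewall.setAllowSemicolon(true);
        return firewall;
    }

    private static String describe(String rejection) {
        return rejection == null ? "accepted" : "rejected: " + rejection;
    }

    public static void main(String[] args) {
        // Constructed sample URIs modelled on the cases discussed in the PR.
        String[] uris = {
            "/ckan/dataset;jsessionid=ABC123",      // session id carried as a path parameter
            "/geocat/srv//fre/region.getmap.png",   // GeoNetwork-generated link with a double slash
            "/geoserver/wms",                       // ordinary request, accepted either way
        };
        for (String uri : uris) {
            System.out.printf("%-38s default            -> %s%n", uri, describe(probe(defaultStrict(), uri)));
            System.out.printf("%-38s allowSemicolon=true -> %s%n", uri, describe(probe(semicolonAllowed(), uri)));
        }
    }
}
```

Compile and run it with the two jars (plus their transitive dependencies) on the classpath, for example via a throwaway Maven project that declares spring-security-web and spring-test. The first URI is rejected by the default firewall with the exact "potentially malicious String ";"" message quoted in the commit and accepted once allowSemicolon is true; the second is rejected in both runs with a "not normalized" message, which is why the double-slash problem had to be fixed on the GeoNetwork side rather than in the proxy's firewall settings.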