infra-issues mailing list archives

From "Mark Thomas (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (INFRA-16760) Jenkins api access: malformed url
Date Wed, 01 Aug 2018 08:32:00 GMT

[ https://issues.apache.org/jira/browse/INFRA-16760?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16564957#comment-16564957 ]

Mark Thomas commented on INFRA-16760:
-------------------------------------

As per RFC 7230 and RFC 3986 '[' and ']' must be %nn encoded if used in an HTTP URI.

As a result of a security vulnerability report, Apache Tomcat has been tightening up on the
validation of the request line. By default, Tomcat aims to reject any request line that does
not conform to the RFCs.

The correct fix for this issue is to ensure that the client complies with the RFCs and %nn
encodes '[' and ']'.

Note that none of the popular browsers follow the RFCs. Further, those browser vendors that
have been approached regarding this issue have refused to follow the RFCs. The browser vendors
claim to follow their own, more relaxed specification although testing [1] has shown that
the behaviour is not consistent between any of the popular browsers.

Primarily due to the refusal of the browser vendors to follow the RFCs, Tomcat has added configuration
options for the Connector element in server.xml to relax the validation of the request target.
The relevant attributes are relaxedPathChars and relaxedQueryChars. If the user agent in question
is a browser then you'll need to use something like:

<Connector ... relaxedQueryChars="[]" />

If the user agent in question is not a browser then I'd suggest raising a bug against the
user agent in the first instance to request that it follows the RFCs and %nn encodes '[' and
']' as well as any other characters that require %nn encoding.

[1] https://cwiki.apache.org/confluence/display/TOMCAT/Encoding+and+URIs

> Jenkins api access: malformed url
> ---------------------------------
>
>                 Key: INFRA-16760
>                 URL: https://issues.apache.org/jira/browse/INFRA-16760
>             Project: Infrastructure
>          Issue Type: Bug
>          Components: Jenkins
>            Reporter: Zoltan Haindrich
>            Assignee: Gavin
>            Priority: Major
>
> I've been using a remote access query to keep track of the build queue...
> Today I've started getting back 400-s for request like:
> https://builds.apache.org/queue/api/xml?tree=items[actions[causes[userId],parameters[name,value]],task[name],id,inQueueSince]
> it seems like somehow jenkins is returning errors for all api calls which contain '[' and ']' braces.
> Even the sample on this(https://builds.apache.org/queue/api/) page doesn't work; namely:
> https://builds.apache.org/queue/api/xml?tree=jobs[name],views[name,jobs[name]]
> note: copy the links manually because jira was not able to detect them correctly



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
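As an added example (not part of this thread, nor code from Tomcat or Jenkins), the following Python checks a query string against the RFC 3986 query production that the comment cites and percent-encodes only the offending characters, which is the client-side fix recommended above. The function names are assumptions and the sample URL is the one quoted in the issue.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# RFC 3986 grammar: query = *( pchar / "/" / "?" ) where
# pchar = unreserved / pct-encoded / sub-delims / ":" / "@".
# '[' and ']' are gen-delims and so are not allowed raw in a query.
_UNRESERVED = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
_SUB_DELIMS = "!$&'()*+,;="
_QUERY_SAFE = frozenset(_UNRESERVED + _SUB_DELIMS + ":@/?")
_PCT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")


def query_violations(query: str) -> list:
    """Return (offset, char) for each character RFC 3986 forbids unencoded in a query."""
    bad, i = [], 0
    while i < len(query):
        if query[i] == "%" and _PCT_ESCAPE.match(query, i):
            i += 3  # an existing, well-formed %xx escape is fine
            continue
        if query[i] not in _QUERY_SAFE:
            bad.append((i, query[i]))
        i += 1
    return bad


def encode_query(query: str) -> str:
    """Percent-encode only the forbidden characters, leaving valid %xx escapes intact."""
    out, i = [], 0
    while i < len(query):
        if query[i] == "%" and _PCT_ESCAPE.match(query, i):
            out.append(query[i:i + 3])
            i += 3
            continue
        ch = query[i]
        if ch in _QUERY_SAFE:
            out.append(ch)
        else:  # encode each UTF-8 byte: a bare '%' becomes %25, '[' becomes %5B
            out.extend("%%%02X" % b for b in ch.encode("utf-8"))
        i += 1
    return "".join(out)


def rfc3986_url(url: str) -> str:
    """Rewrite a full URL so its query component conforms to RFC 3986."""
    parts = urlsplit(url)
    return urlunsplit(parts._replace(query=encode_query(parts.query)))


# Constructed sample: the queue query quoted in the issue above.
JENKINS_URL = "https://builds.apache.org/queue/api/xml?tree=jobs[name],views[name,jobs[name]]"
```

Running `rfc3986_url(JENKINS_URL)` yields the same request with every `[` and `]` replaced by `%5B` and `%5D`, which Tomcat's default request-line validation accepts without any relaxedQueryChars setting.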
