tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Marc Saegesser" <>
Subject RE: URI handling in tomcat 3.2.3
Date Thu, 13 Sep 2001 17:48:50 GMT

I agree with you.  These encoded characters should be allowed in URIs and
disallowing them is a hack.  Like I said, I think the approach sucks.  We
were faced with a very serious security problem that had to be addressed
very quickly and the decision was made that it was better to forbid certain
'odd' URIs in order to guarantee that resources that the specification
*requires* to be protected were indeed protected.  We need to look into how
to solve the security problems without forbidden valid URIs, but right now
I'm about the only one around paying much attention to the tomcat_32 branch
so I don't know what kind of time frame wold be involved to get this
changed.  I do know that the solution will not be trivial.

I mentioned Apache httpd only to show that our approach to this problem is
in-line with that taken by other industry leading products.  We should not
(and I think have not) blindly follow httpd (it does a few other things that
disagree with).

Patches or discussion on how to go about fixing this are certainly welcome!

Marc Saegesser

> -----Original Message-----
> From: Lars Oppermann []
> Sent: Thursday, September 13, 2001 9:23 AM
> To:
> Subject: Re: URI handling in tomcat 3.2.3
> Hi Marc,
> Thanks for you reply...
> Marc Saegesser wrote:
> > I agree that this URI handling sucks.  I'm the one that
> > committed the change that made it happen and I still
> > think it sucks.  However, allowing these encoded characters
> > opens some very large security problems.
>  From what I understand, these security problems are all related to
> mapping URIs to filesystem paths. So how do you feel about doing this
> processing in the filesystem (default) servlet?
> > Also, even if TC 3.2.x allowed these characters, the resulting URL
> > wouldn't be portable because several other web servers impose the
> > same restrictions.
> > [400 with Apache 1.3.19]
> I think, if it is possible to do this in a better way while keeping up
> the protection there is no reason for copying the behaviour of httpd.
> However, if those security implications can not be handled in the file
> servlet like I mentioned before, I'd need to do some more thinking on
> this point.
> > If you need to pass this sort of data to a servlet (or CGI) the most
> > portable way is to simply use a query string.
> Yes, that sounds like a straight-forward solution. Unfortunatly the
> service that gets excuted here will access some document and return an
> html representation. This document contains relative references within
> the hierarchy represented by the 'wrapped' URI. for this to work with a
> browser, the request URI has to be used, because the client can not
> resolve relative references inside a query (why should it)
> I belive that there are many more use-cases where using URIs to
> represent hierachical names that do not map to files is desirable,
> espacialy in a servlet environment.
> In httpd, which's main work consists of serving file-system resources
> this might be viewed differently
> Cheers,
> Lars
> --
> ----------------------------------------------------------------------
> Lars Oppermann <>               Sun Microsystems
> Software Engineer - Sun ONE Webtop                       Sachsenfeld 4
> Phone: +49 40 23646 959                                D-20097 Hamburg
> Fax:   +49 40 23646 550            

View raw message