Return-Path: Delivered-To: apmail-tomcat-users-archive@www.apache.org Received: (qmail 1360 invoked from network); 1 Aug 2010 09:06:23 -0000 Received: from unknown (HELO mail.apache.org) (140.211.11.3) by 140.211.11.9 with SMTP; 1 Aug 2010 09:06:23 -0000 Received: (qmail 63939 invoked by uid 500); 1 Aug 2010 09:06:20 -0000 Delivered-To: apmail-tomcat-users-archive@tomcat.apache.org Received: (qmail 63445 invoked by uid 500); 1 Aug 2010 09:06:15 -0000 Mailing-List: contact users-help@tomcat.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: "Tomcat Users List" Delivered-To: mailing list users@tomcat.apache.org Received: (qmail 63434 invoked by uid 99); 1 Aug 2010 09:06:14 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Sun, 01 Aug 2010 09:06:14 +0000 X-ASF-Spam-Status: No, hits=0.7 required=10.0 tests=SPF_NEUTRAL X-Spam-Check-By: apache.org Received-SPF: neutral (nike.apache.org: local policy) Received: from [193.252.22.192] (HELO smtp6.freeserve.com) (193.252.22.192) by apache.org (qpsmtpd/0.29) with ESMTP; Sun, 01 Aug 2010 09:06:05 +0000 Received: from me-wanadoo.net (localhost [127.0.0.1]) by mwinf3622.me.freeserve.com (SMTP Server) with ESMTP id 476C37000082 for ; Sun, 1 Aug 2010 11:05:45 +0200 (CEST) Received: from me-wanadoo.net (localhost [127.0.0.1]) by mwinf3622.me.freeserve.com (SMTP Server) with ESMTP id 3B521700008F for ; Sun, 1 Aug 2010 11:05:45 +0200 (CEST) Received: from mail.homeinbox.net (unknown [91.109.166.185]) by mwinf3622.me.freeserve.com (SMTP Server) with ESMTP id EF22A7000082 for ; Sun, 1 Aug 2010 11:05:44 +0200 (CEST) X-ME-UUID: 20100801090544979.EF22A7000082@mwinf3622.me.freeserve.com Received: from localhost (localhost [127.0.0.1]) by mail.homeinbox.net (Postfix) with ESMTP id 7ED7632F83 for ; Sun, 1 Aug 2010 10:06:04 +0100 (BST) X-Virus-Scanned: Debian amavisd-new at homeinbox.net Received: from mail.homeinbox.net ([127.0.0.1]) by localhost (mail.homeinbox.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JwTODUrS3rLO for ; Sun, 1 Aug 2010 10:05:58 +0100 (BST) Received: from [192.168.0.9] (study03.dev.local [192.168.0.9]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.homeinbox.net (Postfix) with ESMTPSA id 6481F32F7F for ; Sun, 1 Aug 2010 10:05:58 +0100 (BST) Message-ID: <4C5538DB.1070305@apache.org> Date: Sun, 01 Aug 2010 10:05:31 +0100 From: Mark Thomas User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.7) Gecko/20100713 Thunderbird/3.1.1 MIME-Version: 1.0 To: Tomcat Users List Subject: Re: UTF-8 encoding in Tomcat 6.0 References: <180882.95892.qm@web62101.mail.re1.yahoo.com> In-Reply-To: <180882.95892.qm@web62101.mail.re1.yahoo.com> X-Enigmail-Version: 1.1.1 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-Virus-Checked: Checked by ClamAV on apache.org On 31/07/2010 17:34, arun kumar wrote: > > I ran my example webapp on a standalone tomcat and the behavior was the same: > When the param is being sent using GET, I need to send the param as %25xx for it to be read correctly > When the method is PUT, %xx works fine. Then something in your setup is badly broken, evidenced by the fact you have to encode the % as %25 to get things to work. > I believe this is a known issue with Tomcat: I remember reading this on many forums. I believe this is the same behavior that Erik reports. This is absolutely *not* a Tomcat problem. Tomcat does not behave the way you describe. A clean Tomcat install with no other components (reverse proxy etc) using the test encoding JSP from the wiki [1] works correctly with POST and GET (if URIEncoding="UTF-8" is used). > Sorry Mark - i did not get what you said. Could you please elaborate? Decoding is happening twice. i.e.: %25xx -> %xx %xx -> whatever character Tomcat absolutely, 100% does not do this. Either your test application is doing it or there is another component - such as a reverse proxy - in the mix that is doing a second decoding. This represents a significant security risks. Issues caused by double decoding in the past include: - XSS - source code disclosure - authentication bypass - directory traversal It does not mean that these issues will be present, but double decoding has been the cause of all of these - and probably more - at various points in the past. The details will depend on system configuration but seeing an issue like this is certainly indicative that there may well be a problem. Mark [1] http://wiki.apache.org/tomcat/FAQ/CharacterEncoding#Q4 > Regards > Arun > > --- On Sat, 7/31/10, Mark Thomas wrote: > >> From: Mark Thomas >> Subject: Re: UTF-8 encoding in Tomcat 6.0 >> To: "Tomcat Users List" >> Date: Saturday, July 31, 2010, 12:18 PM >> On 31/07/2010 15:40, arun kumar >> wrote: >>> Hi Erik >>> Thanks very much for your responses. >>> I can assure that i'm interested in this topic even >> now :). >>> >>> My scenario is this: >>> >>> 1. I use a web application that runs in JBOSS. >>> >>> 2. JBOSS uses a tomcat web container from what i can >> see. >>> >>> 3. To my application if i pass a UTF-8 encoded value >> in hex e.g: >>> >> http://://param=%xx... >>> >>> Then %xx is not decoded properly. I initially used to >> send the request with a mozilla browser but later started >> sending it with a java program as well with the same >> results. >>> >>> I tried setting the URI Encoding parameters in the >> tomcat server.xml - with no success. >>> I then set a filter to specifically set the encoding >> to utf-8 - again with no luck - behavior was exactly the >> same. >>> >>> But when i sent the param as %25xx ( %25= hex value of >> the % character), it worked fine but i suspect that the >> string gets stored in ISO 8859 format - like you say: it >> gets mangled... >> >> That smells of double-decoding which as well as breaking >> your app is >> also a security risk. I have seen this when a reverse proxy >> is in the mix. >> >> Tomcat will *not* do this on its own. >> >> Mark >> >> >> >>> I wrote a standalone web application that showed the >> same behavior. >>> I haven't tried with a standalone tomcat. >>> >>> I know that we need to take care of the encodings at >> various points but how can i rule out a problem with >> my web container configuration settings? Or can it be a >> problem coming from the web container itself? >>> >>> Thanks and regards >>> Arun >>> >>> >>> --- On Fri, 7/30/10, Erik Bunn >> wrote: >>> >>>> From: Erik Bunn >>>> Subject: Re: UTF-8 encoding in Tomcat 6.0 >>>> To: "Tomcat Users List" >>>> Date: Friday, July 30, 2010, 1:55 PM >>>> On 7/30/10 6:33 PM, Christopher >>>> Schultz wrote: >>>> >>>>> If all you want to do is set the character >> encoding, >>>> you can easily call >>>>> setCharacterEncoding and be done with it: >> subclassing >>>> and overriding >>>>> should not be necessary at all, otherwise >> nobody would >>>> have written one >>>>> of these: >>>> >>>> No, I have other reasons to mess there. >> Nevertheless, >>>> adding a filter is >>>> probably less iffy, thanks for pointing that out. >> TC7 >>>> provides a suitable >>>> example: >>>> >> .../webapps/examples/WEB-INF/classes/filters/SetCharacterEncodingFilter.java >>>> >>>>> Tomcat versions before 7.x had an option in >>>> the which could >>>>> be used to set the request URI encoding to >> that of the >>>> Content-Type of >>>>> the request (useBodyEncodingForURI) and >> another option >>>> for explicitly >>>>> and unconditionally setting the encoding to be >> used >>>> for URI decoding >>>>> (URIEncoding). I haven't read-up on Tomcat 7 >>>> behavior. >>>> >>>> 7.x Connector has the exact same options. I'll >> restate, >>>> though, that setting >>>> the Connector URIEncoding in TC7.x won't currently >> help >>>> when decoding GET >>>> parameters in a no-content-type case - without the >> filter, >>>> they will be >>>> mangled as ISO-8859-1. If this is different from >> previous >>>> behaviour, maybe I >>>> should report a bug. >>>> >>>> Thanks, >>>> //e >>>> >>>> >>>> >> --------------------------------------------------------------------- >>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org >>>> For additional commands, e-mail: users-help@tomcat.apache.org >>> >>> >>> >>> >>> >> --------------------------------------------------------------------- >>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org >>> For additional commands, e-mail: users-help@tomcat.apache.org >>> >> >> >> >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org >> For additional commands, e-mail: users-help@tomcat.apache.org >> >> > > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org > For additional commands, e-mail: users-help@tomcat.apache.org > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org For additional commands, e-mail: users-help@tomcat.apache.org