tomcat-users mailing list archives

From Daniel Mikusa <dmik...@gopivotal.com>
Subject Re: backslash URL encoding
Date Thu, 09 May 2013 19:25:24 GMT
On May 9, 2013, at 11:05 AM, Lutischán Ferenc wrote:

> Dear Dan,
> 
> Thanks for your suggestion.
> I tried it, but it didn't work for me (Tomcat started with parameter: -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true).
> In my tomcat log:
> 127.0.0.1 - - [09/May/2013:15:34:54 +0200] "GET /angol-magyar-szotar/w%5C HTTP/1.1" 400 -

My fault, I think that you need this option as well.

-Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true

I tried setting both to true and it worked for me.

Dan

> Regards,
>    Ferenc
> 
> On May 8, 2013, at 9:09 AM, Lutischán Ferenc wrote:
> 
> > Dear Dan,
> >
> > Thanks for your reply.
> >
> > 1. This site is a dictionary:
> > - Windows users often enter a "\" in place of "/"
> > - Rarely there are "\" in the phrases
> 
> I think what you're looking for is this...
> 
> org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true
> 
> https://tomcat.apache.org/tomcat-7.0-doc/config/systemprops.html#Security
> 
> If you set it to true, it should allow '%2F' and '%5C' in your URL.
> 
> This has security implications though.  Please read the following link for CVE-2007-0450.
> 
> https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.10
> 
> Dan
> 
> On May 8, 2013, at 8:46 AM, Lutischán Ferenc wrote:
>>> Dear Users,
>>> 
>>> Tomcat 7.0.39.
>>> 
>>> I have a problem with the following URL in Firefox 20:
>>> http://dictzone.com/english-german-dictionary/a\  (it resulted in the http://dictzone.com/english-german-dictionary/a%5C request).
>> Why do you have a "\" on the end of the URL?  Is that intentional?  Does it work if you remove it?
>> 
>>> It results in an empty page.
>> What is the HTTP Status code being returned with the request?  4xx?  5xx?
>> 
>> 
>>> This request doesn't arrive at my servlet / filter code.
>> Please include your servlet mapping from web.xml.
>> 
>> 
>> Dan
>> 
>> 
>>> How to fix it?
>>> 
>>> Regards,
>>>     Ferenc
>>> 
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>> 
>> 
>> 
> 


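An added example, not part of the thread and not Tomcat code: with both properties set to true, requests containing %2F or %5C are no longer answered with 400, so the access log is the place to see which of them now get through. The script assumes the access-log layout quoted in the thread; the function names and every sample line except the first are constructed.

```python
import re
from urllib.parse import unquote

# Matches the request and status fields of an access-log line like the one in the thread.
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# '%2F' and '%5C' are the encoded separators the two properties start admitting.
ENCODED_SEP_RE = re.compile(r"%(?:2f|5c)", re.IGNORECASE)


def classify(line):
    """Return a finding for requests whose path carries an encoded '/' or '\\', else None."""
    m = REQUEST_RE.search(line)
    if m is None:
        return None
    path = m.group("target").split("?", 1)[0]
    if not ENCODED_SEP_RE.search(path):
        return None
    status = int(m.group("status"))
    # Assumption: decode once and treat '\' like '/', as a lenient component might.
    segments = unquote(path).replace("\\", "/").split("/")
    dot_dot = ".." in segments
    if status == 400:
        verdict = "rejected"   # same outcome as the log line quoted in the thread
    elif dot_dot:
        verdict = "review"     # separator was admitted and forms a '..' segment
    else:
        verdict = "accepted"   # e.g. a dictionary lookup ending in '\'
    return {"path": path, "status": status, "verdict": verdict}


def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, lines) if f is not None]


# First line is the one quoted in the thread; the rest are constructed samples.
SAMPLE_LOG = [
    '127.0.0.1 - - [09/May/2013:15:34:54 +0200] "GET /angol-magyar-szotar/w%5C HTTP/1.1" 400 -',
    '127.0.0.1 - - [09/May/2013:21:30:02 +0200] "GET /angol-magyar-szotar/w%5C HTTP/1.1" 200 5120',
    '127.0.0.1 - - [09/May/2013:21:31:10 +0200] "GET /angol-magyar-szotar/..%5c..%5Cx HTTP/1.1" 404 -',
    '127.0.0.1 - - [09/May/2013:21:31:44 +0200] "GET /angol-magyar-szotar/word HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f'{finding["verdict"]:9} {finding["status"]} {finding["path"]}')
```

Lines marked "review" are the ones to compare against the CVE-2007-0450 note linked in the thread, especially when a proxy sits in front of Tomcat.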

