tomcat-users mailing list archives

From Lutischán Ferenc <lutisch...@gmail.com>
Subject Re: backslash URL encoding
Date Thu, 09 May 2013 15:05:25 GMT
Dear Dan,

Thanks for your suggestion.
I tried it, but it didn't work for me (Tomcat started with parameter: -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true).
In my tomcat log:
127.0.0.1 - - [09/May/2013:15:34:54 +0200] "GET /angol-magyar-szotar/w%5C HTTP/1.1" 400 -

Regards,
     Ferenc

On May 8, 2013, at 9:09 AM, Lutischán Ferenc wrote:

 > Dear Dan,
 >
 > Thanks for your reply.
 >
 > 1. This site is a dictionary:
 > - Windows users often enter a "\" in place of "/"
 > - Rarely there are "\" in the phrases

I think what you're looking for is this...

org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true

https://tomcat.apache.org/tomcat-7.0-doc/config/systemprops.html#Security

If you set it to true, it should allow '%2F' and '%5C' in your URL.

This has security implications though.  Please read the following link for CVE-2007-0450.

https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.10

Dan

On May 8, 2013, at 8:46 AM, Lutischán Ferenc wrote:
>> Dear Users,
>>
>> Tomcat 7.0.39.
>>
>> I have a problem with the following URL in Firefox 20:
>> http://dictzone.com/english-german-dictionary/a\  (it resulted in the http://dictzone.com/english-german-dictionary/a%5C request).
> Why do you have a "\" on the end of the URL?  Is that intentional?  Does it work if you remove it?
>
>> It results in an empty page.
> What is the HTTP Status code being returned with the request?  4xx?  5xx?
>
>
>> This request doesn't arrive at my servlet / filter code.
> Please include your servlet mapping from web.xml.
>
>
> Dan
>
>
>> How to fix it?
>>
>> Regards,
>>      Ferenc
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>
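
An added example, not part of the thread and not Tomcat source code: a simplified Python model of why the logged request still returns 400 with ALLOW_ENCODED_SLASH=true. It assumes Tomcat 7 applies two separate checks to the request path, and it uses the property `org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH`, which is not mentioned in the thread but is listed in the same Security section of the system-properties page linked above. All function names are hypothetical.

```python
import re

class BadRequest(Exception):
    """Stands in for the HTTP 400 seen in the access log."""

def percent_decode(path, allow_encoded_slash=False):
    # Check 1, modelled on UDecoder.ALLOW_ENCODED_SLASH: while decoding %xx
    # escapes, only an escape that decodes to '/' is refused. '%5C' passes.
    raw, out, i = path.encode("ascii"), bytearray(), 0
    while i < len(raw):
        if raw[i:i + 1] != b"%":
            out.append(raw[i])
            i += 1
            continue
        pair = raw[i + 1:i + 3]
        if not re.fullmatch(rb"[0-9A-Fa-f]{2}", pair):
            raise BadRequest("malformed escape")
        if int(pair, 16) == ord("/") and not allow_encoded_slash:
            raise BadRequest("encoded slash")
        out.append(int(pair, 16))
        i += 3
    return out.decode("utf-8", "replace")

def normalize(path, allow_backslash=False):
    # Check 2, modelled on CoyoteAdapter.ALLOW_BACKSLASH: a '\' in the decoded
    # path is refused, or rewritten to '/' and treated as a path delimiter.
    if "\\" in path:
        if not allow_backslash:
            raise BadRequest("backslash in path")
        path = path.replace("\\", "/")
    parts = []
    for seg in path.split("/")[1:]:
        if seg in ("", "."):
            continue                      # collapse '//' and '/./'
        if seg == "..":
            if not parts:
                raise BadRequest("path escapes root")
            parts.pop()
        else:
            parts.append(seg)
    tail = "/" if parts and path.endswith("/") else ""
    return "/" + "/".join(parts) + tail

def handle(path, allow_encoded_slash=False, allow_backslash=False):
    """Return the path the application would see, or a '400 (...)' marker."""
    try:
        return normalize(percent_decode(path, allow_encoded_slash), allow_backslash)
    except BadRequest as exc:
        return "400 ({})".format(exc)

# Request path from the log in this thread, with the flag the poster set.
LOGGED = "/angol-magyar-szotar/w%5C"
print(handle(LOGGED, allow_encoded_slash=True))
print(handle(LOGGED, allow_encoded_slash=True, allow_backslash=True))
```

In this model, enabling both properties does not deliver the backslash to the servlet as part of the word: it is rewritten to a path delimiter, so the application sees `/angol-magyar-szotar/w/`. That rewriting is also why the setting is security-relevant, since a proxy in front of Tomcat may interpret the same path differently.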

