tomcat-users mailing list archives

From Daniel Mikusa <dmik...@gopivotal.com>
Subject Re: backslash URL encoding
Date Wed, 08 May 2013 13:56:46 GMT
On May 8, 2013, at 9:09 AM, Lutischán Ferenc wrote:

> Dear Dan,
> 
> Thanks for your reply.
> 
> 1. This site is a dictionary:
> - Windows users often enter a "\" in place of "/"
> - Rarely there are "\" in the phrases

I think what you're looking for is this…

  org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true

        https://tomcat.apache.org/tomcat-7.0-doc/config/systemprops.html#Security

If you set it to true, it should allow '%2F' and '%5C' in your URL.

This has security implications though.  Please read the following link for CVE-2007-0450.

 https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.10

Dan


> 
> 2. The returned status code is: 400 Bad Request
> 
> 3. Mappings:
>    <servlet>
>        <servlet-name>index</servlet-name>
>        <servlet-class>com.ys.dictzone.Index</servlet-class>
>    </servlet>
>    <servlet-mapping>
>        <servlet-name>index</servlet-name>
>        <url-pattern>/*</url-pattern>
>    </servlet-mapping>
>    <servlet-mapping>
>        <servlet-name>error404</servlet-name>
>        <url-pattern>/error404</url-pattern>
>    </servlet-mapping>
>    <servlet-mapping>
>        <servlet-name>error500</servlet-name>
>        <url-pattern>/error500</url-pattern>
>    </servlet-mapping>
>    <filter>
>        <filter-name>SimpleCachingHeadersPageCachingFilter</filter-name>
>        <filter-class>com.ys.cache.GzipCachingFilter</filter-class>
>        <init-param>
>            <param-name>suppressStackTrace</param-name>
>            <param-value>false</param-value>
>        </init-param>
>    </filter>
>    <filter-mapping>
>        <filter-name>SimpleCachingHeadersPageCachingFilter</filter-name>
>        <url-pattern>/*</url-pattern>
>    </filter-mapping>
> 
> Regards,
>      Ferenc
> 
> 
> On 2013.05.08. 14:53, Daniel Mikusa wrote:
>> On May 8, 2013, at 8:46 AM, Lutischán Ferenc wrote:
>> 
>>> Dear Users,
>>> 
>>> Tomcat 7.0.39.
>>> 
>>> I have a problem with the following URL in Firefox 20:
>>> http://dictzone.com/english-german-dictionary/a\ (it resulted in the http://dictzone.com/english-german-dictionary/a%5C request).
>> Why do you have a "\" on the end of the URL?  Is that intentional?  Does it work if you remove it?
>> 
>>> It results in an empty page.
>> What is the HTTP Status code being returned with the request?  4xx?  5xx?
>> 
>> 
>>> This request doesn't arrive at my servlet / filter code.
>> Please include your servlet mapping from web.xml.
>> 
>> 
>> Dan
>> 
>> 
>>> How to fix it?
>>> 
>>> Regards,
>>>     Ferenc
>>> 
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>> For additional commands, e-mail: users-help@tomcat.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
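
An added example, not part of the thread and not Tomcat's own code: once ALLOW_ENCODED_SLASH=true lets '%2F' and '%5C' through, the application can check the undecoded request path itself before using it. The class name, the policy (a decoded separator only in the last path segment, no dot segments anywhere) and the sample paths are assumptions made for illustration.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

// Added example; not code from the thread or from Tomcat. Names and policy are assumptions.
public class EncodedSeparatorCheck {

    // rawPath: the undecoded request path (what HttpServletRequest.getRequestURI() returns).
    static boolean isAcceptable(String rawPath) {
        String[] segments = rawPath.split("/", -1);
        for (int i = 0; i < segments.length; i++) {
            String decoded;
            try {
                // URLDecoder applies form rules and turns '+' into a space, so protect '+' first.
                decoded = URLDecoder.decode(segments[i].replace("+", "%2B"), StandardCharsets.UTF_8);
            } catch (IllegalArgumentException e) {
                return false; // malformed percent-escape such as "%5"
            }
            boolean hasSeparator = decoded.indexOf('/') >= 0 || decoded.indexOf('\\') >= 0;
            // Assumed policy: only the last segment (the looked-up phrase) may decode to a separator.
            if (hasSeparator && i != segments.length - 1) {
                return false;
            }
            // Treat '/' and '\' alike, the way a Windows-aware component might, and refuse dot segments.
            for (String part : decoded.split("[/\\\\]", -1)) {
                if (part.equals(".") || part.equals("..")) {
                    return false;
                }
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample paths, modelled on the URL in the thread.
        String[] samples = {
            "/english-german-dictionary/a%5C",
            "/english-german-dictionary/a%2Fb",
            "/english-german-dictionary/..%5Cx",
            "/a%5Cb/english-german-dictionary/word",
            "/english-german-dictionary/a%5"
        };
        for (String path : samples) {
            System.out.println((isAcceptable(path) ? "accept " : "reject ") + path);
        }
    }
}
```

A doubly encoded value such as `%255C` decodes once to the literal text `%5C`, so this check assumes nothing downstream decodes the path a second time.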

