
Ambiguous URI legacy compliance mode #6001

Closed · gregw opened this issue Feb 23, 2021 · 3 comments · Fixed by #6003

gregw (Contributor) commented Feb 23, 2021

Jetty version
9.4.37

Description
Prior to 9.4.37, URIs with segments of %2e%2e were treated as 400 bad requests. However, URIs with %2f characters were not.
In 9.4.37 both %2e%2e and %2f are treated as ambiguous and thus as 400 bad requests, unless a compliance mode is set which allows them both.

Thus there is now no compliance mode that preserves the previous behaviour of allowing %2f but forbidding a segment of %2e%2e.

We need 3 modes:

  • Allow all ambiguous segments (the app will handle either undecoded path or doesn't care about ambiguity).
  • Legacy mode that allows %2f but not a segment of %2e%2e.
  • Default mode in which neither %2f nor a segment of %2e%2e is allowed.
@gregw gregw self-assigned this Feb 23, 2021
joakime (Contributor) commented Feb 23, 2021

What if someone wants to allow %2e%2e but not allow %2f?

How about an individual configuration for each?

  • ambiguous-2f / ambiguous-path-delim
  • ambiguous-2e2e / ambiguous-path-parent
  • ambiguous-2e / ambiguous-path-self

That way people can tweak them accordingly, without the need for complex modes?

gregw added a commit that referenced this issue Feb 24, 2021
…and se… (#6003)

Fix #4275 separate compliance modes for ambiguous URI segments and separators
joakime added a commit that referenced this issue Feb 24, 2021
…-ambiguous-uris

Fix #6001 separate compliance modes for ambiguous URI segments, params and separators
cstamas (Contributor) commented Feb 26, 2021

FTR, %2f is a MUST for npm registries, as "scoped packages" are using it. With latest Jetty we have now:

GET http://localhost:45071/@scoped%2ftest HTTP/1.1 -> HTTP/1.1 400 Ambiguous segment in URI

Reference: npm/npm#11738

gregw (Contributor, Author) commented Feb 26, 2021

For jetty-9.4.38 we are reverting to the previous behaviour. Specifically:

  • %2f in segments is allowed.
  • %2e%2e and variants are allowed.
  • ..; segments are not allowed.

This behaviour can be configured with HttpCompliance and there is a new predefined HttpCompliance.RFC7230_NO_AMBIGUOUS_URIS mode.

For jetty-10 and beyond, the default is changed to disallow all three. It is now configurable in a new UriCompliance class that can be set on HttpConfiguration.
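
As an added illustration (not code from the Jetty project or from any participant in this thread), the following Python checker classifies a raw request path into the three ambiguity categories named in this issue (an encoded separator such as %2f, an encoded dot segment such as %2e%2e and its variants, and a dot segment carrying a parameter such as ..;) and evaluates it against the modes discussed: allow-all, the legacy mode from the opening comment, the 9.4.38 default described just above, and a strict mode that rejects all three, which is what the thread calls HttpCompliance.RFC7230_NO_AMBIGUOUS_URIS. The Violation flag names, the mode constants and the detection rules are assumptions made for this example, not Jetty's API.

```python
"""Added example: classify URI paths for the ambiguities discussed in
jetty/jetty.project#6001 and apply compliance modes to them.

This is NOT Jetty's code. The names and rules below are assumptions made
for the illustration; Jetty's real classes are HttpCompliance / UriCompliance.
"""
import re
from enum import Flag, auto


class Violation(Flag):
    NONE = 0
    AMBIGUOUS_PATH_SEPARATOR = auto()  # a segment contains an encoded '/', e.g. %2f
    AMBIGUOUS_PATH_SEGMENT = auto()    # a segment decodes to "." or "..", e.g. %2e%2e
    AMBIGUOUS_PATH_PARAMETER = auto()  # a dot segment carries a parameter, e.g. "..;"


# Compliance modes, expressed as the set of violations a mode tolerates.
# (Hypothetical constant names mirroring the thread's modes, not Jetty's enum.)
ALLOW_ALL = (Violation.AMBIGUOUS_PATH_SEPARATOR
             | Violation.AMBIGUOUS_PATH_SEGMENT
             | Violation.AMBIGUOUS_PATH_PARAMETER)
LEGACY = Violation.AMBIGUOUS_PATH_SEPARATOR            # pre-9.4.37: %2f ok, %2e%2e rejected
JETTY_9_4_38_DEFAULT = (Violation.AMBIGUOUS_PATH_SEPARATOR
                        | Violation.AMBIGUOUS_PATH_SEGMENT)  # %2f and %2e%2e ok, "..;" rejected
RFC7230_NO_AMBIGUOUS_URIS = Violation.NONE             # strict: reject all three

_PCT = re.compile(r"%([0-9A-Fa-f]{2})")


def _decode(segment: str) -> str:
    """Percent-decode one segment. Only the ASCII characters '/' and '.'
    matter for these checks, so a byte-wise chr() decode is sufficient."""
    return _PCT.sub(lambda m: chr(int(m.group(1), 16)), segment)


def classify(path: str) -> Violation:
    """Return the set of ambiguities present in a raw (still encoded) path."""
    found = Violation.NONE
    # Split on the literal separator first, the way a server does before decoding.
    for raw in path.split("/"):
        if not raw:
            continue
        raw_segment, has_param, _param = raw.partition(";")
        decoded = _decode(raw_segment)
        if "/" in decoded:
            # Decoding would create an extra separator, so the path can be read
            # differently before and after decoding.
            found |= Violation.AMBIGUOUS_PATH_SEPARATOR
        if decoded in (".", ".."):
            if decoded != raw_segment:
                # Encoded dot segment (%2e%2e, %2e., .%2e, ...): normalising
                # before vs. after decoding yields different paths.
                found |= Violation.AMBIGUOUS_PATH_SEGMENT
            if has_param:
                # "..;" style: stripping the parameter turns it into a dot segment.
                found |= Violation.AMBIGUOUS_PATH_PARAMETER
    return found


def is_allowed(path: str, mode: Violation) -> bool:
    """True if every ambiguity found in the path is tolerated by the mode."""
    found = classify(path)
    return (found & mode) == found


if __name__ == "__main__":
    # Constructed sample requests, including the npm scoped-package path from the thread.
    samples = ["/@scoped%2ftest", "/a/%2e%2e/b", "/a/..;/b", "/a/%2e%2e;p/b", "/a/../b"]
    modes = {"ALLOW_ALL": ALLOW_ALL, "LEGACY": LEGACY,
             "9.4.38": JETTY_9_4_38_DEFAULT, "STRICT": RFC7230_NO_AMBIGUOUS_URIS}
    for p in samples:
        verdicts = ", ".join(f"{n}={'200' if is_allowed(p, m) else '400'}"
                             for n, m in modes.items())
        print(f"{p:16} {verdicts}")
```

Running the script shows why cstamas's npm request fails only under the strict mode: /@scoped%2ftest carries an encoded separator, which LEGACY and the 9.4.38 default tolerate, while a literal /a/../b is a plain dot segment and is never flagged because it normalises the same way before and after decoding.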

gregw added a commit that referenced this issue Mar 2, 2021
* Fix #4275 separate compliance modes for ambiguous URI segments and separators

default modes allows both ambiguous separators and segments, but still forbids ambiguous parameters

Co-authored-by: Joakim Erdfelt <joakim.erdfelt@gmail.com>
This was referenced Mar 10, 2021
@gregw gregw closed this as completed Mar 22, 2021
denis-yuen added a commit to dockstore/dockstore that referenced this issue Mar 22, 2021
denis-yuen added a commit to dockstore/dockstore that referenced this issue Mar 23, 2021
* Netty update SEAB-2606 2607 2608 2625 2631 etc
* SEAB-2602 2614 2655 etc
* Address CVE
* dealing with jetty/jetty.project#6001
@gregw gregw added this to To do in Jetty 9.4.38 via automation Mar 25, 2021
@gregw gregw moved this from To do to Done in Jetty 9.4.38 Mar 25, 2021