Story #1147
Apache2 blocks escaped "/" in URL paths, although it should not (longstanding bug)
100%
Description
Apache2 is supposed to allow escaped "/" (as %2F) with the AllowEncodedSlashes directive, but thorough research and testing shows that it does not. Opinion in technical forums offers solutions, but they do not work. The Apache bug offers a patch for earlier versions, but nothing rolled into their product. Have to assume the bug is unresolved.
Escaped slashes and backslashes in the URI query section do not get blocked, and log analysis shows the calls making it through mod_jk (the connector) to Tomcat.
The work needing to be done to implement this approach is:
- testing Tomcat to make sure it can handle %5C and %2F (escaped backslash and slash) in query sections
- modifying the architecture documentation
- refactoring the cn_rest controller mapping logic
- refactoring d1_libclient_java
- refactoring d1_libclient_python
- refactoring mn products?
Subtasks
History
#1 Updated by Rob Nahf almost 14 years ago
- Position set to 1
#2 Updated by Dave Vieglais almost 14 years ago
- Position deleted (29)
- Target version set to Sprint-2010.50
- Position set to 2
#3 Updated by Dave Vieglais almost 14 years ago
- Position set to 1
- Position deleted (2)
#4 Updated by Rob Nahf almost 14 years ago
Retested Apache settings, and found that putting the AllowEncodedSlashes and AcceptPathInfo in the cn VirtualHost block solved the problem.
#5 Updated by Dave Vieglais almost 14 years ago
- Status changed from New to Closed
The RequestURI variable contains the original, undecoded (i.e. still percent encoded) full path. Servlets can parse this to retrieve the uncorrupted path information, and so also any REST parameters contained therein.
See #1162
Closing this as it should be resolved by the implementation described in #1162.
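
The parsing that comment #5 describes, as an added example that is not part of the original ticket or the project's code: the undecoded request URI is split on literal "/" first and each segment is percent-decoded exactly once, so an escaped slash stays inside the identifier. It is written in Python rather than as a servlet; the `/cn/object/` route, the function names and the sample identifier are assumptions.

```python
from urllib.parse import unquote

def segments_from_raw(raw_uri):
    """Split the undecoded URI on literal '/', then percent-decode each segment once."""
    raw_path = raw_uri.partition("?")[0]          # the query string is parsed separately
    segments = []
    for raw_seg in raw_path.split("/"):
        if not raw_seg:
            continue                              # leading, doubled or trailing '/'
        # Decode once only: %252F becomes the literal text "%2F", never "/".
        seg = unquote(raw_seg, errors="strict")   # UnicodeDecodeError (a ValueError) on bad UTF-8
        # Dot segments and control characters are refused after decoding,
        # so %2E%2E cannot pass as an ordinary name.
        if seg in (".", "..") or any(ord(c) < 0x20 or ord(c) == 0x7F for c in seg):
            raise ValueError("rejected path segment: %r" % raw_seg)
        segments.append(seg)
    return segments

def segments_decode_first(raw_uri):
    """Contrast case: decode the whole path, then split. %2F turns into a separator."""
    decoded = unquote(raw_uri.partition("?")[0])
    return [s for s in decoded.split("/") if s]

def extract_identifier(raw_uri, prefix=("cn", "object")):
    """Return the one segment after the (assumed) route prefix as an opaque identifier.

    The result may contain '/' or '\\'; use it as a lookup key, not as a file path.
    """
    segs = segments_from_raw(raw_uri)
    if tuple(segs[:len(prefix)]) != tuple(prefix) or len(segs) != len(prefix) + 1:
        raise ValueError("unexpected path shape")
    return segs[-1]

# Constructed sample request URI (route and identifier are assumptions).
SAMPLE = "/cn/object/doi:10.1000%2Fabc%5Cdef?format=xml"

if __name__ == "__main__":
    print(segments_decode_first(SAMPLE))   # identifier broken into two segments
    print(extract_identifier(SAMPLE))      # identifier recovered intact
```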