Task #2451

Bug #2449: knb unicode identifier create and get failures

trailing backslash in url rejected by knb web server

Added by Rob Nahf about 12 years ago. Updated about 12 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Ben Leinfelder
Category:
-
Start date:
2012-03-07
Due date:
% Done:

100%

Milestone:
CCI-1.0.0
Product Version:
*
Story Points:
Sprint:

Description

Test 8: Error: get : common-unicode-ascii-escaped-tomcatBlocked-\
Test 9: OK : : common-unicode-ascii-escaped-tomcatBlocked-%5C

Test 8 returns a non-DataONE HTTP status "400: BadRequest", with no associated message.

First suspect should be tomcat configuration

History

#1 Updated by Ben Leinfelder about 12 years ago

  • Assignee set to Ben Leinfelder

Is this documented? Since it requires specific configuration of Tomcat and not something we can control in Metacat code, it makes it very difficult for us to guarantee that this test will pass for all deployments of Metacat that we do not have control over. I reconfigured my local Tomcat and was able to use backslashes.

See: http://tomcat.apache.org/security-6.html
The pertinent details from that page:

Tomcat permits '\', '%2F' and '%5C' as path delimiters. When Tomcat is used behind a proxy (including, but not limited to, Apache HTTP server with mod_proxy and mod_jk) configured to only proxy some contexts, a HTTP request containing strings like "/../" may allow attackers to work around the context restriction of the proxy, and access the non-proxied contexts.
The following Java system properties have been added to Tomcat to provide additional control of the handling of path delimiters in URLs (both options default to false):
org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH: true|false
org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH: true|false
Due to the impossibility to guarantee that all URLs are handled by Tomcat as they are in proxy servers, Tomcat should always be secured as if no proxy restricting context access was used.
Affects: 6.0.0-6.0.9

#2 Updated by Robert Waltz about 12 years ago

On the CNs, it was necessary to add the following lines to catalina.properties

org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true
org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true

in order to allow pids with encoded slashes to be correctly interpreted by the D1 endpoints.
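
The two things this thread turns on, as an added example that is not part of the ticket and not Metacat or DataONE code: a client must percent-encode a pid containing a backslash or slash so that it travels as a single path segment (which is why test 9's %5C form succeeds while test 8's raw backslash is refused), and an operator wants a quick way to confirm that a given catalina.properties actually carries the two lines above. The base URL, the /object/{pid} path layout and the properties excerpts are constructed for the example; only the two property names and the two test identifiers come from the thread.

```python
import re
from urllib.parse import quote, unquote

# Identifiers taken from tests 8 and 9 in the ticket description: the first
# ends in a literal backslash, the second in the literal characters "%5C".
PID_WITH_BACKSLASH = "common-unicode-ascii-escaped-tomcatBlocked-\\"
PID_ENCODED_BACKSLASH = "common-unicode-ascii-escaped-tomcatBlocked-%5C"

# Hypothetical service base; the "/object/{pid}" layout is an assumption.
BASE_URL = "https://example.org/metacat/d1/mn/v1"

# The two catalina.properties keys quoted in the thread, with the value the
# CNs needed. Dict order is the order the check reports them in.
REQUIRED_PROPERTIES = {
    "org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH": "true",
    "org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH": "true",
}


def encode_pid_segment(pid: str) -> str:
    """Percent-encode a pid so it is one path segment, never a delimiter.

    safe="" makes quote() escape '/' as %2F, '\\' as %5C and a literal '%' as
    %25, so a pid that already contains "%5C" is double-encoded rather than
    being silently turned into a backslash by the server's decoder.
    """
    return quote(pid, safe="")


def decode_pid_segment(segment: str) -> str:
    """Inverse of encode_pid_segment for a single decoded path segment."""
    return unquote(segment)


def object_url(pid: str) -> str:
    """Build the (assumed) /object/{pid} URL with the pid safely encoded."""
    return f"{BASE_URL}/object/{encode_pid_segment(pid)}"


def parse_properties(text: str) -> dict:
    """Minimal java.util.Properties reader: key=value or key:value, with
    '#' and '!' comment lines skipped. Line continuations are not handled."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def missing_path_delimiter_settings(text: str) -> list:
    """Return the required keys that are absent or not set to 'true'."""
    props = parse_properties(text)
    return [key for key, wanted in REQUIRED_PROPERTIES.items()
            if props.get(key, "").lower() != wanted]


# Constructed catalina.properties excerpts, not from any real deployment.
DEFAULT_PROPERTIES = """\
# Tomcat default: neither option present, so both default to false
package.access=sun.,org.apache.catalina.
org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=false
"""

FIXED_PROPERTIES = """\
package.access=sun.,org.apache.catalina.
org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true
org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true
"""

if __name__ == "__main__":
    for pid in (PID_WITH_BACKSLASH, PID_ENCODED_BACKSLASH, "doi:10.1/a/b"):
        url = object_url(pid)
        back = decode_pid_segment(url.rsplit("/", 1)[1])
        print(f"{pid!r:55} -> {url}  round-trip ok: {back == pid}")
    for label, text in (("default", DEFAULT_PROPERTIES), ("fixed", FIXED_PROPERTIES)):
        print(f"{label}: missing {missing_path_delimiter_settings(text)}")
```

The encoding helper is the client-side half of the fix: once the pid is escaped, the path never contains a raw backslash for Tomcat to reject. The properties check is the operator-side half for the concern raised in comment #1, that every deployment has to carry the two lines; bear in mind the Tomcat note quoted there, that enabling these options is only safe where Tomcat is secured as if no proxy restricted context access.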

#3 Updated by Ben Leinfelder about 12 years ago

  • Status changed from New to Closed

Added to Metacat documentation.
Verified that it is in the cn-buildout.
Set the options on DEMO1-4
