Bug #2449: knb unicode identifier create and get failures
trailing backslash in url rejected by knb web server
Test 8: Error: get : common-unicode-ascii-escaped-tomcatBlocked-\
Test 9: OK : : common-unicode-ascii-escaped-tomcatBlocked-%5C
Test 8 returns a non-DataONE HTTP status "400: BadRequest", with no associated message.
First suspect should be Tomcat configuration
#1 Updated by Ben Leinfelder over 9 years ago
- Assignee set to Ben Leinfelder
Is this documented? Since it requires specific configuration of Tomcat and is not something we can control in Metacat code, it makes it very difficult for us to guarantee that this test will pass for all deployments of Metacat that we do not have control over. I reconfigured my local Tomcat and was able to use backslashes.
The pertinent details from that page:
Tomcat permits '\', '%2F' and '%5C' as path delimiters. When Tomcat is used behind a proxy (including, but not limited to, Apache HTTP server with mod_proxy and mod_jk) configured to only proxy some contexts, a HTTP request containing strings like "/../" may allow attackers to work around the context restriction of the proxy, and access the non-proxied contexts.
The following Java system properties have been added to Tomcat to provide additional control of the handling of path delimiters in URLs (both options default to false):
Due to the impossibility to guarantee that all URLs are handled by Tomcat as they are in proxy servers, Tomcat should always be secured as if no proxy restricting context access was used.
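The proxy/Tomcat mismatch described in the quoted Tomcat text, as an added example (not Metacat or Tomcat code): a log-review check that flags request paths whose routed context changes once `\`, `%5C` and `%2F` are treated as path delimiters. The function names, the `/public`, `/internal` and `/metacat/object` paths and the sample requests are constructed for illustration, and both routing models are simplifying assumptions.

```python
import posixpath
import re

# Delimiters the quoted Tomcat text lists besides '/': literal '\', %5C and %2F.
_EXTRA_DELIMS = re.compile(r"%2f|%5c|\\", re.IGNORECASE)

def _context(path):
    """First path segment after resolving '.' and '..' (what a router matches on)."""
    segments = [s for s in posixpath.normpath(path).split("/") if s not in ("", ".")]
    return "/" + segments[0] if segments else "/"

def proxy_context(raw_path):
    """Assumed proxy behaviour: only a literal '/' separates path segments."""
    return _context(raw_path)

def permissive_backend_context(raw_path):
    """Assumed backend behaviour: backslash, %5C and %2F also separate segments."""
    return _context(_EXTRA_DELIMS.sub("/", raw_path))

def context_mismatch(raw_path):
    """True when the proxy and a permissive backend would route to different contexts."""
    return proxy_context(raw_path) != permissive_backend_context(raw_path)

# Constructed sample request paths (not taken from any real log).
SAMPLES = [
    "/metacat/object/common-unicode-ascii-escaped-tomcatBlocked-%5C",  # identifier from Test 9
    "/public/../internal",             # literal '/../': both sides resolve it the same way
    "/public/..%5Cinternal/status",    # encoded backslash used as a delimiter
    "/public/..\\internal/status",     # literal backslash used as a delimiter
    "/public/a%2F..%2F..%2Finternal",  # encoded slash used as a delimiter
]

def review(paths=SAMPLES):
    """Return the paths a reviewer should look at: the two views disagree."""
    return [p for p in paths if context_mismatch(p)]

if __name__ == "__main__":
    for p in SAMPLES:
        verdict = "MISMATCH" if context_mismatch(p) else "ok"
        print(f"{verdict:8} proxy={proxy_context(p):10} "
              f"backend={permissive_backend_context(p):10} {p}")
```

The identifier with a trailing `%5C` is not flagged, because a trailing delimiter does not change the context; only paths that combine the extra delimiters with `..` are.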
#2 Updated by Robert Waltz over 9 years ago
On the CNs, it was necessary to add the following lines to catalina.properties
in order to allow pids with encoded slashes to be correctly interpreted by the D1 endpoints.