Task #2451
Bug #2449: knb unicode identifier create and get failures
trailing backslash in url rejected by knb web server
100%
Description
Test 8: Error: get : common-unicode-ascii-escaped-tomcatBlocked-\
Test 9: OK : : common-unicode-ascii-escaped-tomcatBlocked-%5C
tests 8, returns a non-dataone http status "400: BadRequest", with no associated message.
First suspect should be tomcat configuration
History
#1 Updated by Ben Leinfelder almost 13 years ago
- Assignee set to Ben Leinfelder
Is this documented? SInce it requires specific configuration of Tomcat and not something we can control in Metacat code, it makes it very difficult for us to guarantee that this test will pass for all deployments of Metacat that we do not have control over. I reconfigured my local Tomcat and was able to use backslashes.
See: http://tomcat.apache.org/security-6.html
The pertinent details form that page:
Tomcat permits '\', '%2F' and '%5C' as path delimiters. When Tomcat is used behind a proxy (including, but not limited to, Apache HTTP server with mod_proxy and mod_jk) configured to only proxy some contexts, a HTTP request containing strings like "/../" may allow attackers to work around the context restriction of the proxy, and access the non-proxied contexts.
The following Java system properties have been added to Tomcat to provide additional control of the handling of path delimiters in URLs (both options default to false):
org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH: true|false
org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH: true|false
Due to the impossibility to guarantee that all URLs are handled by Tomcat as they are in proxy servers, Tomcat should always be secured as if no proxy restricting context access was used.
Affects: 6.0.0-6.0.9
#2 Updated by Robert Waltz almost 13 years ago
On the CNs, it was necessary for the addition of the following lines to catalina.properties
org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true
org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true
in order to allow pids with encoded slashes to be correctly interpreted by the D1 endpoints.
#3 Updated by Ben Leinfelder almost 13 years ago
- Status changed from New to Closed
Added to Metacat documentation.
Verified that it is in the cn-buildout.
Set the options on DEMO1-4