Re: [jetty-dev] http 400 Ambiguous URI path encoding

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [jetty-dev] http 400 Ambiguous URI path encoding

From: Joakim Erdfelt <joakim@xxxxxxxxxxx>
Date: Sun, 25 Jul 2021 08:40:36 -0500
Delivered-to: jetty-dev@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/jetty-dev/>
List-help: <mailto:jetty-dev-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/jetty-dev>, <mailto:jetty-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/jetty-dev>, <mailto:jetty-dev-request@eclipse.org?subject=unsubscribe>

Sounds like you are still on the legacy uri compliance mode.

Switch to UriCompliance.RFC3986 and it should behave as you want.

On Sun, Jul 25, 2021 at 3:32 AM <paul.palaszewski@xxxxxxxxxxxxxxx> wrote:

Hi,

we get that error with the jetty 10.0.6 for the URL /pics/303318_100%25rPET%20Delicontainer_md-12.jpg

OK, the filename contains a % .. but according to my understanding of rfc3986 that’s ok as long as it’s encoded. At least it was for the last 25+ years.
jetty-http/src/main/java/org/eclipse/jetty/http/HttpURI.java line 1210+ does this ambiguous check … I can understand, that you were trying to limit uncommon and bad requests .. but I think, this time you overreacted in the wrong place. For me, this issue has two dimensions:
Did you really want to drop support for % in filenames?
Is it now common sense, that web clients are not allowed anymore to encode things that don’t have to be encoded?? In that regard, I would also doubt that encoding a / should cause a bad request.

It does not improve security – for a security check, you first need to decode the path and then check, if it’s allowed to access it. 99% of those checks should happen within jetty, you should have no problem checking that in the right place. For the remaining 1% it might help to improve the documentation, but I doubt that that will make any difference.

Please don’t hesitate to correct me, if I’m wrong.

Regards,
Paul

BDM Business Data Management GmbH
Ing. Paul Palaszewski
Geschäftsführer
Mobil: +43 650 37 36 030
E-Mail: paul.palaszewski@xxxxxxxxxxxxxxx

Gödelgasse 8/184
1100 Wien
Firmenbuch: FN 242059w, Handelsgericht Wien
UID: ATU57685758

Diese E-Mail enthält vertrauliche und/oder rechtlich geschützte Informationen. Wenn Sie nicht der richtige Adressat sind oder diese E-Mail irrtümlich erhalten haben, informieren Sie bitte sofort den Absender und vernichten Sie diese Mail. Das unerlaubte Kopieren sowie die unbefugte Weitergabe dieser Mail sind nicht gestattet.

This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorised copying, disclosure or distribution of the material in this e-mail is strictly forbidden.

_______________________________________________
jetty-dev mailing list
jetty-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jetty-dev

References:
- [jetty-dev] http 400 Ambiguous URI path encoding
  - From: paul.palaszewski

Prev by Date: [jetty-dev] http 400 Ambiguous URI path encoding
Next by Date: Re: [jetty-dev] http 400 Ambiguous URI path encoding
Previous by thread: [jetty-dev] http 400 Ambiguous URI path encoding
Next by thread: Re: [jetty-dev] http 400 Ambiguous URI path encoding
Index(es):
- Date
- Thread

Breadcrumbs