Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [jetty-dev] http 400 Ambiguous URI path encoding

Sounds like you are still on the legacy uri compliance mode.

Switch to UriCompliance.RFC3986 and it should behave as you want.

Joakim Erdfelt / joakim@xxxxxxxxxxx

On Sun, Jul 25, 2021 at 3:32 AM <paul.palaszewski@xxxxxxxxxxxxxxx> wrote:



we get that error with the jetty 10.0.6 for the URL /pics/303318_100%25rPET%20Delicontainer_md-12.jpg


OK, the filename contains a % .. but according to my understanding of rfc3986 that’s ok as long as it’s encoded. At least it was for the last 25+ years.

jetty-http/src/main/java/org/eclipse/jetty/http/ line 1210+ does this ambiguous check … I can understand, that you were trying to limit uncommon and bad requests .. but I think, this time you overreacted in the wrong place. For me, this issue has two dimensions:

  1. Did you really want to drop support for % in filenames?
  2. Is it now common sense, that web clients are not allowed anymore to encode things that don’t have to be encoded?? In that regard, I would also doubt that encoding a / should cause a bad request.


It does not improve security – for a security check, you first need to decode the path and then check, if it’s allowed to access it. 99% of those checks should happen within jetty, you should have no problem checking that in the right place. For the remaining 1% it might help to improve the documentation, but I doubt that that will make any difference.


Please don’t hesitate to correct me, if I’m wrong.





BDM Business Data Management GmbH
Ing. Paul Palaszewski
Mobil: +43 650 37 36 030
E-Mail: paul.palaszewski@xxxxxxxxxxxxxxx

Gödelgasse 8/184

1100 Wien
Firmenbuch: FN 242059w, Handelsgericht Wien
UID: ATU57685758

Diese E-Mail enthält vertrauliche und/oder rechtlich geschützte Informationen. Wenn Sie nicht der richtige Adressat sind oder diese E-Mail irrtümlich erhalten haben, informieren Sie bitte sofort den Absender und vernichten Sie diese Mail. Das unerlaubte Kopieren sowie die unbefugte Weitergabe dieser Mail sind nicht gestattet.

This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorised copying, disclosure or distribution of the material in this e-mail is strictly forbidden.


jetty-dev mailing list
To unsubscribe from this list, visit

Back to the top