Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Jetty-12 EE10 handling of %2F as Alias #8462

Closed
gregw opened this issue Aug 15, 2022 · 4 comments
Closed

Jetty-12 EE10 handling of %2F as Alias #8462

gregw opened this issue Aug 15, 2022 · 4 comments
Assignees
@lorban
Labels
Bug For general bugs on Jetty side Security

Comments

@gregw
Copy link
Contributor

gregw commented Aug 15, 2022

Jetty version(s)
jetty-12 ee10

Description

The org.eclipse.jetty.ee10.webapp.WebAppContextTest#testProtectedTarget has some important use-cases commented out with regards to handling of %2F
@gregw gregw added Bug For general bugs on Jetty side High Priority Security jetty 12 labels Aug 15, 2022
@gregw
Copy link
Contributor Author

gregw commented Aug 15, 2022

The new behaviour of servlet 6.0 allows a servletPath and/or pathInfo to contain a %2F as an encoded / character.

For example, a request to /WEB-INF%2Ftest.xml is currently resolving to a Resource with:

path=/home/gregwilkins/src/jetty-12/jetty-ee10/jetty-ee10-webapp/src/test/webapp/WEB-INF/test.xml
uri=file:/home/gregwilkins/src/jetty-12/jetty-ee10/jetty-ee10-webapp/src/test/webapp/WEB-INF%2Ftest.xml
alias=null

So this has been resolved incorrectly. Either the path should be for the (probably) non-existent WEB-INF%2Ftest.xml OR if it does resolve to WEB-INF/test.xml then is should be seen as an alias for that.

gregw added a commit that referenced this issue Aug 15, 2022
@gregw
Work around for #8462 ee10 handling of %2F
edba0c3 
This is a provisional workaround for #8462 that fixes the bugs in URIUtil that were preventing encoded %2F being seen as an alias.

However, the better ultimate fix would be to see an encoded request as a request for a path segment that includes %2F.
@gregw
Copy link
Contributor Author

gregw commented Aug 15, 2022

Commit edba0c3 "fixes" this issue by fixing a big in URIUtil that prevented the resource from being seen as an alias.
However, a real fix should involve allowing an encoded %2F to be used to select a resource that actually has an encoded / in the filename? So I'm leaving this open for now.

@joakime
Copy link
Contributor

joakime commented Aug 15, 2022

Commit edba0c3 broke the org.eclipse.jetty.util.resource.FileSystemResourceTest.testAccessUniCodeFile test.
Looking into it now.

@lorban lorban mentioned this issue Sep 2, 2022
Merged
@olamy olamy moved this to To do in Jetty 12.0.ALPHAS Sep 7, 2022
joakime added a commit that referenced this issue Sep 8, 2022
@joakime
Issue #8462 - Adding testcase to prove out behavior
3d1150f
joakime added a commit that referenced this issue Sep 9, 2022
@joakime
Merge pull request #8574 from eclipse/fix/jetty-12-resource-access-pc…
3ce3026 
…t-2f

Issue #8462 - Jetty 12 - Adding testcase to prove out "%2F" access behavior in ee10 mode
@olamy olamy mentioned this issue Dec 26, 2022
Merged
@joakime
Copy link
Contributor

joakime commented Jan 25, 2023

Closing, as we have plenty of test cases for this now in Jetty-12

@joakime joakime closed this as completed Jan 25, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@lorban lorban

Labels
Bug For general bugs on Jetty side Security
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@gregw @joakime @lorban