https://bz.apache.org/bugzilla/show_bug.cgi?id=62459
Bug ID: 62459
Summary: mod_jk: Forwarding URLs containing escaped slashes
(e.g. for REST services) fail with syntactical-wrong
double-escaping
Product: Tomcat Connectors
Version: 1.2.42
Hardware: Other
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_jk
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
The RFC defines that it's not forbidden to use a slash ('/') itself within the
entity payload of a path element of an URL, but this have to be encoded in the
well known manner ("%2F").
One (like us) will need the feature for an implementation of REST-Service.
For reasons of security, one have to enable the processing of slash as a
allowed character of the URL, one have explicit to enable this inside a VHost
of the Apache httpd, first. This option is named 'AllowEncodedSlashes'. With
the default ('Off'), an URL containing an encoded slash will be rejected (with
an RC 404). A value of "On" will allow the processing, but the incoming '%2F'
will be unescaped with no care of the semantic, which is pointless if it's
inside a path element. The value "NoDecode" will allow "%2F" an keep it
encoded.
Now, it's up to mod_jk to forwarded this URL to the application server. There
are four implemented methods, choosen by '+ForwardURIxxx'. The current default
(since 1.2.24) is called "+ForwardURIProxy" which may be treated as an
successor of the former "ForwardURICompatUnparsed" (1.2.23) and
"ForwardURICompat" (1.2.22)
I think the current "+ForwardURIProxy" is meant to address and solve such
problems. But it don't catch this here. It's said that ["the forwarded URI will
be partially reencoded after processing inside Apache and before forwarding"].
And this will be done without care about the semantic part of the URL. Here,
the precent character of the "saved" representation of the slash (as '%2F')
will be re-encoded as '%25'. This result into forwarding an syntactical wrong
URL containing the string '%252F' to the application server.
As a "unacceptable" workaround, one may use the mode
"+ForwardURICompatUnparsed" for mod_jk. This will advise mod_jk to forward the
original unprocessed copy of the incoming URL instead of the httpd enginge
current representation. This override all other URL processing done so far by
other modules; with other words you can't use any other tooling like
mod_rewrite in this case.
It may be difficult to detect at the code path of mod_jk that some levels
before some code within the httpd have "saved" the escaped slash. But I think
it should be correct by heuristic to *not* encode a percent ('%') if (and only
if) it's followed by the hexdigits '2F' at this place, because there should be
no other source for this as from the httpd option "AllowEncodedSlashes
NoDecode". A correct implementation will take account of the semantic parts of
the URL, the value of this option and will avoid the wrong double-escaping
('%252F') just in the right case.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
