Am 24.09.2020 um 12:02 schrieb Nils Breunese:
Hello,
I recently learned that when a server that supports path parameters [0] — like
Tomcat (I found Jetty also does) — is run behind a reverse proxy that does
path-based access control checks and does not support path parameters, your
combined setup could be vulnerable.
Consider this setup:
1. A Tomcat application without access restrictions
2. An reverse proxy that only allows requests to /v1/* on the Tomcat
application. I’ve used Envoy on Kubernetes, configured via Istio’s Role-Based
Access Control (RBAC), but also observed this issue with other proxies.
Now I send a request for /v1/..;color=red/internal/secret to the proxy.
- Envoy allows the request based on the /v1/* rule, because it does not support
path parameters, because they are not part of any recent standard (RFC 2396
dropped them in 1998 [1])
> ...
That is very misleading.
RFC 2396 *extended* path parameters to be applicable to each path
segment, see
<https://greenbytes.de/tech/webdav/rfc2396.html#rfc.section.3.3>.
RFC 3986 further generalized things (see last paragraph of
<https://www.greenbytes.de/tech/webdav/rfc3986.html#rfc.section.3.3>).
They have not been "dropped".
Best regards, Julian
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
