Mark,
On 9/24/20 12:41, Mark Thomas wrote:
> On 24/09/2020 17:28, Christopher Schultz wrote:
>
> <snip/>
>
>> Tomcat will only use path parameters in the final segment of a URL e.g.
>> https://www.example.com/app/servlet;jsessionid=ABCD1234?q=search
>
> Not quite. Tomcat will only *add* the jsessionid at the end but it will
> accept it on any segment.
Good point, but I would expect applications don't generally /move/ that
path parameter for any reason, so a deny rule for such things should
probably be both effective and otherwise benign.
> Internally, Tomcat has an API to access path parameters but it only
> tracks name and value (as that is all that is required to extract
> jsessionid). It would be trivial to extend it to include path
> information as well.
I hadn't thought of that, but it's obvious when looking at the API. A
change to that API to make it "better" would probably be weird.
Something like this maybe:
URL: /a;x=1/b;y=2/c;z=2;q=4
request.getPathParameter("x") -> "1"
request.getPathParameters() -> [ x=1, y=2, z=2, q=4 ]
request.getPathParameters("/a") -> [ x=1 ]
request.getPathParameters("/a/b") -> [ y=2 ]
request.getPathParameters("/a/b/c") -> [ z=2, q=4 ]
>> Assuming your application doesn't use path-parameters for anything else,
>> you should be able to detect and block any non-terminal path-segment
>> which contains a parameter and simply refuse the request with 400 or
>> something similar.
>
> That is probably the simplest option in this case.
It's what I would do if I (a) wanted to host secret and non-secret stuff
on the same backend server and (b) didn't feel like securing my
application(s).
-chris
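As an added example (not code from the thread or from Tomcat), here is a servlet Filter that implements the deny rule discussed above: it rejects with 400 any request whose path carries a ";name=value" path parameter in a segment other than the last one, and it also includes a small parser that groups path parameters by segment in the way the API sketch in this message imagines. The class, method and attribute names are hypothetical. It assumes Tomcat 9 (javax.servlet; use jakarta.servlet on Tomcat 10 and later) and that getRequestURI() returns the undecoded URI with path parameters still present, which is Tomcat's behaviour.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter: refuses requests that carry path parameters in any
 * non-terminal path segment. Tomcat only ever *adds* jsessionid to the last
 * segment, so a well-behaved client never needs parameters anywhere else.
 */
public class NonTerminalPathParameterFilter implements Filter {

    /**
     * Groups path parameters by the segment they are attached to, e.g.
     * "/a;x=1/b;y=2/c;z=2;q=4" -> {"/a"=[x=1], "/a/b"=[y=2], "/a/b/c"=[z=2, q=4]}.
     * Operates on the raw (undecoded) URI, which is also what Tomcat parses.
     */
    static Map<String, List<String>> pathParametersBySegment(String rawUri) {
        Map<String, List<String>> result = new LinkedHashMap<>();
        StringBuilder path = new StringBuilder();
        for (String segment : rawUri.split("/")) {
            if (segment.isEmpty()) {
                continue; // leading slash or doubled slash
            }
            String[] parts = segment.split(";");
            path.append('/').append(parts[0]);
            List<String> params = new ArrayList<>();
            for (int i = 1; i < parts.length; i++) {
                if (!parts[i].isEmpty()) {
                    params.add(parts[i]); // kept as "name=value" text
                }
            }
            result.put(path.toString(), params);
        }
        return result;
    }

    /**
     * True if a ';' appears anywhere before the final path segment.
     * A trailing slash ("/a;x=1/") counts as non-terminal, the conservative choice.
     */
    static boolean hasNonTerminalPathParameter(String rawUri) {
        int lastSlash = rawUri.lastIndexOf('/');
        return lastSlash > 0 && rawUri.substring(0, lastSlash).indexOf(';') >= 0;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // Assumption: on Tomcat, getRequestURI() still contains ";name=value" parts.
        String rawUri = request.getRequestURI();
        if (hasNonTerminalPathParameter(rawUri)) {
            // Expose the parsed view to a logging filter or error page, if wanted.
            request.setAttribute("pathParametersBySegment", pathParametersBySegment(rawUri));
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Register it in web.xml (or with @WebFilter) on the url-pattern "/*" ahead of the application's other filters. One caveat worth knowing: Tomcat parses the path parameters, and notes any jsessionid it finds, during request mapping, before any Filter runs, so this rule stops the application from serving the request rather than stopping the container from seeing the parameter. If the goal is to keep such requests away from the backend altogether, the same "no ';' before the last '/'" test belongs in the front-end proxy or in a Valve.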
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]