On 07/12/2023 22:42, Kalaivani Sengottaiyan wrote:
On Thu, Dec 7, 2023 at 2:34 PM Kalaivani Sengottaiyan <kalaivani.sengottai...@veeva.com> wrote:

In one of our sample cases, this is the URL recorded by nginx:

"-" 127.0.0.1 - - [07/Dec/2023:21:59:30 +0000] "GET
/233.0.100?event=autoproc&fn=F%D0%A9%E4%B8%AD%E7%A2%BA%C5%98%C3%86W%C5%A0d%27%C3%9C%CE%94%C3%A1%21%C3%A8%E3%81%AB%EB%AC%B8%C5%84n%C2%B0%C8%99%D0%B4%C4%BE%C3%B3%C3%A1%C3%A5%E0%B8%84%E0%B9%89%C3%A7%D0%B6%C4%90.zip&cksum=1225205368&addparms=Name%7C%7C%7CF%D0%A9%E4%B8%AD%E7%A2%BA%C5%98%C3%86W%C5%A0d%27%C3%9C%CE%94%C3%A1%21%C3%A8%E3%81%AB%EB%AC%B8%C5%84n%C2%B0%C8%99%D0%B4%C4%BE%C3%B3%C3%A1%C3%A5%E0%B8%84%E0%B9%89%C3%A7%D0%B6%C4%90%3B%3B%3B
HTTP/1.1" 200 0 "-" "curl/7.79.1"


When the request is received by the application running within Tomcat, the URL
is decoded as


URL=http://localhost:8080/233.0.100?event=autoproc&fn=F
Щ中確ŘÆWŠd&#39;ÜΔá!èに문ńn°șдľóáåค้çжĐ.zip&cksum=1225205368&addparms=Name|||FЩ中確ŘÆWŠd&#39;ÜΔá!èに문ńn°șдľóáåค้çжĐ;;;



If I decode the fn param in the URL, it should
be FЩ中確ŘÆWŠd'ÜΔá!èに문ńn°șдľóáåค้çжĐ.zip rather than
FЩ中確ŘÆWŠd&#39;ÜΔá!èに문ńn°șдľóáåค้çжĐ.zip.
Notice the character after d. It is ' (quote), but Tomcat decodes it as "39;".
Default LANG is en_US.UTF-8 and connector in conf/server.xml.


Why is Tomcat not URL-decoding correctly?

Tomcat is decoding it correctly (I've just tested this with a trivial JSP). Something, NOT Tomcat, is HTML escaping the value. Generally, you want the HTML escaping because displaying user provided data that contains unescaped quotes is likely to expose an XSS vulnerability.

Mark
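An added illustration of the two layers Mark distinguishes, using the fn value from the quoted access-log line (this is example code written for this thread, not Tomcat's or the poster's code): percent-decoding the query recovers the literal quote, and only a separate HTML-escaping step produces `&#39;`. The `html_escape` helper and `explain_observed` are constructed here to show which layer is responsible; the `&#39;` form is chosen to match what the application observed.

```python
import html
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed from the request target quoted in the thread (as nginx logged it).
ENCODED_FN = ("F%D0%A9%E4%B8%AD%E7%A2%BA%C5%98%C3%86W%C5%A0d%27%C3%9C%CE%94%C3%A1%21%C3%A8"
              "%E3%81%AB%EB%AC%B8%C5%84n%C2%B0%C8%99%D0%B4%C4%BE%C3%B3%C3%A1%C3%A5%E0%B8%84"
              "%E0%B9%89%C3%A7%D0%B6%C4%90.zip")
REQUEST_TARGET = f"/233.0.100?event=autoproc&fn={ENCODED_FN}&cksum=1225205368"

# What the application saw once it received the parameter (from the thread).
OBSERVED_FN = "FЩ中確ŘÆWŠd&#39;ÜΔá!èに문ńn°șдľóáåค้çжĐ.zip"


def url_decode_fn(request_target: str) -> str:
    """Layer 1: percent-decoding of the query string with UTF-8, which is the
    only decoding a servlet container performs on a request parameter."""
    query = urlsplit(request_target).query
    return parse_qs(query, encoding="utf-8", errors="strict")["fn"][0]


def html_escape(text: str) -> str:
    """Layer 2: output encoding for an HTML context. This is the step that turns
    a quote into &#39;; it is an illustrative escaper, not a Tomcat API."""
    table = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;"}
    return "".join(table.get(ch, ch) for ch in text)


def render_title_attribute(filename: str) -> str:
    """Why the escaping is wanted: an escaped value cannot close the quoted
    attribute it is placed in, so a quote in a filename stays inert markup."""
    return f"<a title='{html_escape(filename)}'>download</a>"


def explain_observed(observed: str, expected: str) -> list[str]:
    """Return the decoding steps that turn an observed value into the expected
    one. Percent-decoding is tried first (the layer the thread suspected), then
    HTML-unescaping; an empty list means neither layer explains the difference."""
    steps = []
    if unquote(observed) != observed:
        steps.append("url-decode")
        observed = unquote(observed)
    if observed != expected and html.unescape(observed) == expected:
        steps.append("html-unescape")
    return steps
```

Running `explain_observed(OBSERVED_FN, url_decode_fn(REQUEST_TARGET))` reports only an HTML-unescape step, since percent-decoding leaves `&#39;` untouched.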

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
