On 03/02/2019 21:20, Garret Wilson wrote:
> Hi, all. I've stumbled on a situation I need some clarity on. As is typical, there's all sorts of information floating around, most of it more than a decade old, with no indication of what the current status is.
>
> Our team is creating a RESTful API (using JAX-RS implemented by RESTEasy) to a general semantic framework in which each "thing" is identified by a URI. (The framework is URF <https://urf.io/>, but that's a story for another day. It's analogous to RDF.) Basically we want to issue a GET to https://example.com/{thingURI}/description to get back info about the "thing".
>
> If we want to look up the thing identified by https://example.info/foobar, we would need to issue a request to https://example.com/https%3A%2F%2Fexample.info%2Ffoobar/description . That should be completely legal and spec-compliant, and has been since web time began.
>
> You no doubt already know the problem: Tomcat won't allow encoded slashes unless one sets system property org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH to true. Apparently there was a bug somewhere in Tomcat 6 <https://tomcat.apache.org/security-6.html#Apache_Tomcat_6.x_vulnerabilities> (back in 2007!) when used behind a proxy, as Mark explained on Stack Overflow <https://stackoverflow.com/a/19584499/421049>. Tomcat 6 is really old, and Mark's Stack Overflow message seems to hint that it's not an issue anymore.
>
> I'm not one to blindly change a setting unless I know what it's doing, and complain/advocate for change if it's no longer relevant. So I'm full of questions:
>
> * Is this even an issue anymore? If not, is there a reason not to make org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH default to true?
Yes it can be an issue. It all depends on the behaviour / configuration of the reverse proxy. You need to make sure that proxy passes the URI exactly as it received it. If it is decoding %nn sequences then at best things will break. At worst you may have security issues.

> * If this setting is still needed in some cases, is there any way to control it without resorting to a system property? (System properties are not very flexible, and Tomcat has many layers of more manipulable settings, as you all would know better than me.)

No. Moving system properties to more fine-grained configuration locations is on the TODO list.

> * If we enable encoded slashes in Tomcat, do we need to do anything in Apache to get this to work if we put it in front of Tomcat? One really old Stack Overflow post <https://stackoverflow.com/a/4443129/421049> indicated that there used to be a bug with AllowEncodedSlashes not being inherited by Apache virtual hosts. See also https://issues.sonatype.org/browse/NEXUS-10570 .

I'm not sure.

> * Do we need special configuration of mod_jk? (I haven't connected Apache to Tomcat in a while; I'm not sure of the current best practices. I'll have to read up on that.) The connectors documentation <https://tomcat.apache.org/connectors-doc/reference/apache.html> is mentioning things like ForwardURIEscaped, which looks like it may be related.

Make sure you use the latest release. Read the forwarding section carefully. I think you'll want ForwardURICompatUnparsed

> I'm not even sure I asked all the right questions, but basically: I want to use encoded slashes in my request URIs. What's the latest situation on that?

This might be useful background reading:
https://bz.apache.org/bugzilla/show_bug.cgi?id=62459

There is an open question what Tomcat should do with %2F sequences. It currently decodes them. Arguably, it should leave them alone. That might end up being a new configuration option.
Mark
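An added illustration (not code from the thread, Tomcat or RESTEasy) of Mark's point that the proxy must forward the request-target exactly as received: it models the `/{thingURI}/description` route from Garret's question and shows that decoding `%2F` before the path is split into segments breaks routing, whether the decoding happens in the proxy or in the backend. The routing functions are simplified stand-ins, not Tomcat's actual decoder.

```python
"""Why %2F must survive the proxy and the backend's path splitting unchanged.

Constructed model of the API from the thread: GET /{thingURI}/description,
where thingURI is a percent-encoded absolute URI.
"""
from urllib.parse import quote, unquote

# Request-target for the thing https://example.info/foobar (from the thread):
# /https%3A%2F%2Fexample.info%2Ffoobar/description
REQUEST_TARGET = "/" + quote("https://example.info/foobar", safe="") + "/description"


def proxy_passthrough(path: str) -> str:
    """Well-behaved reverse proxy: forwards the request-target byte-for-byte."""
    return path


def proxy_that_decodes(path: str) -> str:
    """Misconfigured reverse proxy: decodes %nn sequences before forwarding."""
    return unquote(path)


def route_description(path: str):
    """Backend that splits on '/' FIRST and decodes each segment afterwards.

    Returns the thing URI the route matched, or None when the path no longer
    has the shape /{thingURI}/description (the 'things will break' case).
    """
    segments = path.lstrip("/").split("/")
    if len(segments) != 2 or segments[1] != "description":
        return None
    return unquote(segments[0])


def route_description_decode_first(path: str):
    """Backend that decodes the whole path before splitting (what Mark says
    Tomcat currently does with %2F): the encoded slashes turn into path
    separators and the route no longer matches."""
    return route_description(unquote(path))


def forwarded_unchanged(received: str, forwarded: str) -> bool:
    """The check Mark asks for: the proxy passed the URI exactly as it got it."""
    return received == forwarded


if __name__ == "__main__":
    for proxy in (proxy_passthrough, proxy_that_decodes):
        fwd = proxy(REQUEST_TARGET)
        print(f"{proxy.__name__}: unchanged={forwarded_unchanged(REQUEST_TARGET, fwd)} "
              f"route -> {route_description(fwd)!r}")
```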