List: tomcat-user
Subject: Re: What is it ? useURIValidationHack
From: "Bill Barker" <wbarker () wilshire ! com>
Date: 2003-05-31 3:54:38
That's pretty much it. TC 4.0.x didn't handle some traversal attacks well
without this set. TC 4.1.x should handle it fine without it being set. The
especially paranoid can set it anyway, and have one more choke-point for
traversal attacks. I'm including the source for 'validate' so you can see
what it checks for:
    protected static String validate(String path) {
        if (path == null)
            return null;

        // Create a place for the normalized path
        String normalized = path;

        // Normalize "/%7E" and "/%7e" at the beginning to "/~"
        if (normalized.startsWith("/%7E") ||
            normalized.startsWith("/%7e"))
            normalized = "/~" + normalized.substring(4);

        // Prevent encoding '%', '/', '.' and '\', which are special
        // reserved characters
        if ((normalized.indexOf("%25") >= 0)
            || (normalized.indexOf("%2F") >= 0)
            || (normalized.indexOf("%2E") >= 0)
            || (normalized.indexOf("%5C") >= 0)
            || (normalized.indexOf("%2f") >= 0)
            || (normalized.indexOf("%2e") >= 0)
            || (normalized.indexOf("%5c") >= 0)) {
            return null;
        }

        if (normalized.equals("/."))
            return "/";

        // Normalize the slashes and add leading slash if necessary
        if (normalized.indexOf('\\') >= 0)
            normalized = normalized.replace('\\', '/');
        if (!normalized.startsWith("/"))
            normalized = "/" + normalized;

        // Resolve occurrences of "//" in the normalized path
        while (true) {
            int index = normalized.indexOf("//");
            if (index < 0)
                break;
            normalized = normalized.substring(0, index) +
                normalized.substring(index + 1);
        }

        // Resolve occurrences of "/./" in the normalized path
        while (true) {
            int index = normalized.indexOf("/./");
            if (index < 0)
                break;
            normalized = normalized.substring(0, index) +
                normalized.substring(index + 2);
        }

        // Resolve occurrences of "/../" in the normalized path
        while (true) {
            int index = normalized.indexOf("/../");
            if (index < 0)
                break;
            if (index == 0)
                return (null);  // Trying to go outside our context
            int index2 = normalized.lastIndexOf('/', index - 1);
            normalized = normalized.substring(0, index2) +
                normalized.substring(index + 3);
        }

        // Declare occurrences of "/..." (three or more dots) to be invalid
        // (on some Windows platforms this walks the directory tree!!!)
        if (normalized.indexOf("/...") >= 0)
            return (null);

        // Return the normalized path that we have completed
        return (normalized);
    }
"Jason Bainbridge" <jason@jblinux.org> wrote in message
news:200305310655.16715.jason@jblinux.org...
> On Sat, 31 May 2003 06:37, Michenaud Laurent wrote:
> > I can't find any documentation about the parameter useURIValidationHack.
>
>     // Additional URI normalization and validation is needed for security
>     // reasons on Tomcat 4.0.x
>     if (connector.getUseURIValidationHack()) {
>         String uri = validate(request.getRequestURI());
>         if (uri == null) {
>             res.setStatus(400);
>             res.setMessage("Invalid URI");
>             throw new IOException("Invalid URI");
>         } else {
>             req.requestURI().setString(uri);
>             // Redoing the URI decoding
>             req.decodedURI().duplicate(req.requestURI());
>             req.getURLDecoder().convert(req.decodedURI(), true);
>         }
>     }
>
> I'm guessing this is because of the ServletInvoker security exploit, either
> that or another one that was in earlier 4.0 versions, maybe one of the
> development types on the list will be able to shine more light on the
> subject.
>
> Regards,
> --
> Jason Bainbridge
> KDE Web Team - http://kde.org
> webmaster@kde.org
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
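As an added example (not part of Bill's message and not Tomcat's own code), here is a Python port of the validate() method quoted above, written from a reading of that Java source, with a handful of constructed request URIs run through it so you can see which inputs the check rejects (None, which the connector turns into a 400 "Invalid URI") and how the accepted ones are normalized. Equivalence to the Java is my own claim; the sample URIs are made up for illustration.

```python
# Added example: Python port of the Tomcat 4 validate() method shown in the
# message above. This is an independent reading of that Java code, not
# Tomcat's implementation, and the sample URIs below are constructed.
from typing import Optional

# Percent-encoded forms of '%', '/', '.' and '\' that the check refuses.
ENCODED_SPECIALS = ("%25", "%2F", "%2E", "%5C", "%2f", "%2e", "%5c")


def validate(path: Optional[str]) -> Optional[str]:
    """Return the normalized request URI, or None if it must be rejected
    (the connector answers None with HTTP 400 "Invalid URI")."""
    if path is None:
        return None
    normalized = path

    # "/%7E..." and "/%7e..." at the start become "/~..."
    if normalized.startswith(("/%7E", "/%7e")):
        normalized = "/~" + normalized[4:]

    # Encoded '%', '/', '.' or '\' must not appear: those characters may only
    # be present literally, so the substring checks below see them.
    if any(tok in normalized for tok in ENCODED_SPECIALS):
        return None

    if normalized == "/.":
        return "/"

    # Normalize slashes and make sure the path is absolute
    normalized = normalized.replace("\\", "/")
    if not normalized.startswith("/"):
        normalized = "/" + normalized

    # Collapse "//" runs
    while (index := normalized.find("//")) >= 0:
        normalized = normalized[:index] + normalized[index + 1:]

    # Drop "/./" segments
    while (index := normalized.find("/./")) >= 0:
        normalized = normalized[:index] + normalized[index + 2:]

    # Resolve "/../" against the preceding segment; a "/../" at offset 0
    # would climb above the context root and is rejected outright.
    while (index := normalized.find("/../")) >= 0:
        if index == 0:
            return None
        # Java's lastIndexOf('/', index - 1): last '/' at or before index - 1
        index2 = normalized.rfind("/", 0, index)
        normalized = normalized[:index2] + normalized[index + 3:]

    # Three or more dots in a segment are rejected (the Windows quirk noted
    # in the original comment)
    if "/..." in normalized:
        return None
    return normalized


# Constructed sample URIs (not taken from the message).
SAMPLE_URIS = [
    "/app/index.jsp",
    "/app//index.jsp",
    "/app/./index.jsp",
    "/app/sub/../index.jsp",
    "/../outside.html",
    "/app/%2e%2e/outside.html",
    "/app%5cindex.jsp",
    "/app/.../index.jsp",
    "/%7Euser/index.html",
    "app\\index.jsp",
]


def run_samples() -> dict:
    """Map each sample URI to validate()'s result ("REJECT" for None)."""
    results = {}
    for uri in SAMPLE_URIS:
        out = validate(uri)
        results[uri] = "REJECT" if out is None else out
    return results


if __name__ == "__main__":
    for uri, result in run_samples().items():
        print(f"{uri!r:32} -> {result}")
```

Running the module prints one line per sample; the rejected ones are exactly the encoded-special, leading "/../" and "/..." cases, while "//", "/./", a resolvable "/../", backslashes and the "/%7E" prefix are rewritten rather than refused.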