On 06/02/2019 14:05, George Stanchev wrote:
> In light of recent changes around allowing and subsequent relaxation of the
> invalid characters handling in TC, I just noticed that TC behind IIS (via JK
> connector/AJP) happily accepts ";<> etc while the HTTP connector rejects
> them. Is this how the AJP connector is supposed to work? Is the assumption
> that the fronting service should be the line of defence?
>

The expectation is that the web server follows the HTTP specification. I'd expect a web server to respond with a 400 to any invalid URI.

The defenses in the JK Connector are designed to protect against valid but malicious URIs. Generally, directory traversal attacks and similar attempts to bypass security constraints. As far as I recall, there aren't explicit checks for URI validity.

I'll note that ; is a valid character in a URI while "<> do indeed need to be escaped.

As an aside, this page may be useful for folks testing around this:
https://cwiki.apache.org/confluence/display/TOMCAT/Encoding+and+URIs

Mark
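The two layers Mark distinguishes, as an added Python example that is not code from the thread or from Tomcat/JK: a character-level check of the raw request-target (what a spec-following HTTP connector rejects with 400, treating `;` as legal and `"`, `<`, `>` as not) followed by a separate check for a syntactically valid but traversing path. It assumes an origin-form request-target (path plus optional query) and the RFC 3986 path/query character classes.

```python
from urllib.parse import unquote

# RFC 3986 unreserved and sub-delims; note ";" is a sub-delim, so it is legal raw.
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")
SUB_DELIMS = set("!$&'()*+,;=")
# Simplification: ":" "@" "/" "?" allowed anywhere in path or query; '"', "<", ">",
# space and control characters are never allowed raw and must be percent-encoded.
ALLOWED = UNRESERVED | SUB_DELIMS | set(":@/?")
HEXDIG = set("0123456789abcdefABCDEF")


def find_invalid_char(target: str):
    """Return (offset, char) of the first byte that may not appear raw in an
    origin-form request-target, or None if every character is allowed or is
    a well-formed %XX escape. This is the check behind a connector's 400."""
    i = 0
    while i < len(target):
        c = target[i]
        if c == "%":
            # A lone "%" or a "%" not followed by two hex digits is invalid.
            if i + 2 >= len(target) or target[i + 1] not in HEXDIG or target[i + 2] not in HEXDIG:
                return (i, c)
            i += 3
            continue
        if c not in ALLOWED:
            return (i, c)
        i += 1
    return None


def escapes_context(target: str) -> bool:
    """True if the decoded path climbs above its root via '..' segments: a
    valid URI that is nonetheless malicious, the case the JK defences target."""
    path = target.split("?", 1)[0]
    depth = 0
    for seg in unquote(path).split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def classify(target: str) -> str:
    """Verdict string for a request-target: invalid characters first, then traversal."""
    bad = find_invalid_char(target)
    if bad is not None:
        return f"400 invalid character {bad[1]!r} at offset {bad[0]}"
    if escapes_context(target):
        return "reject: traversal above context root (valid URI, malicious path)"
    return "OK"
```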