On 17/05/2021 22:01, Venkata Rajesh Kotha wrote:
Tomcat version - 9.0.24
OS - RHEL 8.3 , 64 bit
This is regarding Bug 62273
RFC 7230 and RFC 3986
Your suggestion is to add relaxedPathChars and relaxedQueryChars to
overcome invalid special characters (i.e, [ , ] , { etc) issue in URL.
Do we have any security breaches.. Will we see any vulnerability if we use
this options.
Please suggest.
You are running Tomcat 9.0.24 which, at the time of writing has 13
known, published security vulnerabilities.
http://tomcat.apache.org/security-9.html
Are you sure you aren't impacted by any of these?
The Tomcat team can offer no guarantees regarding the security
implications of using relaxedPathChars and/or relaxedQueryChars. From a
purely Tomcat perspective it should not present a problem but the
behaviour of clients, intermediate proxies and deployed applications are
all a factor and their behaviour is unknown.
All components should reject these URIs as invalid. That they don't
means that they are operating outside the RFCs and, therefore, the
behaviour is unspecified. We have no way of knowing how the combination
of components used in your system will react to such invalid URIs. It
will probably just work. It might fail because one, or more, components
rejects the URI. It is unlikely, but not impossible, that you will
introduce some sort of security vulnerability. If there is a security
issue, I'd guess at some sort of request/response mix-up or request
smuggling issue.
In summary, you are probably going to be OK but in your position I'd be
pushing hard for any component generating URIs that are not compliant
with RFC 7203 and RFC 3986 to be fixed.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
