Re: backslash URL encoding

[Lutischán Ferenc]

Dear Dan,

Thanks for your suggestion.
I tried it, but it didn't work for me (Tomcat started with parameter: 
-Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true).
In my tomcat log:
127.0.0.1 - - [09/May/2013:15:34:54 +0200] "GET 
/angol-magyar-szotar/w%5C HTTP/1.1" 400 -

Regards,
    Ferenc

> Dear Dan,
>
> Thank for your reply.
>
> 1. This site is a dictionary:
> - Windows users often enter a "\" in place of "/"
> - Rarely there are "\" in the phrases

I think what you're looking for is this...

org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true

https://tomcat.apache.org/tomcat-7.0-doc/config/systemprops.html#Security 
<https://tomcat.apache.org/tomcat-7.0-doc/config/systemprops.html#Security>

If you set it to true, it should allow '%2F' and '%5C' in your URL.

This has security implications though.  Please read the following link 
for CVE-2007-0450.

https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.10 
<https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.10>

Dan

On May 8, 2013, at 9:09 AM, Lutischán Ferenc wrote:

> Dear Dan,
>
> Thank for your reply.
>
> 1. This site is a dictionary:
> - Windows users often enter a "\" in place of "/"
> - Rarely there are "\" in the phrases

I think what you're looking for is this...

org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true

https://tomcat.apache.org/tomcat-7.0-doc/config/systemprops.html#Security 
<https://tomcat.apache.org/tomcat-7.0-doc/config/systemprops.html#Security>

If you set it to true, it should allow '%2F' and '%5C' in your URL.

This has security implications though.  Please read the following link 
for CVE-2007-0450.

https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.10 
<https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.10>

Dan

On May 8, 2013, at 8:46 AM, Lutischán Ferenc wrote:
Dear Users,

Tomcat 7.0.39.

I have problem with the following url in firefox 20:
http://dictzone.com/english-german-dictionary/a\  (it resulted in 
thehttp://dictzone.com/english-german-dictionary/a%5C  request).
Why do you have a "\" on the end of the URL?  Is that intentional?  Does it 
work if you remove it?

It results is an emtpy page.
What is the HTTP Status code being returned with the request?  4xx?  5xx?


This request don't arrive my servelt / filter codes.
Please include your servlet mapping from web.xml.


Dan


How to fix it?

Regards,
     Ferenc

---------------------------------------------------------------------
To unsubscribe, e-mail:users-unsubscr...@tomcat.apache.org
For additional commands, e-mail:users-h...@tomcat.apache.org

---------------------------------------------------------------------
To unsubscribe, e-mail:users-unsubscr...@tomcat.apache.org
For additional commands, e-mail:users-h...@tomcat.apache.org