
Apache Tomcat (at least before Tomcat 6, see footnote) treats a percent-encoded slash (%2F) in a URI path just like a regular slash (i.e. as a path delimiter).

So e.g. the servlets example page of Tomcat can be accessed at

  • http://localhost:8080/examples/servlets/ and at
  • http://localhost:8080/examples%2Fservlets/

This does not make sense to me. The whole point of percent-encoding a reserved character like "/" is to avoid it being treated as a reserved character (in this case a path delimiter). In addition to this, this behaviour is (one) cause of the vulnerability CVE-2007-0450. However, I assume there must have been a reason for this.

  • Is there any technical reason why Tomcat treats (ok, used to treat) %2F as a path delimiter?

  • Is there some situation where this behaviour is helpful?


Footnote: I realize that due to CVE-2007-0450 Tomcat's default behaviour was changed to reject percent-encoded slashes in the path. However, if this check is disabled (ALLOW_ENCODED_SLASH), the old behavior remains.


1 Answer


This relates to Tomcat running behind an httpd reverse proxy. In some configurations the URI is partially encoded, so %2F handling was needed to undo that encoding.

It caused a number of security issues, which were fixed at the same time as the CVE-2007-0450 fix. For background, look at the ForwardURIxxx options in the mod_jk documentation: http://tomcat.apache.org/connectors-doc/reference/apache.html This covers some of the cases where you might still need this feature (but because of the potential security issues I would avoid it wherever possible).

The default behaviour now is that httpd passes the URI to Tomcat unchanged, and Tomcat processes the encoded characters exactly as they are.

answered 2013-10-25T08:11:14.480
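To make the three policies discussed on this page concrete, here is an added example (not Tomcat's code) that applies each of them to the two URIs from the question: the legacy decode-then-split behaviour in which %2F acts as a delimiter, segment-wise decoding in which %2F stays a literal character inside one segment, and the current default that rejects an encoded slash outright.

```python
from urllib.parse import unquote

# Constructed sample paths, taken from the question.
PLAIN = "/examples/servlets/"
ENCODED = "/examples%2Fservlets/"


def legacy_segments(path: str) -> list[str]:
    """Pre-CVE-2007-0450 Tomcat behaviour: percent-decode the whole path
    first, then split on '/'. A %2F therefore becomes a path delimiter."""
    return [seg for seg in unquote(path).split("/") if seg]


def segment_wise(path: str) -> list[str]:
    """RFC 3986-style handling: split on literal '/' first, then decode each
    segment. A %2F stays inside its segment as a literal '/' character, so it
    can never create or remove a path boundary."""
    return [unquote(seg) for seg in path.split("/") if seg]


def reject_encoded_slash(path: str) -> list[str]:
    """Current Tomcat default (ALLOW_ENCODED_SLASH not enabled): refuse the
    request if the raw path contains an encoded slash, before any decoding.
    The check is case-insensitive because %2f and %2F are equivalent."""
    if "%2f" in path.lower():
        raise ValueError("encoded slash in request path rejected")
    return segment_wise(path)


def is_rejected(path: str) -> bool:
    """True if the current-default policy would refuse this raw path."""
    try:
        reject_encoded_slash(path)
    except ValueError:
        return True
    return False


def same_resource(a: str, b: str, policy) -> bool:
    """True if two raw paths resolve to the same segment list under a policy."""
    return policy(a) == policy(b)


if __name__ == "__main__":
    for name, policy in [("legacy", legacy_segments), ("segment-wise", segment_wise)]:
        print(name, policy(ENCODED), "same as plain:", same_resource(PLAIN, ENCODED, policy))
    print("rejected by current default:", is_rejected(ENCODED))
```

Under the legacy policy the two URIs are indistinguishable, which is exactly the behaviour the question observes; under segment-wise decoding the encoded form names a single segment `examples/servlets` and does not reach the same webapp.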