StrictHttpFirewall containsOnlyPrintableAsciiCharacters blocks safe characters #5190

Closed
jd3nn1s opened this issue Mar 31, 2018 · 2 comments
jd3nn1s commented Mar 31, 2018

Summary

An encoded space in a URL is treated as a non-printable ASCII character and is therefore rejected by StrictHttpFirewall, with no obvious way to allow it without switching to HttpFirewall.

Actual Behavior

Request:
http://testhost.test/v1/config/IDE%20Settings/key/Color

Exception:
The requestURI was rejected because it can only contain printable ASCII characters

containsOnlyPrintableAsciiCharacters() rejects space even though it is a printable character. I do not know if space is an attack vector for bypassing security rules but it seems unlikely. Certainly space is considered a printable ASCII character.

Expected Behavior

Request is accepted.

Configuration

Version

4.2.4

Author

jd3nn1s commented Apr 16, 2018

Would a patch be accepted to add space to the list of accepted printable ASCII characters?

Member

rwinch commented Apr 16, 2018

@jd3nn1s Thanks for the report!

I'm curious how you are coming across the error. The javadoc on HttpServletRequest.getRequestURI() states:

Returns the part of this request's URL from the protocol name up to the query string in the first line of the HTTP request. The web container does not decode this String.

This means that the value should be /v1/config/IDE%20Settings/key/Color which does not contain a space.

rwinch self-assigned this Apr 16, 2018
rwinch added the labels status: waiting-for-feedback (We need additional information before we can continue), in: web (An issue in web modules (web, webmvc)), type: bug (A general bug) Apr 16, 2018
rwinch added this to the 5.0.5 milestone Apr 16, 2018
rwinch changed the title from "Space treated as non-printable ASCII character" to "StrictHttpFirewall containsOnlyPrintableAsciiCharacters blocks safe characters" Apr 16, 2018
rwinch added a commit that referenced this issue Apr 16, 2018
rwinch closed this as completed in afdefe7 Apr 16, 2018
rwinch added a commit that referenced this issue Apr 16, 2018
rwinch removed the status: waiting-for-feedback (We need additional information before we can continue) label Apr 16, 2018
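
An added example, not code from this thread or from Spring Security: a standalone range check run over the undecoded and percent-decoded forms of the reported path, showing where a literal space can reach such a check. The class and method names, the lower bounds 0x21 and 0x20, and the second sample path are assumptions chosen to reproduce the behaviour described in the report.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

public class PrintableAsciiCheck {

    // Hypothetical helper: true when every character of value lies
    // between lowest and 0x7E ('~') inclusive.
    static boolean onlyInRange(String value, int lowest) {
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c < lowest || c > 0x7e) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        String[] rawPaths = {
            // Path from the report: still percent-encoded, so no literal space.
            "/v1/config/IDE%20Settings/key/Color",
            // Constructed sample: an encoded line feed, a control character
            // that should fail under either lower bound once decoded.
            "/v1/config/IDE%0ASettings/key/Color"
        };
        for (String raw : rawPaths) {
            // Requires Java 10+. URLDecoder also maps '+' to a space;
            // neither sample contains '+'.
            String decoded = URLDecoder.decode(raw, StandardCharsets.UTF_8);
            System.out.printf("raw=%s%n", raw);
            // Assumed strict bound 0x21 excludes space; 0x20 includes it.
            System.out.printf("  undecoded  from 0x21: %b  from 0x20: %b%n",
                    onlyInRange(raw, 0x21), onlyInRange(raw, 0x20));
            System.out.printf("  decoded    from 0x21: %b  from 0x20: %b%n",
                    onlyInRange(decoded, 0x21), onlyInRange(decoded, 0x20));
        }
    }
}
```

The undecoded form passes under both bounds because `%20` is three printable characters; only a decoded value can carry the literal space, and the decoded line feed stays rejected when the lower bound is relaxed to 0x20.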