subject:"\[PR\] Decode and normalize URIs before processing them \[tomcat\]"

Re: [PR] Decode and normalize URIs before processing them [tomcat]

2024-02-07 Thread via GitHub

Woellchen commented on PR #687: URL: https://github.com/apache/tomcat/pull/687#issuecomment-1932961663 Alright, I guess I got this wrong then, thanks for your detailed explanations. In case others are wondering about the same issue I found two bugs for reference on prominent software pro

Re: [PR] Decode and normalize URIs before processing them [tomcat]

2024-02-07 Thread via GitHub

markt-asf commented on PR #687: URL: https://github.com/apache/tomcat/pull/687#issuecomment-1932891346 Nope, `%2F` is NOT equivalent to `/` in a URI as explained in section 2.2 of RFC 3986. -- This is an automated message from the Apache Git Service. To respond to the message, please log

Re: [PR] Decode and normalize URIs before processing them [tomcat]

2024-02-07 Thread via GitHub

Woellchen commented on PR #687: URL: https://github.com/apache/tomcat/pull/687#issuecomment-1932841669 Thanks for checking back! The section you are referring to does not really negate my statement however. If I get you right you are talking about this specific thing? > These URIs sh

Re: [PR] Decode and normalize URIs before processing them [tomcat]

2024-02-07 Thread via GitHub

markt-asf commented on PR #687: URL: https://github.com/apache/tomcat/pull/687#issuecomment-1932635647 Nope. Read the RFC again. Specifically 6.2.2.2. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go

Re: [PR] Decode and normalize URIs before processing them [tomcat]

2024-02-07 Thread via GitHub

Woellchen commented on PR #687: URL: https://github.com/apache/tomcat/pull/687#issuecomment-1932522774 Could you please elaborate how a URI is not user input and how it can be prevented that a user calls a URI on a web application? I can't follow you. Relative paths are explicitly allowed

Re: [PR] Decode and normalize URIs before processing them [tomcat]

2024-02-07 Thread via GitHub

rmaucher commented on PR #687: URL: https://github.com/apache/tomcat/pull/687#issuecomment-1932491567 URL processing and mapping has to follow a lot of rules from specifications to avoid inconsistencies which would be security issues. So this is one of them. Indeed creative encoding can c

Re: [PR] Decode and normalize URIs before processing them [tomcat]

2024-02-07 Thread via GitHub

rmaucher closed pull request #687: Decode and normalize URIs before processing them URL: https://github.com/apache/tomcat/pull/687 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific commen

[PR] Decode and normalize URIs before processing them [tomcat]

2024-02-07 Thread via GitHub

Woellchen opened a new pull request, #687: URL: https://github.com/apache/tomcat/pull/687 URIs must be at least decoded in order to process sub-delims as defined in RFC 3986, because slashes and their encoded counterparts are equivalent when processing paths. Normalization before the proces

Re: [PR] Decode and normalize URIs before processing them [tomcat]

Re: [PR] Decode and normalize URIs before processing them [tomcat]

Re: [PR] Decode and normalize URIs before processing them [tomcat]

Re: [PR] Decode and normalize URIs before processing them [tomcat]

Re: [PR] Decode and normalize URIs before processing them [tomcat]

Re: [PR] Decode and normalize URIs before processing them [tomcat]

Re: [PR] Decode and normalize URIs before processing them [tomcat]

[PR] Decode and normalize URIs before processing them [tomcat]

8 matches

Site Navigation

Mail list logo

Footer information