Ambiguous URI legacy compliance mode #6001
Comments
What if someone wants to allow …? How about an individual configuration for each? That way people can tweak them accordingly, without the need for complex modes?
…-ambiguous-uris Fix #6001 separate compliance modes for ambiguous URI segments, params and separators
FTR, reference: npm/npm#11738
For jetty-9.4.38 we are reverting to the previous behaviour. Specifically: …

This behaviour can be configured with …. For jetty-10 and beyond, the default is changed to disallow all three. It is now configurable in a new ….
* Fix #4275 separate compliance modes for ambiguous URI segments and separators
  The default modes allow both ambiguous separators and segments, but still forbid ambiguous parameters.
  Co-authored-by: Joakim Erdfelt <[email protected]>
* Netty update SEAB-2606 2607 2608 2625 2631 etc * SEAB-2602 2614 2655 etc * Address CVE * dealing with jetty/jetty.project#6001
Jetty version
9.4.37

Description
Prior to 9.4.37, URIs with segments of `%2e%2e` were treated as 400 bad requests. However, URIs with `%2f` characters were not. In 9.4.37 both `%2e%2e` and `%2f` are treated as ambiguous and thus as 400 bad requests, unless a compliance mode is set which allows them both. Thus there is now no compliance mode that preserves the previous behaviour of allowing `%2f` but forbidding a segment of `%2e%2e`.

We need 3 modes:
- `%2f` but not a segment of `%2e%2e`
- `%2f` and a segment of `%2e%2e` are not allowed.
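The three modes the issue asks for, together with the separate treatment of segments, separators and parameters described in the linked commit message, as an added example in Python. This is not Jetty code and uses none of Jetty's API: the `Violation` classes and the `MODE_LEGACY` / `MODE_PERMISSIVE` / `MODE_STRICT` names are hypothetical, the "ambiguous parameter" rule (a `;` path parameter attached to a dot segment such as `..;x=1`) is an assumption because the page does not define it, and the sample paths are constructed. `naive_decoded_path` shows why a separator or dot-dot that only appears after percent-decoding is the problem: a check done on the raw path and a handler that decodes and normalises disagree about which resource is addressed.

```python
# Added example (not Jetty code): classify raw request paths into the ambiguity
# classes discussed in jetty/jetty.project#6001 and apply the three modes the
# issue asks for. Class and mode names are hypothetical, not Jetty's.
import re
from enum import Flag, auto


class Violation(Flag):
    NONE = 0
    AMBIGUOUS_SEGMENT = auto()    # segment only becomes "." or ".." after %-decoding
    AMBIGUOUS_SEPARATOR = auto()  # %2F / %2f: a "/" hidden inside a segment
    AMBIGUOUS_PARAMETER = auto()  # ";param" attached to a dot segment, e.g. "..;x"
                                  # (assumed definition; the page does not give one)


# The three modes from the issue, as the set of violations each one tolerates.
# Ambiguous parameters stay forbidden in every mode, as in the commit message.
MODE_LEGACY = Violation.AMBIGUOUS_SEPARATOR                                    # %2f ok, %2e%2e rejected
MODE_PERMISSIVE = Violation.AMBIGUOUS_SEPARATOR | Violation.AMBIGUOUS_SEGMENT  # both ok
MODE_STRICT = Violation.NONE                                                   # both rejected

_PCT = re.compile(r"%([0-9A-Fa-f]{2})")


def _pct_decode(s: str) -> str:
    """Percent-decode one path segment (ASCII is enough for this demo)."""
    return _PCT.sub(lambda m: chr(int(m.group(1), 16)), s)


def find_violations(raw_path: str) -> Violation:
    """Inspect the still-encoded path of a request-target, segment by segment."""
    found = Violation.NONE
    for raw_seg in raw_path.split("/"):
        head, semicolon, _params = raw_seg.partition(";")
        if re.search(r"%2[fF]", raw_seg):
            found |= Violation.AMBIGUOUS_SEPARATOR
        if _pct_decode(head) in (".", ".."):
            if "%" in head:          # a literal "." / ".." is plain normalisation, not ambiguity
                found |= Violation.AMBIGUOUS_SEGMENT
            if semicolon:            # "..;x=1": dot segment carrying a path parameter
                found |= Violation.AMBIGUOUS_PARAMETER
    return found


def status_for(raw_path: str, allowed: Violation) -> int:
    """400 if the path carries a violation the mode does not tolerate, else 200."""
    return 400 if (find_violations(raw_path) & ~allowed) else 200


def naive_decoded_path(raw_path: str) -> str:
    """What a decode-then-normalise consumer (servlet, filter, file system) sees.

    "/app/%2e%2e/admin" comes out as "/admin" and "/app/b%2fc" as "/app/b/c",
    which is why these encodings are rejected unless a mode explicitly allows them.
    """
    out = []
    for seg in _pct_decode(raw_path).split("/"):
        head = seg.partition(";")[0]
        if head == "..":
            if out:
                out.pop()
        elif head not in ("", "."):
            out.append(head)
    return "/" + "/".join(out)


if __name__ == "__main__":
    # Constructed request paths, not captured traffic.
    for p in ("/app/b%2fc", "/app/%2e%2e/admin", "/app/..;x=1/admin", "/app/b/c"):
        print(f"{p:22} -> {naive_decoded_path(p):12} "
              f"legacy={status_for(p, MODE_LEGACY)} "
              f"permissive={status_for(p, MODE_PERMISSIVE)} "
              f"strict={status_for(p, MODE_STRICT)}")
```

The classifier looks at the raw path before any decoding, which is the only place the ambiguity is still visible; once a segment has been decoded, `%2e%2e` and a literal `..` are indistinguishable.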