
Improve #4275 ambiguous URIs #6939

Merged 3 commits, Oct 11, 2021

Conversation

gregw (Contributor) commented Sep 28, 2021

#4275
A URI like `/foo/%2e%2e;/bar` should be ambiguous both because of the encoded dots and because of the parameters. This means that the default setting of jetty-9 is a bit more secure as this path is considered ambiguous if either Violation.SEGMENT or Violation.PARAM is set.

Signed-off-by: Greg Wilkins <gregw@webtide.com>

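To make the ambiguity in the PR description concrete, here is an added, standalone Python example; it is not Jetty's `HttpURI` code and is not part of this PR. It mirrors the rule the PR states (an encoded dot-segment sets SEGMENT, a dot-segment that only appears once its `;param` is stripped sets PARAM, and `%2e%2e;` sets both), and it also shows the failure mode that makes such paths worth rejecting: a layer that decodes, drops path parameters and resolves dot-segments sees `/foo/%2e%2e;/bar` as `/bar`, while a layer that matches on the raw path does not. The `Violation` flag names are taken from the PR text; the `allowed` parameter, which stands in for a compliance mode, and the helper names are assumptions made for this example. The general rule (any path whose raw and canonical forms disagree on a dot-segment is flagged, not only the one path in the PR) goes beyond the single case quoted above.

```python
"""Added example, not Jetty code: classify raw request paths for the two
ambiguities discussed in jetty PR #6939 and show why they matter."""
import enum
from urllib.parse import unquote


class Violation(enum.Flag):
    """Names follow the PR text; the values are an assumption of this example."""
    NONE = 0
    SEGMENT = enum.auto()  # "." or ".." hidden behind percent-encoding (%2e)
    PARAM = enum.auto()    # a ";param" suffix on a segment that is "." or ".."


DOT_SEGMENTS = {".", ".."}


def classify(raw_path):
    """Return the ambiguities found in raw_path, which is inspected undecoded.

    A plain "/foo/../bar" is a normal dot-segment and is NOT flagged: it is
    resolved identically by every layer.  Ambiguity arises only when a
    decoding or parameter-stripping step is needed to reveal the dot-segment.
    """
    found = Violation.NONE
    for seg in raw_path.split("/"):
        base, semicolon, _param = seg.partition(";")
        if unquote(base) not in DOT_SEGMENTS:
            continue  # ordinary segment (including "bar;jsessionid=...")
        if base != unquote(base):
            found |= Violation.SEGMENT  # "%2e" / "%2e%2e", any case
        if semicolon:
            found |= Violation.PARAM    # "..;" or "%2e%2e;"
    return found


def is_ambiguous(raw_path, allowed=Violation.NONE):
    """True if the path carries any violation the caller has not allowed.

    `allowed` stands in for a compliance mode (assumption of this example).
    With allowed=SEGMENT alone, "/foo/%2e%2e;/bar" is still rejected because
    PARAM is set as well, which is the point of the PR.
    """
    found = classify(raw_path)
    return (found & allowed) != found


def naive_canonicalize(raw_path):
    """What a layer that decodes, strips ";params" and resolves dot-segments sees.

    Constructed here to show the disagreement between layers; a security
    constraint matched on the raw path would never see this form.
    """
    out = []
    for seg in raw_path.split("/"):
        seg = unquote(seg.partition(";")[0])
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


if __name__ == "__main__":
    # Constructed sample request targets, not captured traffic.
    for path in ("/foo/%2e%2e;/bar", "/foo/..;/bar", "/foo/%2e%2e/bar",
                 "/foo/../bar", "/foo/bar;jsessionid=abc"):
        print(f"{path:26} {classify(path)!s:34} -> {naive_canonicalize(path)}")
```

Running the block prints one line per constructed path with its violations and the collapsed form; only `/foo/%2e%2e;/bar` carries both flags, and it canonicalizes to `/bar`, which is why allowing SEGMENT alone must not make it acceptable.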
lachlan-roberts (Contributor) commented:

@gregw there are test failures.

gregw (Contributor, Author) commented Sep 30, 2021

@lachlan-roberts can you re-review... I've been a little evil and snuck in a few extra fixes replacing `==` with `equals`.

gregw merged commit 3f82d69 into jetty-9.4.x on Oct 11, 2021
gregw deleted the jetty-9.4.x-4275-ambiguousparam branch on October 11, 2021 at 04:02
lachlan-roberts added a commit that referenced this pull request Oct 12, 2021: "Improve #4275 ambiguous URIs" (same commit message as the PR description above; Signed-off-by: Lachlan Roberts <lachlan@webtide.com>)
lachlan-roberts added a commit that referenced this pull request Oct 21, 2021
3 participants