
bug #9218

Change /registrationDTO/identifier/... signatures to use query parameters instead

Added by Andreas Kohlbecker 11 days ago. Updated 11 days ago.

Status: Resolved
Priority: Highest
Category: cdmlib-remote
Target version:
Start date: 09/07/2020
Due date:
% Done: 50%
Severity: normal
Found in Version:

Description

Using slashes, double slashes or back slashes in URLs has security implications (see CVE-2007-0450). More recent spring-security releases (e.g. >4.2.18.RELEASE) therefore reject URLs like these:

http://cdmserver.org/registrationDTO/identifier/http://testbank.org/100001
http://cdmserver.org/registrationDTO/identifier/http%3A%2F%2Ftestbank.org%2F100001

The Apache configuration also needs a special security configuration to allow encoded slashes (see also #7563):

#
# NOTE: AllowEncodedSlashes is off per default to prevent possible security vulnerabilities.
#       To allow the cdmserver resolving http identifiers via HTTP GET requests it is required to
#       allow encoded slashes. See https://dev.e-taxonomy.eu/redmine/issues/7563
#
AllowEncodedSlashes On

We should completely abstain from using slashes or double slashes in the requests to the RegistrationDTOController by introducing corresponding query parameters instead.
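The following script is an added illustration of the point made above; it is not code from cdmlib-remote, Spring Security or the Apache configuration. It builds the legacy path-style URLs (plain and percent-encoded, as in the two examples given) and the new query-parameter form, runs a path check loosely modelled on what a strict request firewall with encoded-slash rejection enforces (the rejected fragment list is an assumption, not copied from Spring Security), and shows that the query-parameter form both passes the check and round-trips the identifier intact. The base URL, the identifier and all function names are hypothetical.

```python
# Added example: why an identifier containing slashes must travel as a query
# parameter rather than as a path segment. Not project code.
from typing import Optional
from urllib.parse import urlencode, urlsplit, parse_qs, quote

# Hypothetical base URL and identifier, constructed for this example.
BASE = "http://cdmserver.org/registrationDTO"
IDENTIFIER = "http://testbank.org/100001"

# Path fragments that strict request firewalls (e.g. Spring Security's
# StrictHttpFirewall) or AllowEncodedSlashes Off typically reject. This list is
# an assumption modelled on their documented defaults, not copied from either.
REJECTED_PATH_FRAGMENTS = ("//", "\\", "%2f", "%5c", "%25", "%00", ";", "%3b")


def build_identifier_url_legacy(base: str, identifier: str, encode: bool = False) -> str:
    """Legacy style: the identifier becomes part of the path.
    With encode=True the identifier is percent-encoded (producing %2F), which is
    exactly the form that needs AllowEncodedSlashes On in Apache."""
    part = quote(identifier, safe="") if encode else identifier
    return f"{base}/identifier/{part}"


def build_identifier_url(base: str, identifier: str) -> str:
    """Fixed style: the identifier is sent as a query parameter.
    urlencode percent-encodes every reserved character, so the *path* stays
    free of slashes, encoded slashes and other rejected sequences."""
    return base + "?" + urlencode({"identifier": identifier})


def path_is_acceptable(url: str) -> bool:
    """Return False if the path part contains a fragment a strict firewall rejects.
    Only the path is inspected: query strings are not subject to these rules,
    which is precisely why moving the identifier there avoids the problem."""
    path = urlsplit(url).path.lower()
    return not any(frag in path for frag in REJECTED_PATH_FRAGMENTS)


def extract_identifier(url: str) -> Optional[str]:
    """Server side: recover the identifier from the query string.
    parse_qs decodes %3A, %2F and friends, so the original value comes back
    unchanged without any special-casing of slashes."""
    values = parse_qs(urlsplit(url).query).get("identifier")
    return values[0] if values else None


if __name__ == "__main__":
    candidates = (
        build_identifier_url_legacy(BASE, IDENTIFIER),               # raw slashes in path
        build_identifier_url_legacy(BASE, IDENTIFIER, encode=True),  # %2F in path
        build_identifier_url(BASE, IDENTIFIER),                      # query parameter
    )
    for url in candidates:
        verdict = "ok      " if path_is_acceptable(url) else "REJECTED"
        print(f"{verdict} {url}")
    print("recovered:", extract_identifier(build_identifier_url(BASE, IDENTIFIER)))
```

The check deliberately looks only at the path: that is the part a firewall normalises and matches against authorisation rules, and the part Apache refuses to pass through when it contains `%2F` and `AllowEncodedSlashes` is off. Once the identifier lives in the query string, `AllowEncodedSlashes On` is no longer needed and the related Apache special case can be dropped.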


Related issues

Related to bug #7563: requests with %2F in URL are rejected by apache (Closed, 07/19/2018)
Related to bug #9220: adapt dataportal to /registrationDTO now using identifier as query parameter and secure against CVE-2007-0450 vulnerability (Resolved, 09/07/2020)

Associated revisions

Revision ab4c6c12 (diff)
Added by Andreas Kohlbecker 11 days ago

fix #9218 RegistrationController and RegistrationDTOController conform to CVE-2007-0450

History

#1 Updated by Andreas Kohlbecker 11 days ago

  • Related to bug #7563: requests with %2F in URL are rejected by apache added

#2 Updated by Andreas Kohlbecker 11 days ago

  • Related to task #9219: Revert: requests with %2F in URL are rejected by apache added

#3 Updated by Andreas Kohlbecker 11 days ago

  • Related to bug #9220: adapt dataportal to /registrationDTO now using identifier as query parameter and secure against CVE-2007-0450 vulnerability added

#4 Updated by Andreas Kohlbecker 11 days ago

  • Status changed from New to Resolved
  • % Done changed from 0 to 50

#5 Updated by Andreas Kohlbecker 11 days ago

  • Related to deleted (task #9219: Revert: requests with %2F in URL are rejected by apache )
