bug #9218

closed

Change /registrationDTO/identifier/... signatures to use query parameters instead

Added by Andreas Kohlbecker over 3 years ago. Updated over 3 years ago.

Status: Closed
Priority: Highest
Category: cdmlib-remote
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Severity: normal
Found in Version:

Description

Using slashes, double slashes, or backslashes in URLs has security implications (see CVE-2007-0450). More recent spring-security releases (e.g. >4.2.18.RELEASE) therefore reject URLs like these:

http://cdmserver.org/registrationDTO/identifier/http://testbank.org/100001
http://cdmserver.org/registrationDTO/identifier/http%3A%2F%2Ftestbank.org%2F100001

The Apache configuration also needs a special security configuration to allow encoded slashes (see also #7563):

#
# NOTE: AllowEncodedSlashes is off per default to prevent possible security vulnerabilities.
#       To allow the cdmserver resolving http identifiers via HTTP GET requests it is required to
#       allow encoded slashes. See https://dev.e-taxonomy.eu/redmine/issues/7563
#
AllowEncodedSlashes On

We should completely abstain from using slashes or double slashes in the requests to the RegistrationDTOController by introducing corresponding query parameters instead.
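As an added illustration (not code from cdmlib or Spring Security), the following Python models the path checks a strict request firewall applies: both URL forms quoted above are rejected because the path carries a slash-encoded identifier, while the query-parameter form of the same lookup passes, since the path stays clean and the identifier round-trips through the query string. The forbidden-token list is an abridged assumption, and the path /registrationDTO/identifier and the parameter name identifier are assumed for the reworked controller.

```python
from urllib.parse import urlsplit, parse_qs, quote, unquote

# Abridged, assumed list of sequences a strict HTTP firewall refuses in a
# request path: double slash, backslash, and their encoded forms, encoded
# period, encoded percent (double encoding) and path-parameter semicolons.
FORBIDDEN_IN_PATH = ("//", "\\", "%2f", "%2F", "%5c", "%5C",
                     "%2e", "%2E", "%25", ";", "%3b", "%3B")

LOOKUP_PATH = "/registrationDTO/identifier"   # assumed controller path
PARAM = "identifier"                           # assumed query parameter name


def path_is_allowed(path: str) -> bool:
    """Return False if the raw or once-decoded path contains a forbidden token."""
    for candidate in (path, unquote(path)):
        if any(token in candidate for token in FORBIDDEN_IN_PATH):
            return False
    return True


def build_lookup_url(base: str, identifier: str) -> str:
    """Build the query-parameter form: the identifier never touches the path."""
    return f"{base}{LOOKUP_PATH}?{PARAM}={quote(identifier, safe='')}"


def identifier_from_request(url: str):
    """Model the server side: firewall check first, then parameter extraction.

    Returns the decoded identifier, or None when the request is rejected or
    does not address the lookup endpoint.
    """
    parts = urlsplit(url)
    if not path_is_allowed(parts.path):
        return None            # rejected before any controller runs
    if parts.path != LOOKUP_PATH:
        return None
    return parse_qs(parts.query).get(PARAM, [None])[0]


if __name__ == "__main__":
    # Constructed sample identifier matching the one in the report.
    url = build_lookup_url("http://cdmserver.org", "http://testbank.org/100001")
    print(url)
    print(identifier_from_request(url))
```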


Related issues

Related to EDIT - bug #7563: requests with %2F in URL are rejected by apache (Closed, Andreas Kohlbecker)
Related to EDIT - bug #9220: adapt dataportal to /registrationDTO now using identifier as query parameter and secure against CVE-2007-0450 vulnerability (Closed, Andreas Kohlbecker)
Related to EDIT - task #9275: Cleanup apache configuration from "AllowEncodedSlashes On" (New, Andreas Kohlbecker)
#1

Updated by Andreas Kohlbecker over 3 years ago

  • Related to bug #7563: requests with %2F in URL are rejected by apache added
#2

Updated by Andreas Kohlbecker over 3 years ago

  • Related to task #9219: Revert: requests with %2F in URL are rejected by apache added
#3

Updated by Andreas Kohlbecker over 3 years ago

  • Related to bug #9220: adapt dataportal to /registrationDTO now using identifier as query parameter and secure against CVE-2007-0450 vulnerability added
#4

Updated by Andreas Kohlbecker over 3 years ago

  • Status changed from New to Resolved
  • % Done changed from 0 to 50
#5

Updated by Andreas Kohlbecker over 3 years ago

  • Related to deleted (task #9219: Revert: requests with %2F in URL are rejected by apache )
#6

Updated by Andreas Kohlbecker over 3 years ago

  • Related to task #9275: Cleanup apache configuration from "AllowEncodedSlashes On" added
#7

Updated by Andreas Kohlbecker over 3 years ago

  • Status changed from Resolved to Closed
  • % Done changed from 50 to 100

can be closed now that remaining tasks are copied to #9275
