task #9219

open

Revert: requests with %2F in URL are rejected by apache

Added by Andreas Kohlbecker over 3 years ago. Updated almost 3 years ago.

Status: New
Priority: Highest
Category: server-maintenance
Target version:
Start date:
Due date:
% Done: 0%
Estimated time:
Severity: major

Description

Remove the AllowEncodedSlashes On made for #7563 from the Apache configurations:

  #
  # NOTE: AllowEncodedSlashes is off per default to prevent possible security vulnerabilities.
  #       To allow the cdmserver resolving http identifiers via HTTP GET requests it is required to 
  #       allow encoded slashes. See https://dev.e-taxonomy.eu/redmine/issues/7563  
  #
  AllowEncodedSlashes On

The edit servers and documentation need to be adapted:

  1. edit-test: /etc/apache2/sites-available/default -
  2. edit-community: /etc/apache2/sites-available/siteconf -
  3. edit-jobber: -
  4. edit-integration: -
  5. edit-demo1: -
  6. edit-demo2: -
  7. add to cdmserver installation documentation https://cybertaxonomy.eu/cdmserver/installation -
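
One way to verify the revert on each of the servers listed above, as an added example that is not part of the original issue or the project's tooling: a shell function that reports every active AllowEncodedSlashes directive whose value is not Off. The function names and sample files are constructed for illustration; NoDecode is flagged too, on the assumption that the task wants the directive removed entirely.

```shell
#!/bin/sh
# Added example (not from the issue): list active AllowEncodedSlashes
# directives that are not "Off" in an Apache configuration tree.

# find_encoded_slashes DIR -> prints "file:line:value" per finding.
# Directive names and values are matched case-insensitively, as Apache does.
find_encoded_slashes() {
    find "$1" -type f -exec awk '
        {
            line = $0
            sub(/^[ \t]+/, "", line)       # strip leading whitespace
            sub(/[ \t\r]+$/, "", line)     # strip trailing whitespace and CR
            if (line ~ /^#/) next          # commented-out lines are inactive
            split(line, f, /[ \t]+/)
            if (tolower(f[1]) == "allowencodedslashes" && tolower(f[2]) != "off")
                printf "%s:%d:%s\n", FILENAME, FNR, f[2]
        }' {} +
}

# make_sample_tree DIR -> writes constructed sample files (hypothetical
# contents; file names borrowed from the paths mentioned in the issue).
make_sample_tree() {
    printf '%s\n' '# NOTE: AllowEncodedSlashes is off per default' \
        'AllowEncodedSlashes On' > "$1/default"
    printf '%s\n' '<VirtualHost *:80>' '    allowencodedslashes NoDecode' \
        '</VirtualHost>' > "$1/siteconf"
    printf '%s\n' '  # AllowEncodedSlashes On' \
        'AllowEncodedSlashes Off' > "$1/clean"
}

# Stand-alone run: audit the directory given as $1 (e.g. /etc/apache2),
# or the constructed sample when no argument is given.
if [ "$#" -gt 0 ]; then
    find_encoded_slashes "$1"
else
    d=$(mktemp -d) && make_sample_tree "$d" && find_encoded_slashes "$d"
    rm -rf "$d"
fi
```

An empty result means no active directive other than Off remains in the scanned tree.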

Related issues

Related to EDIT - bug #7563: requests with %2F in URL are rejected by apache - Closed - Andreas Kohlbecker

Related to EDIT - bug #9220: adapt dataportal to /registrationDTO now using identifier as query parameter and secure against CVE-2007-0450 vulnerability - Closed - Andreas Kohlbecker

#1

Updated by Andreas Kohlbecker over 3 years ago

  • Related to bug #7563: requests with %2F in URL are rejected by apache added

#2

Updated by Andreas Kohlbecker over 3 years ago

  • Description updated (diff)

#3

Updated by Andreas Kohlbecker over 3 years ago

  • Related to bug #9218: Change /registrationDTO/identifier/... signatures to use query parameters instead added

#4

Updated by Andreas Kohlbecker over 3 years ago

  • Related to deleted (bug #9218: Change /registrationDTO/identifier/... signatures to use query parameters instead)

#5

Updated by Andreas Kohlbecker over 3 years ago

  • Related to bug #9220: adapt dataportal to /registrationDTO now using identifier as query parameter and secure against CVE-2007-0450 vulnerability added

#6

Updated by Andreas Kohlbecker over 3 years ago

  • Target version changed from Release 5.18 to Release 5.19
  • Severity changed from normal to major

to be done right after the release 5.18 is deployed to our servers

#7

Updated by Andreas Kohlbecker about 3 years ago

  • Target version changed from Release 5.19 to Release 5.21

#8

Updated by Andreas Müller about 3 years ago

  • Target version changed from Release 5.21 to Release 5.22

#9

Updated by Andreas Kohlbecker about 3 years ago

  • Target version changed from Release 5.22 to Release 5.25

#10

Updated by Andreas Müller almost 3 years ago

  • Target version changed from Release 5.25 to Release 5.45