Jetty

URIUtil.encodePath() allows some characters to break the URI string

Details

  • Type: Bug Bug
  • Status: Resolved Resolved
  • Priority: Major Major
  • Resolution: Fixed
  • Affects Version/s: 6.1.15
  • Fix Version/s: 6.1.17
  • Component/s: HTTP
  • Labels:
    None
  • Number of attachments :
    2

Description

Some characters present in bad paths (typically seen from XSS attacks) can break the URI encoding of paths.

Need to add support for invalid path/filename characters, just to prevent the URI from becoming invalid.

  1. Text File
    JETTY-992.patch
    20/Apr/09 10:21 PM
    2 kB
    Joakim Erdfelt

Issue Links

is depended upon by

Bug - A problem which impairs or prevents the functions of the product. JETTY-980 Security / Directory Listing XSS present

  • Major - Major loss of function.
  • Resolved - A resolution has been taken, and it is awaiting verification by reporter. From here issues are either reopened, or are closed.

Activity

Hide
Permalink
Joakim Erdfelt added a comment -

Adding support for '"', '\'', '<', '>' characters in URIUtil.encodePath()

Show
Joakim Erdfelt added a comment - Adding support for '"', '\'', '<', '>' characters in URIUtil.encodePath()

People

  • Assignee:
    Unassigned
    Reporter:
    Joakim Erdfelt
Vote (0)
Watch (0)

Dates

  • Created:
    Updated:
    Resolved: