Problems with encoded slashes inside param values


This topic contains 14 replies, has 4 voices, and was last updated by  gus.ehr 2 years, 5 months ago.

  • #25863

    gus.ehr
    Participant

    Hi there!

    I’m trying to solve a problem when I use encoded slashes inside a parameter value through the URL.

    Environment
    Tomcat 7.0.50
    JDK 6
    Rewrite 2.0.11 +JSF Integration
    Mojarra 2.1.27

    page.xhtml

    
    <?xml version="1.0" encoding="ISO-8859-1" ?>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml"
        xmlns:ui="http://java.sun.com/jsf/facelets"
        xmlns:h="http://java.sun.com/jsf/html"
        xmlns:f="http://java.sun.com/jsf/core">
    <h:head>
        <title>Rewrite Slash</title>
    </h:head>
    <h:body>
        <f:view>
            <f:metadata>
                <f:viewParam name="data" value="#{pageMB.data}" />
            </f:metadata>
            <h1>Rewrite slash</h1>
            <h:outputText value="The URL data: #{pageMB.data}" />
        </f:view>
    </h:body>
    </html>
    

    RewriteConfigurationProvider.java

    
    package com.sample;
    
    import javax.servlet.ServletContext;
    
    import org.ocpsoft.rewrite.annotation.RewriteConfiguration;
    import org.ocpsoft.rewrite.config.*;
    import org.ocpsoft.rewrite.servlet.config.HttpConfigurationProvider;
    import org.ocpsoft.rewrite.servlet.config.rule.Join;
    
    @RewriteConfiguration
    public class RewriteConfigurationProvider extends HttpConfigurationProvider {
    
    	@Override
    	public Configuration getConfiguration(ServletContext arg0) {
    		return ConfigurationBuilder.begin().addRule(
    				Join.path("/mapped/encrypted/{data}").to("/page.jsf"));
    	}
    
    	@Override
    	public int priority() {
    		return 10;
    	}
    
    }
    

    When I access the URL http://localhost:8080/rewrite-slash/page.jsf?data=test%2fslash, I see the page with the correct output text: teste/slash.
    When I access the URL http://localhost:8080/rewrite-slash/mapped/data/test%2fslash, I receive a 400 HTTP response status code (Bad request).

    So, can I change something on my mapping to solve this problem, or is it a Rewrite issue?

    Thanks in advance.

    #25865

    Hey there,

    Thanks for posting your config 🙂 From what I’m seeing, your example is expected behavior.

    The url: http://localhost:8080/rewrite-slash/mapped/data/test%2fslash does not match your Rule: Join.path("/mapped/encrypted/{data}")...

    If this was just a typo, could you please upload a minimal sample maven project that reproduces this issue?

    Thanks!
    ~Lincoln

    #25869

    gus.ehr
    Participant

    Hello Lincoln!
    Sorry for the typo 😉

    The project is now attached to this thread.

    Thank you.

    Attachments:
    1. rewrite-slash.rar
    #25892

    ravindra
    Participant

    Hi

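    Please find the following piece of code.

    We have to escape the special character using URLEncoder.

    String str = "test/slash";
    // Replace the slash with its percent-encoded form first.
    str = StringUtils.replaceEach(str, new String[]{"/"}, new String[]{"%2F"});
    // Encoding again turns the '%' into "%25", so the slash ends up double encoded.
    str = URLEncoder.encode(str, "UTF-8");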

    http://localhost:8080/rewrite-slash/page.jsf?data=str

    Hope this solution will work for your requirement.

    #25897

    gus.ehr
    Participant

    Hello Ravindra!

    I’m doing something like this to encode my url params.

    The problem is the Rewrite redirection.
    The access to /rewrite-slash/page.jsf?data=test%2fslash works correctly with the JSF 2 view params, but the /rewrite-slash/mapped/data/est%2fslash doesn’t work.

    See ya.

    #25898

    I think Tomcat forbids encoded slashes by default. See:

    http://tomcat.apache.org/tomcat-7.0-doc/config/systemprops.html

    This system property controls it:

    org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH

    If this is true ‘%2F’ and ‘%5C’ will be permitted as path delimiters. If not specified, the default value of false will be used.

    #25903

    Interesting! I did not know that about Tomcat. This needs to go into our FAQ if this resolves the issue.

    #25905

    gus.ehr
    Participant

    Hello Lincoln and Chris!

    I don’t think that this Tomcat parameter is causing the issue because the http://localhost:8080/rewrite-slash/page.jsf?data=test%2fslash works properly. Just the mapped URL is returning the HTTP 400.

    See ya.

    #25911

    ravindra
    Participant

    Hi

    FYI

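    String str = "test/slash";
    // Replace the slash with its percent-encoded form first.
    str = StringUtils.replaceEach(str, new String[]{"/"}, new String[]{"%2F"});
    // Encoding again turns the '%' into "%25", so the slash ends up double encoded.
    str = URLEncoder.encode(str, "UTF-8");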

    Final Result something like this

    http://localhost:8080/rewrite-slash/mapped/data/test%252Fslash

    “/” is the path parameter separator, right? So we need to double encode this character while passing it through as a query parameter.

    When using Rewrite with Tomcat, “/” is the path parameter separator. When there is a “/” in the query string, it should break the URL and return a 400 error, so we need to double encode the “/” while passing it in a query string.

    Hope the above code will work.
    Check the above URL once; hope it will work.

    Regards
    Ravindra.

    • This reply was modified 2 years, 5 months ago by  ravindra.
    #25914

    @gus.ehr: There is a difference between a slash in a query parameter and a slash in a path parameter. Actually %2F and / are exactly the same in a path segment. But Tomcat blocks the encoded form by default.

    #25916

    As the / character shouldn’t be encoded in a path segment, you could try this:

    
    Join.path("/mapped/encrypted/{data}").to("/page.jsf")
      .where("data").matches(".*")
    

    With that rule a link like this should work:

    /mapped/data/test/slash

    #25940

    gus.ehr
    Participant

    Hello Chris.
    Thanks for the suggestions!

    These are my observations:

    The .where("data").matches(".*") didn’t change the behavior (400 bad request response code).
    When I use org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true the mapped URL returns 404 (not found status code).

    What do you think about this?
    See ya.

    #25942

    ravindra
    Participant

    Please execute the following URL once. Hope you will not get a 404 error, I am sure.

    http://localhost:8080/rewrite-slash/mapped/data/test%252Fslash

    thanks
    ravindra

    #25943

    You will always get a 400 response if you don’t set this Tomcat system property and use encoded slashes in the request.

    You should try to NOT encode the slash. So try to request this URL:

    /mapped/encrypted/foo/var

    #25944

    gus.ehr
    Participant

    @Chris

    You are right man.
    The 404 status code above was my bad.

    The problem is just the encoding of the slash in a path variable on Tomcat.

    When I access the URL
    /mapped/encrypted/foo/var
    and change the rule to .addRule(Join.path("/mapped/encrypted/{data}").to("/page.jsf")).where("data").matches(".*")
    the mapping works correctly.

    When I access the URL
    /mapped/encrypted/foo%2fvar,
    change the rule to
    .addRule(Join.path("/mapped/encrypted/{data}").to("/page.jsf")).where("data").matches(".*")
    and add
    org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true
    in Tomcat the mapping works correctly.

    Thank you for the help!

    • This reply was modified 2 years, 5 months ago by  gus.ehr.
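
The three forms of the value tried in this thread (raw slash, `%2F`, and double-encoded `%252F`), compared in an added example that is not part of any original post. `containerStatus` is a simplified model of the Tomcat default quoted above, not Tomcat code, and the class and method names are hypothetical.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.net.URLEncoder;

public class EncodedSlashDemo { // hypothetical class name

    // Simplified model (an assumption, not Tomcat source) of the default
    // quoted in the thread: unless ALLOW_ENCODED_SLASH is true, a request
    // path containing %2F or %5C is answered with 400.
    static int containerStatus(String rawPath, boolean allowEncodedSlash) {
        String p = rawPath.toLowerCase();
        boolean encodedDelimiter = p.contains("%2f") || p.contains("%5c");
        return (encodedDelimiter && !allowEncodedSlash) ? 400 : 200;
    }

    // How many path segments the {data} part spans after one round of
    // percent-decoding. URLDecoder is form decoding ('+' becomes a space),
    // which is close enough for these sample values.
    static int segmentsAfterOneDecode(String rawData)
            throws UnsupportedEncodingException {
        return URLDecoder.decode(rawData, "UTF-8").split("/").length;
    }

    public static void main(String[] args) throws UnsupportedEncodingException {
        String raw = "test/slash";                       // constructed sample
        String once = URLEncoder.encode(raw, "UTF-8");   // slash encoded once
        String twice = URLEncoder.encode(once, "UTF-8"); // the '%' encoded again
        String prefix = "/rewrite-slash/mapped/encrypted/";

        for (String data : new String[] { raw, once, twice }) {
            System.out.printf("%-15s default=%d allowFlag=%d segments=%d%n",
                    data,
                    containerStatus(prefix + data, false),
                    containerStatus(prefix + data, true),
                    segmentsAfterOneDecode(data));
        }

        // The double-encoded form is not rejected, but one round of decoding
        // leaves a literal "%2F" in the value, so the application has to
        // decode a second time to recover the slash.
        String afterFirstDecode = URLDecoder.decode(twice, "UTF-8");
        System.out.println(afterFirstDecode + " -> "
                + URLDecoder.decode(afterFirstDecode, "UTF-8"));
    }
}
```

Of the three forms, the raw slash is the only one that needs neither the container default relaxed nor a second decode in the application; because it spans two segments, it relies on the `.where("data").matches(".*")` constraint from the thread.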