|ID||Category||Severity||Reproducibility||Date Submitted||Last Update|
|0002266||[Resin]||minor||always||12-19-07 05:38||02-13-08 16:01|
|ETA||none||Fixed in Version||3.1.5||Product Version||3.0.21|
|Summary||0002266: Resin returns status 400 The request contains an illegal URL. without logging|
When the request path includes two or more dots the request is rejected.
As the path includes dynamic information from the user, the application is not able to return a proper error message due to the fact that the request never reaches the application.
Even if the .. is URL-encoded as %2E%2E the request is rejected.
As I read the specs (primarily RFC 2396), the .. should not be changed for absolute URLs and definitely not in URL-encoded form.
Running the application on Apache Tomcat delivers the request to the application and returns a proper error page to the user.
No logging is made in the access log in the above case.
|Steps To Reproduce|
|This is unlikely to be changed for security reasons. There are too many security breaches based on ".." to open this up just for the sake of better error messages. The application should be redesigned so ".." are not generated as URLs.|
|server/02e4 - logging change|
|12-19-07 05:38||jornsvendsen||New Issue|
|01-02-08 10:38||ferg||Note Added: 0002609|
|02-13-08 09:42||ferg||Status||new => acknowledged|
|02-13-08 16:01||ferg||Note Added: 0002773|
|02-13-08 16:01||ferg||Assigned To||=> ferg|
|02-13-08 16:01||ferg||Status||acknowledged => closed|
|02-13-08 16:01||ferg||Resolution||open => fixed|
|02-13-08 16:01||ferg||Fixed in Version||=> 3.1.5|
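
The behaviour discussed in this issue, as an added example that is not Resin's code or part of the original report: a request-path check that rejects a `..` segment whether it is literal or percent-encoded, and writes a log entry for every rejected request so the 400 is never silent. The logger name, the sample paths and the rule of matching only whole `..` segments are assumptions made for illustration.

```python
import logging
from urllib.parse import unquote

# Hypothetical logger name; a real server would write to its access log.
log = logging.getLogger("example.access")

ILLEGAL_URL = "The request contains an illegal URL."


def has_dotdot_segment(raw_path):
    """True if the path, percent-decoded once, contains a '..' segment."""
    # Only the path is checked; query string and fragment are cut off first.
    path = raw_path.split("?", 1)[0].split("#", 1)[0]
    decoded = unquote(path)  # turns %2E%2E (any letter case) into ".."
    # Assumption: treat backslash as a separator too, as some file systems do.
    return ".." in decoded.replace("\\", "/").split("/")


def handle(method, raw_path, client="-"):
    """Return (status, body). Every rejection is logged before returning."""
    if has_dotdot_segment(raw_path):
        log.warning('%s "%s %s" 400 rejected: ".." path segment',
                    client, method, raw_path)
        return 400, ILLEGAL_URL
    return 200, "dispatched to application"


# Constructed sample requests (not taken from the issue).
SAMPLES = [
    "/files/../conf",         # literal ".." segment
    "/files/%2E%2E/conf",     # percent-encoded form from the report
    "/files/%2e%2E%5Cconf",   # mixed case plus encoded backslash
    "/files/report..v2.txt",  # dots inside a name, not a segment
    "/search?q=..",           # ".." only in the query string
]

if __name__ == "__main__":
    logging.basicConfig(format="%(message)s")
    for sample in SAMPLES:
        print(sample, "->", handle("GET", sample, "192.0.2.10")[0])
```
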