Mantis Bugtracker

Viewing Issue Simple Details

ID: 0002266
Category: [Resin]
Severity: minor
Reproducibility: always
Date Submitted: 12-19-07 05:38
Last Update: 02-13-08 16:01
Reporter: jornsvendsen
View Status: public
Assigned To: ferg
Priority: normal
Resolution: fixed
Status: closed
Product Version: 3.0.21
Summary: 0002266: Resin returns status 400 The request contains an illegal URL. without logging
Description: When the request path includes two or more dots the request is rejected.

As the path includes dynamic information from the user the application is not able to return a proper error message due to the fact that the request never reaches the application.

Even if the .. is url encoded as %2E%2E the request is rejected.

As I read the specs (primarily RFC 2396), the .. should not be changed for absolute URLs and definitely not in URL-encoded form.

Running the application on Apache Tomcat delivers the request to the application and returns a proper error page to the user.

No logging is made in the access log in the above case.

- Notes
01-02-08 10:38

This is unlikely to be changed for security reasons. There are too many security breaches based on ".." to open this up just for the sake of better error messages. The application should be redesigned so ".." are not generated as URLs.
02-13-08 16:01

server/02e4 - logging change
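
The behaviour discussed in this issue, as an added Java example that is not Resin's code and not from the reporter or the developer: a request path is rejected with status 400 when it contains a `..` segment, literal or percent-encoded, and each rejection is written to a log. The class name, the logger name `access`, the rule that only whole `..` segments count, and the sample paths are assumptions made for the illustration.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.logging.Logger;

public class DotDotPathCheck {
    // Hypothetical logger name; stands in for the server's access log.
    private static final Logger ACCESS_LOG = Logger.getLogger("access");

    /** Returns the HTTP status to send: 400 for an illegal path, 200 otherwise. */
    static int check(String client, String rawPath) {
        int q = rawPath.indexOf('?');
        String path = q >= 0 ? rawPath.substring(0, q) : rawPath; // ignore the query string
        String reason = null;
        try {
            // Decode once, as a container does before mapping the path, so
            // %2E%2E is judged the same as a literal "..".
            String decoded = URLDecoder.decode(path, StandardCharsets.UTF_8);
            for (String segment : decoded.split("/")) {
                if (segment.equals("..")) {
                    reason = "dot-dot segment";
                    break;
                }
            }
        } catch (IllegalArgumentException e) {
            reason = "malformed percent-escape";
        }
        if (reason == null) return 200;
        // Log the raw, still-encoded path so the rejection is visible to
        // operators without writing decoded control characters to the log.
        ACCESS_LOG.warning(client + " \"" + rawPath + "\" 400 illegal URL: " + reason);
        return 400;
    }

    public static void main(String[] args) {
        // Constructed sample request paths.
        String[] samples = {
            "/app/report/2007",
            "/app/files/../conf",
            "/app/files/%2E%2E/conf",
            "/app/files/%2e%2E%2fconf",
            "/app/notes/a..b",
            "/app/search?q=..",
            "/app/bad%zz"
        };
        for (String s : samples) {
            System.out.println(check("192.0.2.10", s) + "  " + s);
        }
    }
}
```

Running it on Java 10 or later prints 200 for the first, fifth and sixth samples and 400 for the rest, with one log line per rejected request.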

- Issue History
Date Modified Username Field Change
12-19-07 05:38 jornsvendsen New Issue
01-02-08 10:38 ferg Note Added: 0002609
02-13-08 09:42 ferg Status new => acknowledged
02-13-08 16:01 ferg Note Added: 0002773
02-13-08 16:01 ferg Assigned To  => ferg
02-13-08 16:01 ferg Status acknowledged => closed
02-13-08 16:01 ferg Resolution open => fixed
02-13-08 16:01 ferg Fixed in Version  => 3.1.5
