如果 %2F 是 JBOSS 中 GET URL 的一部分，则会收到 HTTP 400 错误 [英] Receive an HTTP 400 error if %2F is part of the GET URL in JBOSS

问题描述

每当将具有 %2F(/ 的十六进制代码)的 URL 发布到我的 JBOSS 服务器时，我都会收到错误消息:

Whenever a URL that has %2F which is the hex code for / is posted to my JBOSS Server, I get an error:

HTTP 400 Bad Request error message. 

这是网址:

http://localhost:8080/application/**abc%2Fhi**?msg=hello"

如果我从 URL 中删除 %2F 链接工作正常.

If I remove the %2F from the URL the link works fine.

这个 %2F 必须是 URL 的一部分，不能是请求参数.

This %2F has to be part of the URL and cannot be a request parameter.

推荐答案

终于找出了原因(对于 JBoss 和 Apache).两个应用程序都故意拒绝带有编码斜杠的 URI(%2F 用于 /，%5C 用于 )以防止可能存在的安全漏洞.

Finally figured out the cause of this (both for JBoss and Apache). Both applications intentionally reject URIs with an encoded slash (%2F for / and %5C for ) to prevent possible security vulnerabilities.

链接:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450

http://securitytracker.com/id/1018110(查看第 4 节解决方案)

http://securitytracker.com/id/1018110 (Look at section 4. Solution)

以下是他们提供的在 JBoss 中启用此行为的说明:

And here are the instructions they provide for enabling this behavior in JBoss:

注意:为了响应 CVE-2007-0450，JBoss AS 认为 URL 中的编码斜杠和反斜杠无效，其使用将导致 HTTP 400 错误.可以按照下面概述的步骤允许编码斜杠和反斜杠，但这样做会使您面临 CVE-2007-0450 相关攻击:

Note: In response to CVE-2007-0450, JBoss AS considers encoded slashes and backslashes in URLs invalid and its usage will result in HTTP 400 error. It is possible to allow encoded slashes and backslashes by following the steps outlined below, however doing so will expose you to CVE-2007-0450 related attacks:

a) 如果您使用/var/lib/jbossas/bin/run.sh 设置，请编辑/etc/jbossas/run.conf 并附加

a) If you use the /var/lib/jbossas/bin/run.sh setup, please edit /etc/jbossas/run.conf and append

--Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true

- -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true

- -Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true 分配给 JAVA_OPTS 的字符串

- -Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true to the string assigned to JAVA_OPTS

b) 如果您使用 init 脚本设置来运行多个 JBoss AS 服务并且您希望在所有服务上默认允许编码，请编辑/etc/jbossas/jbossas.conf 并添加行 JAVA_OPTS="${JAVA_OPTS}

b) If you use the init script setup to run multiple JBoss AS services and you wish to allow encoding by default on all services, please edit /etc/jbossas/jbossas.conf and add the line JAVA_OPTS="${JAVA_OPTS}

--Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true

- -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true

--Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true"

- -Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true"

c) 如果您使用 init 脚本设置来运行多个 JBoss AS 服务并希望允许对特定服务的斜杠和反斜杠进行编码，请编辑/etc/sysconfig/${NAME}(其中 NAME 是您的服务)并添加行 JAVA_OPTS="${JAVA_OPTS}--Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true- -Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true"

c) If you use the init script setup to run multiple JBoss AS services and want to allow encoding of slashes and backslashes for a particular service, please edit /etc/sysconfig/${NAME} (where NAME is the name of your service) and add the line JAVA_OPTS="${JAVA_OPTS} - -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true - -Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true"

对于 Apache，它就像在 apache conf 或 vhost conf 中的某处设置AllowEncodedSlashes NoDecode"一样简单(但在 .htaccess 中不起作用).

For Apache, it's as simple as setting "AllowEncodedSlashes NoDecode" somewhere in your apache conf or vhost conf (doesn't work in an .htaccess, however).

Apache 链接:http://httpd.apache.org/docs/current/mod/core.html#allowencodedslashes

这篇关于如果 %2F 是 JBOSS 中 GET URL 的一部分，则会收到 HTTP 400 错误的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！