Receive an HTTP 400 error if %2F is part of the GET URL in JBOSS


Question

Whenever a URL that has %2F, which is the hex code for /, is posted to my JBOSS Server, I get an error:

HTTP 400 Bad Request error message. 

Here is the URL:

http://localhost:8080/application/**abc%2Fhi**?msg=hello

If I remove the %2F from the URL, the link works fine.

This %2F has to be part of the URL and cannot be a request parameter.

Accepted answer

Finally figured out the cause of this (both for JBoss and Apache). Both applications intentionally reject URIs with an encoded slash (%2F for / and %5C for \) to prevent possible security vulnerabilities.

Links:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450

http://securitytracker.com/id/1018110 (Look at section 4. Solution)

And here are the instructions they provide for enabling this behavior in JBoss:

Note: In response to CVE-2007-0450, JBoss AS considers encoded slashes and backslashes in URLs invalid and their usage will result in an HTTP 400 error. It is possible to allow encoded slashes and backslashes by following the steps outlined below; however, doing so will expose you to CVE-2007-0450 related attacks:

a) If you use the /var/lib/jbossas/bin/run.sh setup, please edit /etc/jbossas/run.conf and append

-Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true -Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true

to the string assigned to JAVA_OPTS.

b) If you use the init script setup to run multiple JBoss AS services and you wish to allow encoding by default on all services, please edit /etc/jbossas/jbossas.conf and add the line

JAVA_OPTS="${JAVA_OPTS} -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true -Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true"

c) If you use the init script setup to run multiple JBoss AS services and want to allow encoding of slashes and backslashes for a particular service, please edit /etc/sysconfig/${NAME} (where NAME is the name of your service) and add the line

JAVA_OPTS="${JAVA_OPTS} -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true -Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true"

For Apache, it's as simple as setting "AllowEncodedSlashes NoDecode" somewhere in your apache conf or vhost conf (it doesn't work in an .htaccess, however).

Apache link: http://httpd.apache.org/docs/current/mod/core.html#allowencodedslashes
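As an added illustration (not code from the question, the answer, or JBoss/Tomcat itself), the following Python model shows the rule behind the 400 in the question: the container refuses %2F and %5C in the request path unless the ALLOW_ENCODED_SLASH-style switch is on, because a front end that matches on the raw path and a back end that serves the decoded path would otherwise see different segments. All function and constant names are this example's own assumptions.

```python
"""Model of the encoded-slash rule behind the HTTP 400 (added example).
The names here are this example's own, not Tomcat's or JBoss's API."""
from urllib.parse import unquote

# Percent-encodings refused in the path by default: %2F is '/', %5C is '\'.
# The -D system properties quoted in the answer turn this refusal off.
REJECTED = ("%2f", "%5c")


class BadRequest(Exception):
    """Stands in for the HTTP 400 Bad Request the question reports."""


def split_segments(path):
    """Path segments as a proxy or URL-based access rule would see them."""
    return [s for s in path.split("/") if s]


def decode_path(raw_path, allow_encoded_slash=False):
    """Refuse encoded slashes unless explicitly allowed, then percent-decode.
    Backslashes are folded to '/' so both spellings name the same segments."""
    if not allow_encoded_slash and any(t in raw_path.lower() for t in REJECTED):
        raise BadRequest("400 Bad Request: encoded slash in request path")
    return unquote(raw_path).replace("\\", "/")


def segment_mismatch(raw_path):
    """Why the strict default exists: segments matched on the raw path versus
    segments the back end would serve after decoding. Returns both lists."""
    raw = split_segments(raw_path)
    decoded = split_segments(decode_path(raw_path, allow_encoded_slash=True))
    return raw, decoded


def handle(raw_path, allow_encoded_slash=False):
    """Return (status, decoded_path); status 400 carries no path."""
    try:
        return 200, decode_path(raw_path, allow_encoded_slash)
    except BadRequest:
        return 400, None


if __name__ == "__main__":
    path = "/application/abc%2Fhi"  # the path from the question (constructed input)
    print(handle(path))                              # default: (400, None)
    print(handle(path, allow_encoded_slash=True))    # (200, '/application/abc/hi')
    print(segment_mismatch(path))                    # 2 raw segments vs 3 decoded
```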
