Review UriCompliance.LEGACY behavior with bad UTF-8 in query
#12791
Conversation
…extraction. Added tests for DEFAULT, ALLOW_BAD_UTF8 and LEGACY. LEGACY expectations are set to jetty-11 results
…extraction. Added TRUNCATED_UTF8_ENCODING for LEGACY mode
* Left `queryBehaviorsLegacy` alone, as expectations from Jetty 11. * The `queryBehaviorsDefault` expectations are based Jetty 12.0.16. * The `queryBehaviorsBadUtf8Allowed` has its expectations updated.
joakime
changed the title
UriCompliance.LEGACY behavior with bad UTF-8 in query
|
@gregw I pushed the test cases I used for Jetty 11 to the branch See tests here ... In the process I also added a few more test cases that came to mind around bad behaviors on the parameter names. The replacement logic with raw unicode to |
jetty-core/jetty-server/src/test/java/org/eclipse/jetty/server/RequestTest.java
Outdated
Show resolved
Hide resolved
jetty-core/jetty-util/src/main/java/org/eclipse/jetty/util/TypeUtil.java
Show resolved
Hide resolved
|
@joakime fixed niggle. Please re-review and feel free to merge if CI passes. |
|
Merged, all the way through to 12.1.x |
@basil this pull-request is about the query handling, not path. |
Of course. That is why I wrote "a similar problem" rather than "the same problem."
@joakime I agree that a new issue should be reported about this. But since I have already reported 4 regressions against Jetty 12 since last May, I would appreciate it if you or someone else could open the issue about this one. |
There's not been an issue filed about this yet. https://github.com/jetty/jetty.project/issues?q=is%3Aissue%20SUSPICIOUS_PATH_CHARACTERS The You'll need to allow both that violation, and the setting to bypass the servlet spec rules. See https://github.com/jetty/jetty-examples/tree/12.0.x/embedded/ee10-servlet-ambiguous-paths |
@joakime Of course. But since you asked me to open a new issue about this, and since I have already opened 4 issues about Jetty 12 regressions in the recent past, I have asked you (or someone else) to file a ticket about this particular issue as a courtesy.
This worked fine in Jetty 9/10, so I do not see a reason why I should use a custom |
This is in the category of the many servlet hacks over the years to allow these kinds of bad / ambiguous / suspicious paths. Using LEGACY also doesn't decode like in Jetty 9/10/11. (a broken servlet hack) All of those hacks have been ruled as "not working, and will never work without breaking backward compatibility with the servlet API itself, stop with all of the hacks in all versions of Servlet and enforce the rules listed." If you rely on EXACT behavior as Jetty 9/10/11 then you will have to stick with Jetty 9/10/11 which doesn't implement the servlet rules outlined, and contains all of the hacks throughout the Jetty servlet implementation to attempt to work around these issues. Jetty 12 removed all of those servlet hacks, as they all lead to bugs, unintended consequences, and in some cases security issues. The best |
|
@joakime |
The decoding part is why.
For a proper LEGACY behavior, something new would have to be created. |
|
I've opened #12809 |
Added tests for DEFAULT, ALLOW_BAD_UTF8 and LEGACY. LEGACY expectations are set to jetty-11 results