WebApp Sec mailing list archives
java.net.URI.normalize() problem
From: Felipe Moreno <fmoreno () gmail com>
Date: Thu, 17 Feb 2005 23:30:09 +0100
Hi all,

I am working on a J2EE filter to implement a URL-based access control on a web application. To avoid the possibility of bypassing the control using manipulated URL paths, I was planning on using the normalize() method in the java.net.URI class before applying regexp filters. But after some tests (URL- and unicode-encoded paths) I have found out that it does not really work. In fact, this method normalizes the path attribute of the URI object and not the decodedPath as I expected (I'm using 1.4.2_06).

Normalizing before decoding allows for a lot of URL manipulation attacks, like, for example: the URL /images/gif/..%2F../admin/login.jsp will be transformed to /images/gif/../../admin/login.jsp instead of /admin/login.jsp, because normalize() fails to see %2F as a "/" as one would expect. This could allow someone to bypass the filters blocking access using a regexp like /admin.* on the (supposedly) normalized form. I don't see any reason to use the path instead of decodedPath (other than a bug). Any thoughts?

So I have implemented my own normalize() method, but I would like to know what the people on the list use for URL normalization?

Regards,
Felipe.
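The behaviour described in the post, reproduced as an added example (this is not Felipe's filter code, and the class and method names below are hypothetical): normalize() is applied to the raw, still-escaped path, so the "..%2F.." segment is not recognised as two ".." steps and survives. The decode-then-normalize routine shown alongside it decodes to a fixed point (so a double-encoded %252F is also caught), hands the decoded text to the multi-argument URI constructor (which re-quotes anything illegal), normalizes that, and rejects any result that still climbs above the root. It assumes a JDK with java.nio.charset.StandardCharsets (Java 7 or later, newer than the 1.4.2 mentioned in the post); the rest is java.net.URI API that has existed since 1.4.

```java
import java.io.ByteArrayOutputStream;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;

/** Added example, not code from the original post: decode BEFORE normalize(). */
public final class CanonicalPath {

    /**
     * Percent-decode a path as UTF-8. Unlike java.net.URLDecoder this leaves '+'
     * alone, since '+' is a literal character in a path, not a space.
     */
    static String percentDecode(String s) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        int i = 0;
        while (i < s.length()) {
            char c = s.charAt(i);
            if (c == '%' && i + 2 < s.length()
                    && Character.digit(s.charAt(i + 1), 16) >= 0
                    && Character.digit(s.charAt(i + 2), 16) >= 0) {
                out.write(Integer.parseInt(s.substring(i + 1, i + 3), 16));
                i += 3;
            } else {
                int cp = s.codePointAt(i);
                byte[] b = new String(Character.toChars(cp)).getBytes(StandardCharsets.UTF_8);
                out.write(b, 0, b.length);
                i += Character.charCount(cp);
            }
        }
        return new String(out.toByteArray(), StandardCharsets.UTF_8);
    }

    /**
     * Canonical form of a request path for access-control matching.
     * Decodes until the string stops changing (defeats %252F-style double encoding),
     * then normalizes the DECODED path and refuses anything that still escapes the root.
     */
    static String canonicalise(String rawPath) throws URISyntaxException {
        String decoded = rawPath;
        for (int round = 0; round < 3; round++) {          // bounded: 3 rounds is plenty
            String next = percentDecode(decoded);
            if (next.equals(decoded)) break;
            decoded = next;
        }
        // The 5-argument constructor quotes characters that are illegal in a path
        // (including a bare '%'), so arbitrary decoded text can be handed to it.
        URI u = new URI(null, null, decoded, null, null);
        if (u.getRawAuthority() != null) {
            // A decoded path beginning with "//host/..." would be parsed as an authority.
            throw new IllegalArgumentException("path carries an authority: " + rawPath);
        }
        String normalized = u.normalize().getPath();
        // java.net.URI leaves a leading ".." in place ("/../etc" stays "/../etc"),
        // so any ".." left after normalization means the path tried to climb above "/".
        if (normalized.equals("..") || normalized.startsWith("../")
                || normalized.contains("/../") || normalized.endsWith("/..")) {
            throw new IllegalArgumentException("path escapes the root: " + rawPath);
        }
        return normalized;
    }

    public static void main(String[] args) throws URISyntaxException {
        String attack = "/images/gif/..%2F../admin/login.jsp";   // constructed sample input

        // What the post observed: normalize() runs on the raw path, the escaped slash
        // is not a segment separator, and getPath() only decodes afterwards.
        System.out.println(new URI(attack).normalize().getPath());
        // -> /images/gif/../../admin/login.jsp   (a /admin.* regexp would not match)

        System.out.println(canonicalise(attack));
        // -> /admin/login.jsp

        System.out.println(canonicalise("/images/gif/..%252F..%252Fadmin/login.jsp"));
        // -> /admin/login.jsp   (double-encoded form, decoded to a fixed point)

        try {
            canonicalise("/..%2Fetc/passwd");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());   // climbs above the root
        }
    }
}
```

Run the regexp checks against the string canonicalise() returns, never against the raw request path or against normalize() of the raw path; and treat a rejection as a denied request rather than falling back to the original URL.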
Current thread:
- java.net.URI.normalize() problem Felipe Moreno (Feb 17)
- Re: java.net.URI.normalize() problem Garth Somerville (Feb 19)
- Re: java.net.URI.normalize() problem Felipe Moreno (Feb 21)
- Re: java.net.URI.normalize() problem Garth Somerville (Feb 19)