From: Chris H. <ch...@ha...> - 2003-10-21 08:23:20
I think it's egg-on-face time, at least as far as my practical report is concerned. I tried to get you more detailed logs, debug output etc. this morning and realized that the double-response I reported yesterday was because I was missing an error404.htm file in the test rig I used. Sorry, sorry, sorry. I can't now find any wrong behaviour in my test rig (Jetty 4.2.3).

I retreat back to the concern I had when I looked at Alexey's stack trace, which showed that javasript: (sic - note misspelling) was being rejected by java.net.URL as an "unknown protocol". The inference was that the URL was being constructed by new URL("javasript:blah()"); within FileResource.

Alexey's concern appeared to be that the error he got was a '500' when URL detected a bad protocol. My concern was that URL was ever allowed to parse the path part of a request as a protocol prefix. The 'file path' he presented was a perfectly legal one (speaking syntactically) and should not have been presented to java.net.URL as if it were a URL to be parsed (if that is indeed what happened).

Looking at the source of a more up-to-date Jetty (4.2.11) I see that a different method of FileResource path extension is now used, so I guess we need to know which version of Jetty Alexey was using.

Chris

"Greg Wilkins" replied
>
> guys
>
> which version of Jetty is this on?
> I'm trying with 4.2.9 and 4.2.14rc1 and I can't get the 500 or any other embedded protocol
> to be recognized. I'm always getting a 404.
>
> With a URL like:
> http://my.host.name/http://other.host.name/remoteResource
>
> The path fragment that gets passed to the resource methods should be
>
> /http://other.host.name/remoteResource
>
> While the : may cause some parsing grief, the /http: is not http: and
> should not get treated as such??
>
> Can anybody get one of these 500 exceptions when running against the
> standard Jetty demo or template webapplication?
>
> If you can, can you tell me the URL used and capture the DEBUG output.
>
> thanks
>
>
> Chris Haynes wrote:
> > Commenting on a message posted to jetty-support....
> >
> > Actually, looking again at the problem Alexey originally reported, I
> > suspect Jetty + Java has an 'unintended feature', rather than just an
> > inappropriate error response.
> >
> > It looks as if java.net.URI, when called by FileResource, is noting
> > the 'javascript:' at the start of the resource path and assuming that
> > it does not therefore need to prepend its usual 'file:'. In other
> > words FileResource is encouraging URI to interpret the path part of
> > the request as a full URL if it finds characters that look like part
> > of a URL. I don't think it should do this, should it? I would expect
> > the prefix 'file:' to be forced onto the start of the path by
> > FileResource, no matter what that requested path starts with.
> >
> > Is this a possible security weakness?
> >
> > It looks as if someone could formulate a request like
> > http://my.host.name/http://other.host.name/remoteResource
> > and perhaps have the request forwarded by Jetty.
> >
> > I've just tested the equivalent of
> > http://my.host.name/http://my.host.name/nonExistentResource
> > which shows TWO 404 responses in the request log (the second one with
> > a path of "-").
> >
> > However
> > http://my.host.name/http://news.bbc.co.uk
> > did not get me today's news, just a single 404, and
> > http://my.host.name/http://my.host.name/actualResource
> > returns two 404s with the second logged as a path of "-" so maybe the
> > problem is not that real?
> >
> > What about Jetty when used as a (reverse) proxy? Could this 'feature'
> > circumvent security checks? I can't test this myself.
> >
> >
> > Chris
> >
> >
> > "Alexey Yudichev" commented on jetty-support:
> >
> > Could not find any response to this...
> >
> > -----Original Message-----
> > From: Alexey Yudichev
> > Sent: Thursday, September 11, 2003 9:45 AM
> > To: jet...@li...
> > Subject: [Jetty-support] error 500 when requesting /javascript:blah()
> >
> >
> > If I request http://my.host.name/javasript:blah() to a Jetty server I
> > get 500 error with the following exception:
> >
> > java.net.MalformedURLException: unknown protocol: javasript
> > at java.net.URL.<init>(URL.java:586)
> > at java.net.URL.<init>(URL.java:476)
> > at org.mortbay.util.FileResource.addPath(FileResource.java:87)
> > at org.mortbay.http.HttpContext.getResource(HttpContext.java:788)
> > at org.mortbay.jetty.servlet.WebApplicationContext.getResource(WebApplicationContext.java:1237)
> > at org.mortbay.jetty.servlet.Default.getResource(Default.java:168)
> > at org.mortbay.jetty.servlet.Default.service(Default.java:189)
> > at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
> > at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:356)
> > at org.mortbay.jetty.servlet.WebApplicationHandler$Chain.doFilter(WebApplicationHandler.java:342)
> >
> > I guess it could be handled better with response 404 NOT FOUND.
> > I discovered this when some crawler (identified User-Agent:
> > Mozilla/3.0 (compatible; Indy Library)) tried to walk through my site.
> >
> >
> > _______________________________________________
> > jetty-discuss mailing list
> > jet...@li...
> > https://lists.sourceforge.net/lists/listinfo/jetty-discuss
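An added illustration of the concern the thread circles around (this is not Jetty's FileResource code, which none of the messages quote): it places a resolver that hands the request path to java.net.URL, so a path beginning with something that looks like a scheme is either parsed as an absolute URL or rejected as an unknown protocol, next to one that only ever treats the path as a file path under the document root and then checks that the canonical result stays inside that root. The document root directory, the sample request paths, and the assumption that the leading slash has already been stripped before the path is appended are all constructed for the example.

```java
import java.io.File;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
import java.nio.file.Path;

// Added illustration of the concern raised in this thread. It is NOT Jetty's
// FileResource code; it models the behaviour the messages describe.
public class ResourcePathResolution {

    // Naive resolver: the request path (assumed to have had its leading '/'
    // stripped, i.e. appended to the base as a relative path) is handed
    // straight to java.net.URL. URL looks for "scheme:" before the first '/',
    // so "javasript:blah()" is taken as a scheme and rejected with
    // MalformedURLException ("unknown protocol: javasript"), which a servlet
    // would surface as a 500, while "http://other.host.name/remoteResource"
    // is accepted as an absolute URL pointing at the other host.
    static URL naiveResolve(URL docRoot, String relativePath) throws MalformedURLException {
        return new URL(docRoot, relativePath);
    }

    // Hardened resolver: the request path is used only as a file path relative
    // to the document root, so no scheme parsing can ever take place (the
    // "file:" prefix is forced by construction, as Chris suggests). The
    // canonical result must then still lie inside the root, which also
    // rejects ".." escapes. Returns null when the path is to be refused;
    // the caller would answer 404, never 500.
    static File safeResolve(File docRoot, String requestPath) throws IOException {
        String rel = requestPath.replace('\\', '/');
        while (rel.startsWith("/")) {
            rel = rel.substring(1);
        }
        Path root = docRoot.getCanonicalFile().toPath();
        Path candidate = new File(docRoot, rel).getCanonicalFile().toPath();
        if (!candidate.startsWith(root)) {
            return null;
        }
        return candidate.toFile();
    }

    public static void main(String[] args) throws Exception {
        // Constructed document root for the demonstration.
        File docRoot = new File(System.getProperty("java.io.tmpdir"), "docroot-demo");
        docRoot.mkdirs();
        URL docRootUrl = docRoot.toURI().toURL(); // ends in "/" because the directory exists

        // Constructed sample request paths, including the two from the thread.
        String[] paths = {
            "index.html",
            "javasript:blah()",
            "http://other.host.name/remoteResource",
            "../outside.txt"
        };
        for (String p : paths) {
            String naive;
            try {
                naive = naiveResolve(docRootUrl, p).toString();
            } catch (MalformedURLException e) {
                naive = "MalformedURLException: " + e.getMessage();
            }
            File safe = safeResolve(docRoot, p);
            System.out.println(p);
            System.out.println("  naive URL : " + naive);
            System.out.println("  safe file : "
                + (safe == null ? "rejected (outside document root)" : safe));
        }
    }
}
```

Run it with `java ResourcePathResolution.java` (Java 11 or later). The safe variant makes Chris's point mechanically: the request path never reaches a URL parser, so nothing in it can be mistaken for a scheme, and the containment check covers the remaining way a plain file path can leave the root. On Windows a colon inside a file name has its own meaning, so this check alone is not sufficient there.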