tomcat-7, code review - error, bad request

385 views
Skip to first unread message

rupert THURNER

unread,
Oct 15, 2013, 6:56:11 PM10/15/13
to repo-d...@googlegroups.com
hi,

there is a bug opened here:
http://code.google.com/p/gerrit/issues/detail?id=2135

saying that using tomcat7 there is a "code review - error, bad request" when clicking on a change in the list. we experience exactly this error and i'd wonder how to track it down further where it might come from. it happens with chromium, firefox and internet explorer.

rupert

David Ostrovsky

unread,
Oct 16, 2013, 2:48:59 AM10/16/13
to repo-d...@googlegroups.com, repo-discuss
I don't see it on current master. Anonym or authenticated, with old or new change screen, it works here on Tomcat 7.0.42.

Ian Kumlien

unread,
Oct 16, 2013, 4:18:24 AM10/16/13
to David Ostrovsky, Repo and Gerrit Discussion
I mailed about this a while ago, commented on the issue and now adding this here:

Add "-Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true" to your catalina options in tomcat/bin/setenv.sh

This is related to the path changes in gerrit.
---


--
--
To unsubscribe, email repo-discuss...@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en
 
---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

rupert THURNER

unread,
Oct 16, 2013, 4:36:33 AM10/16/13
to repo-d...@googlegroups.com, David Ostrovsky
many thanks, ian, works fine now! i remember having seen this with gitblit as well, they state in their faq at http://gitblit.com/faq.html:
  "You have a few options on how to handle this scenario:
  1. Tweak Tomcat
    Add -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true to CATALINA_OPTS or to your JVM launch parameters
  2. web.mountParameters = false and use non-pretty, parameterized urls
  3. web.forwardSlashCharacter = ! which tells Gitblit to use ! instead of "
as a reason for this they refer to the tomcat documentation saying at http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.10:

    "Important: Directory traversal CVE-2007-0450

Tomcat permits '\', '%2F' and '%5C' as path delimiters. When Tomcat is used behind a proxy (including, but not limited to, Apache HTTP server with mod_proxy and mod_jk) configured to only proxy some contexts, a HTTP request containing strings like "/\../" may allow attackers to work around the context restriction of the proxy, and access the non-proxied contexts.

The following Java system properties have been added to Tomcat to provide additional control of the handling of path delimiters in URLs (both options default to false):

  • org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH: true|false
  • org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH: true|false

Due to the impossibility to guarantee that all URLs are handled by Tomcat as they are in proxy servers, Tomcat should always be secured as if no proxy restricting context access was used.

Affects: 6.0.0-6.0.9"

Reply all
Reply to author
Forward
0 new messages