12

Apache Tomcat (at least before Tomcat 6 see footnote) treats a percent-encoded slash (%2F) in a URI path just like a regular slash (i.e. as a path delimiter).

So e.g. the servlets example page of Tomcat can be accessed at

  • http://localhost:8080/examples/servlets/ and at
  • http://localhost:8080/examples%2Fservlets/

This does not make sense to me. The whole point of percent-encoding a reserved character like "/" is to avoid it being treated as a reserved character (in this case a path delimiter). In addition to this, this behaviour is (one) cause of the vulnerability CVE-2007-0450. However, I assume there must have been a reason for this.

  • Is there any technical reason why Tomcat treats (ok, used to treat) %2F as a path delimiter?

  • Is there some situation where this behaviour is helpful?

Footnote: I realize that due to CVE-2007-0450 Tomcat's default behaviour was changed to reject percent-encoded slashes in the path. However, if this check is disabled (ALLOW_ENCODED_SLASH), the old behavior remains.

sleske
  • 81,358
  • 34
  • 189
  • 227

1 Answers1

9

It was related to when Tomcat was behind an httpd reverse proxy. In some circumstances the URI was partially encoded so the %2F handling was necessary to undo that encoding.

It create a number of security issues which were fixed around the same time CVE-2007-0450 was fixed. For background, look at the ForwardURIxxx options in the mod_jk docs: http://tomcat.apache.org/connectors-doc/reference/apache.html That covers a few cases where you still might want this feature (but because of the possible security issues I'd avoid it if at all possible).

The default behaviour is now httpd to pass the URI to Tomcat unchanged and for Tomcat to treated encoded characters as exactly that.

Mark Thomas
  • 16,339
  • 1
  • 39
  • 60
  • 2
    Mark, is there a way to tell Tomcat to *not* treat %2F as a path separator? I realize it rejects the request entirely unless the prop mentioned here is set, but after that, I want ".../foo%2Fbar/..." to be treat as one path element with value "foo/bar", and not as if it were ".../foo/bar/..." – Sean Owen Dec 11 '13 at 16:26
  • I'm afraid not. %decoding happens fairly early on and once decoding happens Tomcat can't tell the difference between an original / and once decoded from %2F. You might be able to do use double encoding i.e. %252F but I wouldn't recommend it as that is the sort of thing that has lead to security issues in the past. – Mark Thomas Dec 11 '13 at 23:16
  • 2
    I have done some tests with Tomcat 7 and found that it does not accept %2F in the path of the URL: it returns HTTP status code 400 "Bad Request". If I pass %2F in a parameter is works fine. If I use %2C in the URI is gets converted to ',' so Tomcat really handles %2F in a special way. – Constantino Cronemberger Dec 29 '15 at 12:51