cryptomator / webdav-nio-adapter

Jackrabbit-based servlets running on embedded Jetty to serve a directory specified by a java.nio.file.Path
GNU Affero General Public License v3.0

Files containing "%" cannot be opened #40

Closed infeo closed 2 years ago

infeo commented 2 years ago

Files containing a % cannot be opened anymore. With the debug log level activated, the following stack trace appears in the log when accessing the file:

org.eclipse.jetty.http.BadMessageException: 400: Ambiguous path encoding in URI
    at org.eclipse.jetty.server.Request.setMetaData(Request.java:1706)
    at org.eclipse.jetty.server.HttpChannel.onRequest(HttpChannel.java:794)
    at org.eclipse.jetty.server.HttpChannelOverHttp.headerComplete(HttpChannelOverHttp.java:332)
    at org.eclipse.jetty.http.HttpParser.parseFields(HttpParser.java:1226)
    at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:1511)
    at org.eclipse.jetty.server.HttpConnection.parseRequestBuffer(HttpConnection.java:384)
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:270)
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:319)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
    at org.eclipse.jetty.io.SocketChannelEndPoint$1.run(SocketChannelEndPoint.java:101)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126)
    at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:378)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
    at java.base/java.lang.Thread.run(Thread.java:831)

This bug first appeared when updating jetty from 10.0.2 to 10.0.3 in 99594edf958510411eb3f98cd5eecb7f87111664.

infeo commented 2 years ago

It is caused by a security fix in jetty for https://github.com/eclipse/jetty.project/security/advisories/GHSA-v7ff-8wcx-gmc5.

Without configuration, jetty is now stricter than RFC 3986 when parsing URLs and blocks certain RFC 3986-valid URLs. For more info, see also https://github.com/eclipse/jetty.project/pull/6003 and https://github.com/eclipse/jetty.project/issues/6132

infeo commented 2 years ago

Fixed in 101b963d2ad4a519d47909e64d0fb20672ed11da by allowing AMBIGUOUS_PATH_SEPERATOR and AMBIGUOUS_PATH_ENCODING (see http://www.eclipse.org/jetty/javadoc/jetty-10/org/eclipse/jetty/http/UriCompliance.html and its VIOLATION subclass)
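The following is an added example, not the project's commit or Jetty's own code, showing how a Jetty 10 connector can be given a UriCompliance that re-allows exactly the two violations named above while keeping the rest of the 10.0.3 DEFAULT rules. It also checks the request-target for the file name from this issue ("100%.txt", sent by clients as "/vault/100%25.txt") through the same UriCompliance.checkUriCompliance call that throws the BadMessageException in the stack trace. The mode name, the host and port, the "/vault" prefix and the sample paths are assumptions; the enum constant is spelled AMBIGUOUS_PATH_SEPARATOR in the Jetty javadoc.

```java
import org.eclipse.jetty.http.HttpURI;
import org.eclipse.jetty.http.UriCompliance;
import org.eclipse.jetty.http.UriCompliance.Violation;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;

public class WebDavUriCompliance {

    // Assumed mode name; Jetty uses it only in toString()/logging.
    static final String MODE_NAME = "WEBDAV_PERCENT";

    /**
     * Jetty 10.0.3 DEFAULT compliance rejects a path segment that decodes to a
     * literal '%' (AMBIGUOUS_PATH_ENCODING, e.g. "/100%25.txt" for a file named
     * "100%.txt") and a segment containing an encoded slash
     * (AMBIGUOUS_PATH_SEPARATOR, "%2F"). A WebDAV server that exposes arbitrary
     * file names needs both, so allow exactly those two and nothing else.
     */
    static UriCompliance webdavCompliance() {
        return UriCompliance.DEFAULT.with(MODE_NAME,
                Violation.AMBIGUOUS_PATH_ENCODING,
                Violation.AMBIGUOUS_PATH_SEPARATOR);
    }

    /**
     * Returns null when Jetty would accept the request-target under the given
     * compliance, otherwise the reason text it would put into the 400 response.
     * This is the same static check Request.setMetaData() performs.
     */
    static String check(UriCompliance compliance, String rawPath) {
        return UriCompliance.checkUriCompliance(compliance, HttpURI.from(rawPath));
    }

    public static void main(String[] args) throws Exception {
        UriCompliance compliance = webdavCompliance();

        // Guard: relaxing the mode must not re-allow encoded dot segments
        // ("/%2e%2e/"), the class of path that GHSA-v7ff-8wcx-gmc5 is about.
        if (compliance.allows(Violation.AMBIGUOUS_PATH_SEGMENT)) {
            throw new IllegalStateException("AMBIGUOUS_PATH_SEGMENT must stay rejected");
        }

        // Constructed request paths: the file from this issue, before and after.
        System.out.println(check(UriCompliance.DEFAULT, "/vault/100%25.txt")); // non-null: the 400 from the issue
        System.out.println(check(compliance, "/vault/100%25.txt"));            // null: accepted
        System.out.println(check(compliance, "/vault/%2e%2e/secret.txt"));     // non-null: still rejected

        // Apply the compliance to the connector so every request is parsed with it.
        HttpConfiguration httpConfig = new HttpConfiguration();
        httpConfig.setUriCompliance(compliance);

        Server server = new Server();
        ServerConnector connector = new ServerConnector(server, new HttpConnectionFactory(httpConfig));
        connector.setHost("127.0.0.1"); // assumption: loopback only, as for a local WebDAV mount
        connector.setPort(42427);       // assumption
        server.addConnector(connector);
        // server.setHandler(...): the Jackrabbit WebDAV servlet context goes here.
        server.start();
        server.join();
    }
}
```

Allowing AMBIGUOUS_PATH_SEPARATOR means a segment such as `a%2Fb` reaches the servlet with a decoded slash inside it, so the servlet that maps the path onto the java.nio.file.Path must treat the decoded segment as one file name and never re-split or re-decode it; keeping AMBIGUOUS_PATH_SEGMENT rejected leaves the traversal-style paths the advisory covers blocked at the parser.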