jetty / jetty.project

Eclipse Jetty® - Web Container & Clients - supports HTTP/2, HTTP/1.1, HTTP/1.0, websocket, servlets, and more
https://eclipse.dev/jetty

Jetty12: Passing encoded slashes (%2F) in URLs is causing "400 Ambiguous URI path separator" #12467

Closed anvy2803 closed 2 weeks ago

anvy2803 commented 2 weeks ago

Jetty version(s): 12.0.13

Jetty Environment: ee10

Java version/vendor (use: java -version): openjdk version "17.0.10"

OS type/version: macOS Sonoma 14.7

Description: Request URIs with encoded slash (%2F) are being rejected with 400 Bad Request after migrating to Jetty12 from Jetty11. I am also using Jakarta 6.0.0.

How to reproduce? Send any request with encoded slash. Even if there's no mapping of the URL, it should fail with 404 Not Found instead of 400 Bad Request.

paulrutter commented 2 weeks ago

This is by design, see https://github.com/jetty/jetty.project/issues/12346#issuecomment-2391677068

joakime commented 2 weeks ago

See the Jakarta Servlet 6.0 spec: Section 3.5.2. URI Path Canonicalization: 10: Rejecting Suspicious Sequences.

joakime commented 2 weeks ago

duplicate of #12346

anvy2803 commented 1 week ago

It's giving 400 Bad Request even after using UriCompliance.UNSAFE

paulrutter commented 1 week ago

See https://github.com/jetty/jetty.project/issues/12346#issuecomment-2392475541
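Why a container treats `%2F` as ambiguous, shown as an added illustration that is not part of the original thread and is not Jetty's code: the same raw path yields different segments depending on whether a component splits on `/` before or after percent-decoding. The `respond` function, its exact-match mapping table and the sample paths are assumptions constructed for this simplified model.

```python
# Added illustration: a simplified model, not Jetty's implementation.
from urllib.parse import unquote


def split_then_decode(raw_path):
    """Split on literal '/' first, then percent-decode each segment."""
    return [unquote(seg) for seg in raw_path.split("/")[1:]]


def decode_then_split(raw_path):
    """Percent-decode the whole path first, then split on '/'."""
    return unquote(raw_path).split("/")[1:]


def has_encoded_slash(raw_path):
    """True if the raw (undecoded) path carries %2F or %2f."""
    return "%2f" in raw_path.lower()


def is_ambiguous(raw_path):
    """True if the two decoding orders disagree about the path segments."""
    return split_then_decode(raw_path) != decode_then_split(raw_path)


def respond(raw_path, mappings, reject_ambiguous=True):
    """Status a strict container would return in this model.

    mappings is a hypothetical set of exact decoded paths. The ambiguity
    check runs before any mapping lookup, so an unmapped path containing
    %2F gets 400 rather than 404.
    """
    if reject_ambiguous and has_encoded_slash(raw_path):
        return 400, "Ambiguous URI path separator"
    if unquote(raw_path) in mappings:
        return 200, "OK"
    return 404, "Not Found"


if __name__ == "__main__":
    # Constructed sample paths and mapping table.
    mappings = {"/files/report", "/files/a/b"}
    for path in ["/files/report", "/files/a%2Fb", "/nope", "/nope%2fx"]:
        print(path, split_then_decode(path), decode_then_split(path),
              respond(path, mappings), respond(path, mappings, False))
```

With `reject_ambiguous=False`, `/files/a%2Fb` matches the `/files/a/b` mapping even though a component that split first saw it as the two segments `files` and `a/b`; that disagreement between layers is what the strict default refuses to guess at.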