
HttpURI considers %25 to be ambiguous, preventing access to static resources with % in their name #7160

Closed
wilkinsona opened this issue Nov 23, 2021 · 4 comments · Fixed by #7180
Labels
Bug For general bugs on Jetty side

Comments

@wilkinsona (Contributor) commented Nov 23, 2021

Jetty version(s)

11.0.7

Java version/vendor (use: java -version)

openjdk version "17" 2021-09-14
OpenJDK Runtime Environment Temurin-17+35 (build 17+35)
OpenJDK 64-Bit Server VM Temurin-17+35 (build 17+35, mixed mode, sharing)

OS type/version

macOS

Description

This is a follow on from the discussion in #4033. With Jetty 11.0.7, a static resource with a % in its filename cannot be accessed due to HttpURI considering it to be ambiguous:

https://github.com/eclipse/jetty.project/blob/0c6acfc1a2f7889e577c9a565aff2f4fa32d855c/jetty-http/src/main/java/org/eclipse/jetty/http/HttpURI.java#L1210-L1212

I have a (rather extreme) test that tries to load static resources from a jar. This jar contains an entry named META-INF/resources/nested-reserved-!#$%&()*+,:=?@[]-meta-inf-resource.txt and the test tries to access it using the URL /nested-reserved-%21%23%24%25%26%28%29%2A%2B%2C%3A%3D%3F%40%5B%5D-meta-inf-resource.txt. This works with Jetty 9.4.x but fails with 11.0.7. I haven't tried 10.0.x. FWIW, it also works with Tomcat 9 and 10 and Undertow 2.2.

How to reproduce?

Hopefully the above is sufficient. I can try to extract the test from Spring Boot's build into something standalone if that would be useful.

wilkinsona added the "Bug" label on Nov 23, 2021

@lachlan-roberts (Contributor)

@wilkinsona This was done as a protection against things like double URI decoding vulnerabilities. You will need to configure your UriCompliance mode to allow AMBIGUOUS_PATH_ENCODING.

You can use one of the following compliance modes; UriCompliance.LEGACY, UriCompliance.RFC3986 or UriCompliance.UNSAFE.

There is a setting in start.d/server.ini if using standalone Jetty. Otherwise you will need to configure it on the HttpConfiguration, something like:

connector.getConnectionFactory(HttpConnectionFactory.class)
    .getHttpConfiguration()
    .setUriCompliance(UriCompliance.LEGACY);

@wilkinsona (Contributor, Author)

Isn't the protection over-zealous in this case as there's no double encoding involved? How can one access static resources with % in their name without becoming exposed to double decoding vulnerabilities?

@lachlan-roberts (Contributor)

@wilkinsona It might be over-zealous to be rejecting ambiguous path encodings by default. The double decoding vulnerability was reported against ConcatServlet and WelcomeFilter which have since been fixed. So if you change UriCompliance mode to allow ambiguous encodings there should be no issue unless the application or a framework is accidentally re-decoding the decoded path.

@gregw what do you think about the default UriCompliance mode rejecting %25?
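The two comments above turn on one point: a raw path containing a literal `%25` decodes once to a `%`, and if anything downstream decodes the already-decoded path a second time, what follows that `%` is reinterpreted. The example below is added here to show that mechanism concretely; it is not Jetty code and does not reproduce HttpURI's checks. It models a container that decodes the request path once (as Jetty does), an application that then either re-decodes (the double-decoding bug) or does not, and two ambiguity checks written for this example: a strict one that, like the behaviour reported in this issue, rejects any `%25`, and a narrower one that only flags paths where a second decode would actually change the string. The resource name from the issue report and the traversal paths are constructed inputs; `/srv/www` is an assumed document root.

```python
"""Why a literal %25 in a request path is treated as ambiguous (added example)."""
import posixpath
from urllib.parse import unquote

# Assumed document root for the illustration.
ROOT = "/srv/www"

# Constructed inputs:
# 1. the legitimate resource name from the issue report (contains %25 -> '%')
ISSUE_PATH = ("/nested-reserved-%21%23%24%25%26%28%29%2A%2B%2C%3A%3D%3F"
              "%40%5B%5D-meta-inf-resource.txt")
# 2. a double-encoded traversal: %252e -> %2e after one decode -> '.' after two
TRAVERSAL_PATH = "/static/%252e%252e/%252e%252e/%252e%252e/etc/passwd"
# 3. an ordinary single-encoded traversal, caught by any sane root check
SINGLE_ENCODED = "/static/%2e%2e/%2e%2e/%2e%2e/etc/passwd"


def decode_once(raw_path: str) -> str:
    """What a container hands to the application: one percent-decoding pass."""
    return unquote(raw_path)


def normalize_under_root(root: str, decoded_path: str):
    """Join the decoded path onto root, normalise '..' and return the target,
    or None if the result escapes root. Never decodes anything."""
    target = posixpath.normpath(root + "/" + decoded_path.lstrip("/"))
    if target != root and not target.startswith(root + "/"):
        return None
    return target


def app_serve_vulnerable(root: str, container_decoded_path: str):
    """Double-decoding bug: the safety check runs on the once-decoded path,
    then the path is decoded again before the file is opened."""
    target = normalize_under_root(root, container_decoded_path)
    if target is None:
        return None                       # the check looks fine...
    return posixpath.normpath(unquote(target))   # ...but this undoes it


def app_serve_hardened(root: str, container_decoded_path: str):
    """Decode exactly once (the container already did), check, never re-decode."""
    return normalize_under_root(root, container_decoded_path)


def has_literal_percent25(raw_path: str) -> bool:
    """Strict check in the spirit of the behaviour reported in this issue:
    any %25 in the raw path is ambiguous, even if harmless."""
    return "%25" in raw_path


def redecode_changes(raw_path: str) -> bool:
    """Narrower check (this example's own heuristic, not Jetty's): the path is
    only dangerous if a second decode would produce a different string."""
    once = unquote(raw_path)
    return unquote(once) != once


if __name__ == "__main__":
    for raw in (ISSUE_PATH, TRAVERSAL_PATH, SINGLE_ENCODED):
        once = decode_once(raw)
        print("raw        :", raw)
        print("decoded    :", once)
        print("vulnerable :", app_serve_vulnerable(ROOT, once))
        print("hardened   :", app_serve_hardened(ROOT, once))
        print("strict %25 :", has_literal_percent25(raw),
              " re-decode changes:", redecode_changes(raw))
        print()
```

Running it shows the asymmetry the thread is discussing: the issue's resource name contains a `%25` and is rejected by the strict check, yet re-decoding its decoded form is a no-op (the `%` is followed by `&`, not two hex digits), so both resolvers serve the same file. The `%252e` path passes the root check after one decode and is only turned into `/etc/passwd` by the application's second decode; the narrower check catches exactly that case. Whether the container should refuse the request up front, or leave it to applications not to re-decode, is the policy question gregw answers below.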

@gregw (Contributor) commented Nov 29, 2021

I'm inclined to relax the double encoding check in 10 & 11 by default. We don't protect for this in 9, and with servlet6 there is a much better definition of what we should be doing, so it will be better fixed in jetty-12, so let's not be special in jetty-10 & jetty-11. i.e. let's go with the flow and act the same as the other containers.

3 participants