[AAA-265] RESTCONF path segment with encoded forward slash returns 400 - OpenDaylight JIRA

XML

Word

Printable

Details

Type: Bug
Status: Resolved
Priority: Highest
Resolution: Done
Affects Version/s: 0.18.1
Fix Version/s: 0.16.10, 0.17.12, 0.18.2
Component/s: None
Labels:
None

Description

The RESTCONF request URI with encoded forward slash (/) returns the status code of 400 and the request is not processed.

For example,

{
    "servlet": "org.glassfish.jersey.servlet.ServletContainer",
    "message": "Invalid request",
    "url": "/rests/data/network-topology:network-topology/topology=topology-netconf/node=XPDR-A1/yang-ext:mount/org-openroadm-device:org-openroadm-device/circuit-packs=1%2F0%2F1-PLUG-NET",
    "status": "400"
}

This appears to be caused by Shiro 0.12.1 adopted by AAA. The version addresses a path traversal attack (CVE-2023-34478) by rejecting URIs with an encoded forward slash.

Attachments

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

karaf-debug.log.xz
214 kB
11/Sep/23 6:53 PM

Issue Links

relates to

AAA-264 Upgrade shiro to 1.12.0

Resolved

mentioned in: Page Loading...

Gerrit Reviews

- Issue Only
- Show All Reviews
- Show Open Reviews
- Show All Issues
- Show Open Issues

No reviews matched the request. Check your Options in the drop-down menu of this sections header.

Activity

People

Assignee:: Robert Varga

Reporter:: Sangwook Ha

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 11/Sep/23 6:47 PM

Updated:: 02/Oct/23 1:30 AM

Resolved:: 18/Sep/23 3:03 PM