aaa / AAA-265

RESTCONF path segment with encoded forward slash returns 400

Details

    • Type: Bug
    • Status: Resolved
    • Priority: Highest
    • Resolution: Done
    • Affects Version/s: 0.18.1
    • Fix Version/s: 0.16.10, 0.17.12, 0.18.2

    Description

      The RESTCONF request URI with encoded forward slash (/) returns the status code of 400 and the request is not processed.

      For example,

      {
          "servlet": "org.glassfish.jersey.servlet.ServletContainer",
          "message": "Invalid request",
          "url": "/rests/data/network-topology:network-topology/topology=topology-netconf/node=XPDR-A1/yang-ext:mount/org-openroadm-device:org-openroadm-device/circuit-packs=1%2F0%2F1-PLUG-NET",
          "status": "400"
      }
      

      This appears to be caused by Shiro 0.12.1 adopted by AAA. The version addresses a path traversal attack (CVE-2023-34478) by rejecting URIs with an encoded forward slash.
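
Added example (not part of the original report, and not AAA or Shiro code): a simplified Python model of why the request above is rejected and why the order of splitting and decoding matters for a RESTCONF list key that contains `/`. All function names are hypothetical; `blanket_filter` only models the behaviour described in the report, and `has_dot_segment` is an assumed narrower check shown for comparison.

```python
from urllib.parse import unquote

# URL copied from the report; the functions below are illustrative only.
URL = ("/rests/data/network-topology:network-topology/topology=topology-netconf/"
       "node=XPDR-A1/yang-ext:mount/org-openroadm-device:org-openroadm-device/"
       "circuit-packs=1%2F0%2F1-PLUG-NET")


def blanket_filter(raw_path):
    """Model of a filter that rejects every encoded forward slash (status 400)."""
    return 400 if "%2f" in raw_path.lower() else 200


def split_then_decode(raw_path):
    """Split on literal '/' first, then percent-decode each segment once."""
    return [unquote(seg) for seg in raw_path.split("/") if seg]


def decode_then_split(raw_path):
    """Wrong order: decoding first turns %2F into a segment delimiter."""
    return [seg for seg in unquote(raw_path).split("/") if seg]


def has_dot_segment(raw_path):
    """Assumed narrower check: flag '.' or '..' as a path component after one
    round of decoding, including components hidden behind an encoded slash."""
    for seg in raw_path.split("/"):
        if any(part in (".", "..") for part in unquote(seg).split("/")):
            return True
    return False


def list_key(segment):
    """Return (list name, key value) for a RESTCONF 'list=key' segment."""
    name, _, key = segment.partition("=")
    return name, key


if __name__ == "__main__":
    print("blanket filter status:", blanket_filter(URL))
    print("list key:", list_key(split_then_decode(URL)[-1]))
    print("segments if decoded first:", len(decode_then_split(URL)))
    print("dot segment present:", has_dot_segment(URL))
```
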

            People

              rovarga Robert Varga
              sangwookha Sangwook Ha