[AAA-265] RESTCONF path segment with encoded forward slash returns 400 - OpenDaylight JIRA

XML

Word

Printable

Details

Type: Bug
Status: Resolved
Priority: Highest
Resolution: Done
Affects Version/s: 0.18.1
Fix Version/s: 0.16.10, 0.17.12, 0.18.2
Component/s: None
Labels:
None

Description

The RESTCONF request URI with encoded forward slash (/) returns the status code of 400 and the request is not processed.

For example,

{
    "servlet": "org.glassfish.jersey.servlet.ServletContainer",
    "message": "Invalid request",
    "url": "/rests/data/network-topology:network-topology/topology=topology-netconf/node=XPDR-A1/yang-ext:mount/org-openroadm-device:org-openroadm-device/circuit-packs=1%2F0%2F1-PLUG-NET",
    "status": "400"
}

This appears to be caused by Shiro 0.12.1 adopted by AAA. The version addresses a path traversal attack (CVE-2023-34478) by rejecting URIs with an encoded forward slash.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

karaf-debug.log.xz
11/Sep/23 6:53 PM
214 kB
Robert Varga

Issue Links

relates to

AAA-264 Upgrade shiro to 1.12.0

Resolved

mentioned in: Page Loading...

Gerrit Reviews

- Issue Only
- Show All Reviews
- Show Open Reviews
- Show All Issues
- Show Open Issues

#	Subject	Branch	Project	Status	CR	V
107790,5	Skip tests in failure before deps version bump	master	transportpce	Status: MERGED	+2	+1
107888,4	Disable invalidRequest.blockTraversal	master	aaa	Status: MERGED	+2	+1
107900,1	Disable invalidRequest.blockTraversal	0.17.x	aaa	Status: MERGED	+2	+1
107901,1	Disable invalidRequest.blockTraversal	0.16.x	aaa	Status: MERGED	+2	+1
107945,1	Reactivate disabled functional tests	master	transportpce	Status: MERGED	+2	+1

Activity

People

Assignee:: Robert Varga

Reporter:: Sangwook Ha

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 11/Sep/23 6:47 PM

Updated:: 18/Jan/24 5:59 PM

Resolved:: 18/Sep/23 3:03 PM