Loading...

XML

Word

Printable

Type: Enhancement
Resolution: Done
Priority: Optional
Fix Version/s: 2.3.13.Final, 2.2.32.Final
Affects Version/s: None
Component/s: None
Labels:
None

Git Pull Request:
https://github.com/undertow-io/undertow/pull/1580, https://github.com/undertow-io/undertow/pull/1583

At that method, there is a block that iterates through the path

// verify content of request pseudo-headers. Each header should only have a single value.
if (headers.contains(PATH)) {
    for (byte b: headers.get(PATH).getFirst().getBytes(ISO_8859_1)) {
        if (!allowUnescapedCharactersInUrl && !HttpRequestParser.isTargetCharacterAllowed((char)b)){
            return false;
        }
    }
}

Iterating is unnecessary when allowUnescapedCharactersInUrl is true.

is cloned by

JBEAP-26972 (7.4.z) UNDERTOW-2374 - At Http2ReceiveListener.checkRequestHeaders do not check path chars when unescaped characters are allowed

Ready for QA

is incorporated by

WFCORE-6794 CVE-2023-1973 Upgrade Undertow to 2.3.13.Final

Resolved

JBEAP-26974 (8.0.z) UNDERTOW-2374 - At Http2ReceiveListener.checkRequestHeaders do not check path chars when unescaped characters are allowed

Resolved

Assignee:: Flavia Rainone

Reporter:: Flavia Rainone

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Created:: 2024/04/18 8:46 PM

Updated:: 2024/04/19 2:21 PM

Resolved:: 2024/04/19 12:21 AM