Enhancement #14840
500 server error page when URL contains a ;
Status: New
Priority: N/A
Assignee: -
Category: Web - Maintenance
Target version:
Pull Request:
UX impact:
Suggestion strength:
User visibility: Operational - other Techniques | Rudder settings | Plugins
Effort required:
Name check:
Fix check:
Regression:
Description
In Rudder 5.0, if the URL contains a ";", we get redirected to a nasty 500 Server Error page.
It used to be only a Not found before.
I found it out while upgrading from 4.1 to 5.0; the URL after refresh was:
https://192.168.45.2/rudder/index.html;jsessionid=1jzhqomd91t101mcki3zo8ouch#%7B%22nodeId%22:%22root%22,%22displayCompliance%22:false,%22query%22:%7B%22select%22:%22node%22,%22composition%22:%22And%22,%22where%22:%5B%7B%22objectType%22:%22node%22,%22attribute%22:%22OS%22,%22comparator%22:%22eq%22,%22value%22:%22Linux%22%7D%5D%7D%7D
stacktrace is
[2019-05-09 10:26:47] INFO inventory-processing - Report 'server-root.ocs' for node 'server.rudder.local' [root] (signature:certified) processed in 733 milliseconds ms
2019-05-09 10:26:54.757:WARN:oejs.HttpChannel:qtp1618212626-17: /rudder/index.html;jsessionid=1jzhqomd91t101mcki3zo8ouch
org.springframework.security.web.firewall.RequestRejectedException: The request was rejected because the URL contained a potentially malicious String ";"
    at org.springframework.security.web.firewall.StrictHttpFirewall.rejectedBlacklistedUrls(StrictHttpFirewall.java:265)
    at org.springframework.security.web.firewall.StrictHttpFirewall.getFirewalledRequest(StrictHttpFirewall.java:245)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:194)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:357)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:270)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1634)
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:533)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:146)
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:257)
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1595)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1317)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203)
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:473)
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1564)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1219)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144)
    at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:219)
    at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:126)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
    at org.eclipse.jetty.server.Server.handle(Server.java:531)
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:352)
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:260)
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:281)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:102)
    at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:118)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126)
    at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:762)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:680)
    at java.lang.Thread.run(Thread.java:748)
2019-05-09 10:26:56.960:WARN:oejs.HttpChannel:qtp1618212626-10: /rudder/index.html;jsessionid=1jzhqomd91t101mcki3zo8ouch
org.springframework.security.web.firewall.RequestRejectedException: The request was rejected because the URL contained a potentially malicious String ";"
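For triage of this kind of log, the following added example (not part of the ticket or of Rudder's code) extracts each StrictHttpFirewall rejection from Jetty output and separates a lone `;jsessionid=` path parameter, as in the URL above, from any other use of ";". The names `rejected_requests`, `ENTRY`, `PATH_PARAM` and `JSESSIONID` are hypothetical, and the second log entry (`;foo=bar`) is constructed for the example.

```python
import re

# Constructed sample: the first entry copies the shape of the log in this ticket,
# the second entry (;foo=bar) is invented for the example.
SAMPLE_LOG = """\
[2019-05-09 10:26:47] INFO inventory-processing - Report 'server-root.ocs' processed
2019-05-09 10:26:54.757:WARN:oejs.HttpChannel:qtp1618212626-17: /rudder/index.html;jsessionid=1jzhqomd91t101mcki3zo8ouch
org.springframework.security.web.firewall.RequestRejectedException: The request was rejected because the URL contained a potentially malicious String ";"
\tat org.springframework.security.web.firewall.StrictHttpFirewall.rejectedBlacklistedUrls(StrictHttpFirewall.java:265)
2019-05-09 10:31:02.118:WARN:oejs.HttpChannel:qtp1618212626-12: /rudder/secure/index.html;foo=bar
org.springframework.security.web.firewall.RequestRejectedException: The request was rejected because the URL contained a potentially malicious String ";"
"""

# A Jetty WARN header followed (same line or next line) by the firewall exception.
ENTRY = re.compile(
    r'(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+):WARN:oejs\.HttpChannel:\S+: '
    r'(?P<uri>\S+)\s+\S*RequestRejectedException: .*?String "(?P<token>[^"]*)"'
)
PATH_PARAM = re.compile(r';([^;/?#]*)')
JSESSIONID = re.compile(r'jsessionid=[A-Za-z0-9._-]+', re.IGNORECASE)

def rejected_requests(log_text):
    """Return one record per request rejected by StrictHttpFirewall."""
    records = []
    for m in ENTRY.finditer(log_text):
        params = PATH_PARAM.findall(m['uri'])
        # Only a container-style ;jsessionid=... parameter counts as URL rewriting.
        rewriting = bool(params) and all(JSESSIONID.fullmatch(p) for p in params)
        records.append({
            'time': m['ts'],
            # Path parameters are dropped so session ids are not copied into reports.
            'path': PATH_PARAM.sub('', m['uri']),
            'token': m['token'],
            'kind': 'session-url-rewriting' if rewriting else 'review',
        })
    return records

if __name__ == '__main__':
    for record in rejected_requests(SAMPLE_LOG):
        print(record)
```

The regular expression also matches the flattened, single-line form in which the log sometimes gets pasted into tickets.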
Updated by Vincent MEMBRÉ over 5 years ago
- Target version changed from 5.0.10 to 5.0.11
Updated by Vincent MEMBRÉ over 5 years ago
- Target version changed from 5.0.11 to 5.0.12
Updated by Vincent MEMBRÉ over 5 years ago
- Target version changed from 5.0.12 to 5.0.13
Updated by Vincent MEMBRÉ over 5 years ago
- Target version changed from 5.0.13 to 5.0.14
Updated by Vincent MEMBRÉ about 5 years ago
- Target version changed from 5.0.14 to 5.0.15
Updated by Vincent MEMBRÉ about 5 years ago
- Target version changed from 5.0.15 to 5.0.16
Updated by Alexis Mousset almost 5 years ago
- Target version changed from 5.0.16 to 5.0.17
Updated by Vincent MEMBRÉ over 4 years ago
- Target version changed from 5.0.17 to 5.0.18
Updated by François ARMAND over 4 years ago
- Severity set to Minor - inconvenience | misleading | easy workaround
- User visibility set to Operational - other Techniques | Rudder settings | Plugins
- Priority changed from 0 to 27
Updated by Vincent MEMBRÉ over 4 years ago
- Target version changed from 5.0.18 to 5.0.19
Updated by Vincent MEMBRÉ over 4 years ago
- Target version changed from 5.0.19 to 5.0.20
Updated by Vincent MEMBRÉ about 4 years ago
- Target version changed from 5.0.20 to 797
Updated by Benoît PECCATTE over 3 years ago
- Target version changed from 797 to 6.1.14
Updated by Vincent MEMBRÉ over 3 years ago
- Target version changed from 6.1.14 to 6.1.15
Updated by Vincent MEMBRÉ over 3 years ago
- Target version changed from 6.1.15 to 6.1.16
Updated by Vincent MEMBRÉ over 3 years ago
- Target version changed from 6.1.16 to 6.1.17
Updated by Vincent MEMBRÉ about 3 years ago
- Target version changed from 6.1.17 to 6.1.18
Updated by Vincent MEMBRÉ about 3 years ago
- Target version changed from 6.1.18 to 6.1.19
Updated by François ARMAND almost 3 years ago
- Tracker changed from Bug to Enhancement
- Severity deleted (Minor - inconvenience | misleading | easy workaround)
- Priority deleted (27)
Updated by Vincent MEMBRÉ over 2 years ago
- Target version changed from 6.1.19 to 6.1.20
Updated by Vincent MEMBRÉ over 2 years ago
- Target version changed from 6.1.20 to 6.1.21
Updated by Vincent MEMBRÉ over 2 years ago
- Target version changed from 6.1.21 to old 6.1 issues to relocate
Updated by Alexis Mousset almost 2 years ago
- Target version changed from old 6.1 issues to relocate to 7.2.5
Updated by Vincent MEMBRÉ almost 2 years ago
- Target version changed from 7.2.5 to 7.2.6
Updated by Vincent MEMBRÉ over 1 year ago
- Target version changed from 7.2.6 to 7.2.7
Updated by Vincent MEMBRÉ over 1 year ago
- Target version changed from 7.2.7 to 7.2.8
Updated by Vincent MEMBRÉ over 1 year ago
- Target version changed from 7.2.8 to 7.2.9
Updated by Vincent MEMBRÉ over 1 year ago
- Target version changed from 7.2.9 to 7.2.10
Updated by Alexis Mousset over 1 year ago
- Target version changed from 7.2.10 to 7.2.11
Updated by Vincent MEMBRÉ over 1 year ago
- Target version changed from 7.2.11 to 1046
Updated by Alexis Mousset about 1 year ago
- Target version changed from 1046 to Ideas (not version specific)