Details
Bug
Resolution: Unresolved
Major
None
13.4.7, 13.10.3
None
Apache Tomcat/9.0.31 (Debian)
Unknown
Description
As the result of an automated security audit tool run, I was presented with a URL containing encoded backslashes that caused a 500 error on XWiki running on Tomcat.
The error can be reproduced on xwiki.org as well:
https://www.xwiki.org/xwiki/bin/view/Main/c%3a%5cboot.ini
Note that refreshing the browser window to access it a second time results in the backslash being converted to a forward slash and seeing an XWiki document not found "nice" error. This behavior is explained by:
ALLOW_BACKSLASH=true has the side effect of converting \ into /, so there is no way to pass a backslash in a URI path to Tomcat
Tomcat (on the machine I tested and AFAIK on xwiki.org as well) is configured with both -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true and -Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true.
At the same time, it is quite well known that backslashes and Tomcat do not go well hand in hand. However, XWiki should be able to fail more gracefully (i.e. handle the possible NPE at that point) and not expose internal information (like the stack trace and software versions) as the standard Tomcat error handler does.
HTTP Status 500 – Internal Server Error
Type Exception Report
Message Failed to execute the action with name [view]
Description The server encountered an unexpected condition that prevented it from fulfilling the request.
Exception
javax.servlet.ServletException: Failed to execute the action with name [view]
    com.xpn.xwiki.web.LegacyActionServlet.service(LegacyActionServlet.java:117)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
    com.xpn.xwiki.web.ActionFilter.doFilter(ActionFilter.java:122)
    org.xwiki.wysiwyg.filter.ConversionFilter.doFilter(ConversionFilter.java:61)
    org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
    org.xwiki.container.servlet.filters.internal.SetHTTPHeaderFilter.doFilter(SetHTTPHeaderFilter.java:63)
    org.xwiki.container.servlet.filters.internal.SavedRequestRestorerFilter.doFilter(SavedRequestRestorerFilter.java:208)
    org.xwiki.container.servlet.filters.internal.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:111)
    org.xwiki.resource.servlet.RoutingFilter.doFilter(RoutingFilter.java:132)
Root Cause
java.lang.NullPointerException
    com.xpn.xwiki.web.XWikiAction.redirectSpaceURLs(XWikiAction.java:1166)
    com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:459)
    com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:289)
    com.xpn.xwiki.web.LegacyActionServlet.service(LegacyActionServlet.java:115)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
    com.xpn.xwiki.web.ActionFilter.doFilter(ActionFilter.java:122)
    org.xwiki.wysiwyg.filter.ConversionFilter.doFilter(ConversionFilter.java:61)
    org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
    org.xwiki.container.servlet.filters.internal.SetHTTPHeaderFilter.doFilter(SetHTTPHeaderFilter.java:63)
    org.xwiki.container.servlet.filters.internal.SavedRequestRestorerFilter.doFilter(SavedRequestRestorerFilter.java:208)
    org.xwiki.container.servlet.filters.internal.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:111)
    org.xwiki.resource.servlet.RoutingFilter.doFilter(RoutingFilter.java:132)
Note The full stack trace of the root cause is available in the server logs.
Apache Tomcat/9.0.31 (Debian)
The NPE occurs at this line https://github.com/xwiki/xwiki-platform/blob/xwiki-platform-13.4.7/xwiki-platform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/web/XWikiAction.java#L1125.
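
A check that an audit or regression test could run against the error response, as an added example that is not part of the original report or of XWiki's code: it flags Java stack frames, exception class names and the Tomcat version banner in an error body. The function name, the patterns and both sample bodies are constructed for illustration; the first sample is abridged from the output above.

```python
import re

# Patterns for the kinds of internal detail the error page above exposes.
LEAK_PATTERNS = {
    # e.g. com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:459)
    "stack_frame": re.compile(
        r"\b(?:[A-Za-z_$][\w$]*\.)+[\w$<>]+\([\w$]+\.java:\d+\)"),
    # e.g. java.lang.NullPointerException, javax.servlet.ServletException
    "exception_class": re.compile(
        r"\b(?:[a-z_][\w$]*\.)+[A-Z][\w$]*(?:Exception|Error)\b"),
    # e.g. Apache Tomcat/9.0.31
    "server_version": re.compile(r"\bApache Tomcat/\d+(?:\.\d+)+"),
}


def find_leaks(status, body):
    """Return {category: sorted unique matches} for an HTTP error response.

    Non-error responses (status < 400) are not inspected and yield {}.
    """
    if status < 400:
        return {}
    findings = {}
    for name, pattern in LEAK_PATTERNS.items():
        hits = sorted(set(pattern.findall(body)))
        if hits:
            findings[name] = hits
    return findings


# Constructed sample: abridged from the Tomcat error page quoted above.
SAMPLE_500 = (
    "HTTP Status 500 - Internal Server Error\n"
    "Exception javax.servlet.ServletException: "
    "Failed to execute the action with name [view]\n"
    "com.xpn.xwiki.web.LegacyActionServlet.service(LegacyActionServlet.java:117)\n"
    "Root Cause java.lang.NullPointerException\n"
    "com.xpn.xwiki.web.XWikiAction.redirectSpaceURLs(XWikiAction.java:1166)\n"
    "Apache Tomcat/9.0.31 (Debian)\n"
)
# Constructed sample: an error page that discloses nothing internal.
SAMPLE_CLEAN = "The requested document could not be found."

if __name__ == "__main__":
    for category, hits in find_leaks(500, SAMPLE_500).items():
        print(category, hits)
```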