I tried <env-var name="JETTY_PROPERTIES" value="httpConfig.requestCookieCompliance=RFC2965,jetty.httpConfig.responseCookieCompliance=RFC2965"/> in appengine-web.xml hoping that the advice in https://cloud.google.com/appengine/docs/flexible/java/dev-jetty9 would work for standard environment too. No luck. How do I set Jetty configuration in Google App Engine Standard?
The environment variable JETTY_PROPERTIES was introduced for GAE Flexible Environment.
It doesn't exist for the older GAE Standard Environment.
Depending on your runtime, you might still be on Jetty 9.3.x, in which case the properties you are attempting to set do not even exist there (they were introduced in Jetty 9.4.9.v20180320).
For GAE Flexible Runtime see ...
See: https://github.com/GoogleCloudPlatform/jetty-runtime
The bash script responsible for reading that <env-var> is 50-jetty.bash -
https://github.com/GoogleCloudPlatform/jetty-runtime/blob/master/jetty9/src/main/docker/50-jetty.bash#L36-L38
The behavior of Cookie Compliance in the Jetty codebase:

⚠️ There is no RFC2109 support, as it contains far too many security issues to be safe.

RFC6265 - Default Behavior

Generation (e.g. server-side Set-Cookie response header, or client-side Cookie request header):
- Name must be valid per RFC2616 token rules (US-ASCII, 7-bit, excluding control characters and separators)
- Value must be valid per RFC6265 value rules (US-ASCII, 7-bit, excluding control characters, whitespace, DQUOTE ", comma ,, semicolon ;, and backslash \)
- Does not generate a Version=# entry
- Does not generate a Comment= entry
- Does not generate "$" entries (like $Version, $Domain, and $Port)
- Generates the following entries: Path, Domain, Expires, Max-Age, Secure, HttpOnly, SameSite

Parsing (e.g. server-side Cookie request header, or client-side Set-Cookie response header):
- Lenient parser based on industry recommendations for safe Cookie parsing behaviors (RFC6265); example parsing behavior: CookieCutterLenientTest
- Name must be valid per RFC2616 token rules (US-ASCII, 7-bit, excluding control characters and separators) - will REJECT the cookie if this fails (meaning the Cookie doesn't show up in the resulting Cookie list)
- Value must be valid per RFC6265 value rules (US-ASCII, 7-bit, excluding control characters, whitespace, DQUOTE ", comma ,, semicolon ;, and backslash \) - will REJECT the cookie if this fails
- Value allows a DQUOTE during parsing, but it must be matched by a DQUOTE at the end of the value - will REJECT the cookie if this fails (meaning the Cookie doesn't show up in the resulting Cookie list)
- Ignores "$" named entries (like $Version, $Domain, and $Port)
- Does not allow more than 1 cookie declaration per Cookie header (the ancient "comma delim" approach from HTTP/1.0 days)

RFC2965 - Alternate Behavior

Generation (e.g. server-side Set-Cookie response header, or client-side Cookie request header):
- Name must be valid per RFC2109 rules (US-ASCII, 7-bit, excluding control characters, delimiters, DQUOTE, comma, semicolon, backslash, space, and horizontal tab)
- Name will be surrounded by DQUOTEs if delimiters are present (⚠️ if delimiters are present here, most modern browsers will reject this entire cookie)
- Value must be valid per RFC2109 value rules (US-ASCII, 7-bit, excluding control characters, delimiters, DQUOTE, comma, semicolon, backslash, space, and horizontal tab)
- Value will be surrounded by DQUOTEs if delimiters are present (⚠️ if delimiters are present here, most modern browsers will reject this entire cookie)
- Does not generate "$" entries (like $Version, $Domain, and $Port)
- ⚠️ Does not generate a SameSite entry
- Generates the following entries: Version, Path, Domain, Expires, Max-Age, Secure, HttpOnly, Comment

Parsing (e.g. server-side Cookie request header, or client-side Set-Cookie response header):
- Name must be valid per RFC2109 token rules (US-ASCII, 7-bit, excluding control characters and separators) - any violation will result in unpredictable results (like splitting a cookie at the wrong delimiter)
- Value must be valid per RFC6265 value rules (US-ASCII, 7-bit, excluding control characters, whitespace, DQUOTE ", comma ,, semicolon ;, and backslash \) - any violation will result in unpredictable results (like splitting a cookie at the wrong delimiter)
- Value allows a DQUOTE during parsing, but it must be matched by a DQUOTE at the end of the value - any violation will result in unpredictable results (like splitting a cookie at the wrong delimiter)
- Parses "$" named entries (like $Version, $Domain, and $Port). Note: $Port is reported in the Comment of the resulting parsed Cookie.
- Allows more than 1 cookie declaration per Cookie header (the ancient "comma delim" approach from HTTP/1.0 days)
- ⚠️ Does not parse the SameSite entry
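To make the RFC6265 parsing rules above concrete, here is an added Python illustration (not Jetty's code) of a lenient Cookie request-header parser: token names per RFC2616, cookie-octet values per RFC6265, an optional but matching pair of DQUOTEs, "$"-prefixed entries ignored, and every invalid pair rejected rather than raising. The sample header at the end is constructed for the example.

```python
# Added example, not code from Jetty: a lenient Cookie request-header parser
# that applies the RFC6265 parsing rules listed above.

# RFC2616 separators: a token may not contain these (nor CTLs or non-ASCII).
SEPARATORS = set('()<>@,;:\\"/[]?={} \t')
# RFC6265 cookie-octet excludes CTLs, whitespace, DQUOTE, comma, semicolon, backslash.
VALUE_EXCLUDED = set(' \t",;\\')


def is_token(name: str) -> bool:
    """RFC2616 token: non-empty, printable US-ASCII, no separators."""
    return bool(name) and all(
        0x21 <= ord(c) <= 0x7E and c not in SEPARATORS for c in name)


def is_cookie_value(value: str) -> bool:
    """RFC6265 cookie-value, checked without its surrounding DQUOTEs."""
    return all(
        0x21 <= ord(c) <= 0x7E and c not in VALUE_EXCLUDED for c in value)


def parse_cookie_header(header: str) -> dict:
    """Return accepted name -> value pairs from one Cookie header.

    Invalid pairs are dropped, so they simply do not appear in the result
    (the REJECT behaviour above). A comma inside a value fails the
    cookie-octet rule, so an HTTP/1.0-style comma-delimited list is not
    accepted either.
    """
    cookies = {}
    for pair in header.split(';'):
        name, sep, value = pair.partition('=')
        name, value = name.strip(), value.strip()
        if not sep:
            continue                   # no '=': not a cookie-pair
        if name.startswith('$'):
            continue                   # RFC2965 "$" attribute: ignored
        if not is_token(name):
            continue                   # invalid name: REJECT
        if value.startswith('"'):
            if len(value) < 2 or not value.endswith('"'):
                continue               # unmatched DQUOTE: REJECT
            value = value[1:-1]
        if not is_cookie_value(value):
            continue                   # invalid value: REJECT
        cookies[name] = value
    return cookies


# Constructed sample header mixing valid, quoted, "$" and malformed pairs.
SAMPLE = 'sid=abc123; $Version=1; bad name=x; q="quoted"; u="open; plain=ok'
```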
I'm using the following: https://www.novell.com/documentation/developer/jldap/jldapenu/api/com/novell/ldap/util/DN.html in my application.
For the creation of the DN object, I need to put dnString, that must adhere to the syntax described in RFC 2253.
My DN contains: "\" and "," characters (also "\," both right after each other).
I could not find any site that explains exactly how to get a valid DN for RFC 2253. I found:
https://ldapwiki.com/wiki/RFC%202253
https://www.rfc-editor.org/rfc/pdfrfc/rfc2253.txt.pdf
Both mention that "," and "\" are special characters, but neither states how to escape them correctly.
How can I get the valid DN with these values?
Page 4 of RFC 2253:
If a character to be escaped is one of the list shown above, then it is prefixed by a backslash ('\' ASCII 92).
So an escaped comma should be \, and an escaped backslash should be \\.
A comma is a separator in a DN. For example:
cn=admin,ou=marketing,o=corporation
so it needs to be escaped only when it is not used as a separator, like this:
cn=Smith\, John,ou=marketing,o=corporation
Active Directory will escape it for you if you create an object with a CN that has a comma.
The backslash is a special character because it's used to escape other characters. So if you are not using it for that purpose, it needs to be escaped using itself:
cn=North\\South America,ou=marketing,o=corporation
Although in that example I'd use a forward slash ("North/South America"), which brings up another point (unrelated to your immediate problem, but worth mentioning): the forward slash is not a special character in DNs, but it is in LDAP paths. So if you had a DN like this:
cn=North/South America,ou=marketing,o=corporation
Then if you need to use that in an LDAP path, you can't just drop that in:
LDAP://cn=North/South America,ou=marketing,o=corporation
because / is a separator character, so it would think that the DN is just cn=North. In those cases, you need to escape that with a backslash too:
LDAP://cn=North\/South America,ou=marketing,o=corporation
But only when you use it in an LDAP path.
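The escaping described in this answer, carried through as an added Python example (not part of the JLDAP library): values are escaped per RFC 2253 section 2.4 before being joined into a DN string, and '/' is escaped separately only when the DN is embedded in an LDAP:// path. The extra specials (+ " < > ; and a leading '#' or leading/trailing space) come from that RFC section.

```python
# Added example, not part of the JLDAP library: escaping attribute values
# for an RFC 2253 DN string, and the separate '/' escape for LDAP:// paths.

# RFC 2253 section 2.4: these need a backslash prefix anywhere in a value.
SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value so it can be placed after 'attr=' in a DN."""
    out = []
    last = len(value) - 1
    for i, c in enumerate(value):
        if c in SPECIAL:
            out.append('\\' + c)        # comma -> \,  and backslash -> \\
        elif c == '#' and i == 0:
            out.append('\\#')           # a leading '#' would mean a hex-encoded value
        elif c == ' ' and (i == 0 or i == last):
            out.append('\\ ')           # leading/trailing space is also special
        else:
            out.append(c)
    return ''.join(out)


def build_dn(rdns) -> str:
    """Join (attribute, raw value) pairs into a DN, escaping each value."""
    return ','.join(f'{attr}={escape_rdn_value(val)}' for attr, val in rdns)


def ldap_path(dn: str) -> str:
    """'/' is not special in a DN, but it is the separator in an LDAP:// path."""
    return 'LDAP://' + dn.replace('/', '\\/')
```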
I have read in many posts that the malformed URI error comes from the fact that AngularJS overrides encodeURIComponent with encodeUriQuery.
Is there any way I can override encodeUriQuery in my controller or component without changing angular file?
Both encodeURIComponent and angular.$$encodeUriQuery properly encode % characters:
console.log(angular.$$encodeUriQuery("%"));
console.log(encodeURIComponent("%"));
<script src="//unpkg.com/angular/angular.js"></script>
The % character is disallowed and should never appear in a URL/URI.
There are some characters that are disallowed and should never appear in a URL/URI, reserved characters (described below), and other characters that may cause problems in some cases, but are marked as "unwise" or "unsafe". Explanations for why the characters are restricted are clearly spelled out in RFC-1738 (URLs) and RFC-2396 (URIs). Note the newer RFC-3986 (update to RFC-1738) defines the construction of what characters are allowed in a given context but the older spec offers a simpler and more general description of which characters are not allowed with the following rules.
Excluded US-ASCII Characters disallowed within the URI syntax:
control = <US-ASCII coded characters 00-1F and 7F hexadecimal>
space = <US-ASCII coded character 20 hexadecimal>
delims = "<" | ">" | "#" | "%" | <">
The character "#" is excluded because it is used to delimit a URI from a fragment identifier. The percent character "%" is excluded because it is used for the encoding of escaped characters. In other words, the "#" and "%" are reserved characters that must be used in a specific context.
— Which characters make a URL invalid? — this answer
For example: '">sometext<.txt
I am currently trying to save a file in that form, so if I upload the file to a website I'm hoping to find the XSS bug.
Windows (but not necessarily NTFS) prohibits the following characters in filenames: \/:*?"<>|, which precludes the characters necessary for most XSS attacks (<>"). Windows also disallows reserved DOS device file-names like COM, NUL, etc (though it is possible to create a file with that name, it cannot be done using the normal Win32 filesystem API).
Linux (and UNIX and POSIX in general) is more permissive: every character is allowed in a filename except for / (the directory separator character) and \0 (NULL, a raw zero).
I imagine an insecure web-application that saves uploaded files with their filenames intact and without having sanitized filenames probably will succumb to an XSS attack - unless they're also careful to never render HTML raw.
Windows prohibits these characters. But you could try Azure Blob Storage
I have an array containing a list of backup files; I want to go through and strip off the leading /path/to/file/ and the trailing _date_stamp.tar.gz. My code works to strip off the leading path/to/file, and if I set it to just strip off the .tar.gz it works, but if I try to strip the date it fails. So as an example I want to take:
/path/to/file/backup_domain1.com_02_16_2015.tar.gz
and be left with:
domain1.com
This removed from the start: /path/to/file/backup_
This removed from the end: _02_16_2015.tar.gz, but obviously, as they are date-stamped, the integers will vary.
My code snippet:
# strip leading path/to/file :
bubasedir=/path/to/file
buarray=( "${buarray[@]#"$bubasedir/backup_"}" )
buarray=( "${buarray[@]%".tar.gz"}" )
This strips .tar.gz but I need to strip the date as well.
Use an expression which matches the date expression, just like you do for the prefix. Assuming the domain name cannot contain an underscore (as per the DNS spec, but sometimes violated for internal domains and special domains like _dkim),
buarray=( "${buarray[@]%%_*}" )
%% says to trim the longest possible match, and _* matches everything starting from an underscore. ("${buarray[@]%_*}" would trim from the last underscore.)
I want to write a script for an internal issue tracking system, integrated with ClearCase, that checks the activity name (typed by the user) for illegal characters. Unfortunately, I can't find the list of characters allowed by ClearCase. Does anybody know where to get it?
UPD: I'm looking for a link to a document that specifies the allowed characters (or says that all characters are allowed).
Regarding mkactivity (the command used for creating an activity):
- there is no special limitation for the activity headline;
- the activity name follows the same limitations as any other ClearCase object ID name (see below):
cmd-context mkactivity -headline "Create directories" create_directories
Created activity "create_directories".
Set activity "create_directories" in view "webo_integ".
The cleartool man page about arguments in cleartool commands is clear:
In object-creation commands, you must compose the object name according to these rules:
- It must contain only letters, digits, and the special characters underscore (_), period (.), and hyphen (-).
- A hyphen cannot be used as the first character of a name.
- It must not be an integer; this restriction includes octal and hexadecimal integer values. However, noninteger names are allowed.
- It must not be one of the special names ".", "..", or "...".
- cleartool supports object names of up to 1024 bytes in length, although Windows imposes a limit of 260 bytes on object names.
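For the checking script the question asks about, here is an added Python validator (not from the ClearCase documentation or tooling) that applies the object-name rules quoted above. It assumes the byte limits apply to the UTF-8 encoding of the name and that the `windows` flag selects the 260-byte limit.

```python
import re

# Added example, not from ClearCase: check a proposed activity name against
# the cleartool object-name rules quoted above. Assumption: the byte limits
# are applied to the UTF-8 encoding of the name.

ALLOWED_CHARS = re.compile(r'[A-Za-z0-9_.-]+')
# Digits-only names (decimal or octal) and 0x... hexadecimal count as integers.
INTEGER_FORMS = re.compile(r'[0-9]+|0[xX][0-9A-Fa-f]+')
SPECIAL_NAMES = {'.', '..', '...'}


def name_problems(name: str, windows: bool = False) -> list:
    """Return the rule violations for name; an empty list means it is acceptable."""
    if not name:
        return ['name is empty']
    problems = []
    if not ALLOWED_CHARS.fullmatch(name):
        problems.append('only letters, digits, underscore, period and hyphen are allowed')
    if name.startswith('-'):
        problems.append('a hyphen cannot be the first character')
    if INTEGER_FORMS.fullmatch(name):
        problems.append('name must not be an integer (decimal, octal or hexadecimal)')
    if name in SPECIAL_NAMES:
        problems.append('name must not be ".", ".." or "..."')
    limit = 260 if windows else 1024       # cleartool vs. Windows limit
    if len(name.encode('utf-8')) > limit:
        problems.append(f'name is longer than {limit} bytes')
    return problems


def is_valid_activity_name(name: str, windows: bool = False) -> bool:
    """True when the name passes every rule for the given platform."""
    return not name_problems(name, windows)
```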