Tomcat 9.0.54 rejects my URL because of the "<" and ">" symbols. It also rejects it in the percent-encoded forms "%3C" and "%3E". I also tried adding relaxedQueryChars="<>" to the Connector in server.xml, but to no avail.
The Tomcat instance is spun up by Cargo when running the Bloomreach CMS.
The URL is as follows:
http://localhost:8080/site/api/documents?_expr=(hippostdpubwf:lastModificationDate%3Exs:dateTime('2021-04-09T20:56:18.496%2B02:00'))
Changing the %3E to "=" (%3D) makes Tomcat accept the URL.
When spinning up a default Tomcat Docker container, this issue is not present.
Has anyone had a similar issue, or could someone point me in a direction that might fix it?
EDIT:
Replacing ">" with "gt" will result in a proper query without having to interfere with the XSSUrlFilter that Jeroen mentioned.
Looks like you're hitting the org.hippoecm.hst.container.XSSUrlFilter that is present by default in the web.xml of the site webapp.
It's a simple, extendable filter to prevent basic scripting attacks.
Regards,
Jeroen
PS: you might like the forums at community.bloomreach.com