dev@glassfish.java.net

Re: REST API and slashes in resource names

From: Jason Lee <jason.d.lee_at_oracle.com>
Date: Tue, 01 Jun 2010 11:27:15 -0500

We plan to bring this up this afternoon during the admin iteam meeting,
but Ken and I discussed this briefly this morning during the console
meeting. Are we sure we'll have a security issue if we enable the /
encoding in Grizzly? A single URL encoding would be much simpler and
probably more intuitive than double encoding or some special syntax for
the resource IDs.

On 6/1/10 9:49 AM, Bruno Harbulot wrote:
> Hi,
>
> On 01/06/10 11:47, Andreas Loew wrote:
>> Hi Paul,
>>
>> Paul Sandoz schrieb:
>>
>>>> Not quite: '{' and '}' are just "unsafe" characters,
>>>
>>> They are disallowed in the URI syntax:
>>>
>>> http://greenbytes.de/tech/webdav/rfc2396.html#rfc.section.2.4.3
>>
>> while I don't want to argue with you about the subtleties of the fact
>> that curly brackets are part of *neither* "reserved" *nor*
>> "unreserved" characters, it seems to me that the following would be
>> fully sanctioned by the spec:
>>
>> .../management/domain/resources/admin-object-resource/(jndi/foo)
>>
>> because "normal" brackets are "unreserved" characters: "Data characters
>> that are allowed in a URI but do not have a reserved purpose are called
>> unreserved."
>>
>> So how about wrapping resource values that contain "reserved" characters
>> by a pair of (unreserved) "normal" brackets '(' and ')'?
>
> I'm not sure whether you want to take more recent RFCs into
> consideration, but in RFC 3986, which obsoletes RFC 2389, parentheses
> are reserved characters:
>
> http://tools.ietf.org/html/rfc3986#section-2.2
>
> Section 2.4 is probably relevant to this discussion too (especially
> its last sentence).
>
> As a side note, just in case you're using them,
> java.net.URLEncoder/Decoder "[contain] static methods for converting a
> String to the application/x-www-form-urlencoded MIME format" (see
> Javadoc), which may not be intuitive w.r.t. the class name: it's more
> relevant to the query part, but is likely not to produce the expected
> result if the full URI is passed (space is encoded as '+' as far as I
> remember).
>
>
> Best wishes,
>
> Bruno.
>


-- 
Jason Lee
Senior Member of Technical Staff
GlassFish Administration Console
Oracle Corporation
Phone x31197/+1 405-343-1964
Blog http://blogs.steeplesoft.com
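The two points raised in the thread, shown as an added example that is not part of the original messages or of GlassFish/Grizzly code: a resource ID containing '/' is carried as one percent-encoded path segment, the receiving side must split on the literal '/' before decoding each segment (decoding first changes the segment count, which is exactly what makes path-prefix authorization and routing unreliable), and form encoding of the kind java.net.URLEncoder produces is not path encoding. Python's urllib.parse stands in for the Java classes; the helper names are hypothetical.

```python
from urllib.parse import quote, quote_plus, unquote


def encode_segment(resource_id: str) -> str:
    """Percent-encode one path segment RFC 3986-style: every reserved
    character, '/' included, becomes %XX and a space becomes %20."""
    return quote(resource_id, safe="")


def form_encode(resource_id: str) -> str:
    """application/x-www-form-urlencoded, the format java.net.URLEncoder
    emits (space becomes '+'); fine for a query string, wrong in a path."""
    return quote_plus(resource_id)


def split_then_decode(raw_path: str) -> list[str]:
    """Safe order: split on the literal '/' first, then decode each segment.
    An encoded %2F stays inside its segment, so 'jndi/foo' remains one ID."""
    return [unquote(seg) for seg in raw_path.split("/") if seg]


def decode_then_split(raw_path: str) -> list[str]:
    """Unsafe order: decoding before splitting turns %2F into a separator,
    so the segment count changes and any check done on the raw path sees a
    different resource than the one the application ends up routing to."""
    return [seg for seg in unquote(raw_path).split("/") if seg]


def resource_url(base: str, resource_id: str) -> str:
    """Build the REST URL for a resource whose ID may contain '/'."""
    return base.rstrip("/") + "/" + encode_segment(resource_id)


if __name__ == "__main__":
    # Constructed sample, modelled on the path quoted in the thread.
    base = "/management/domain/resources/admin-object-resource"
    url = resource_url(base, "jndi/foo")
    print(url)                          # .../admin-object-resource/jndi%2Ffoo
    print(split_then_decode(url)[-1])   # jndi/foo   (one segment, ID intact)
    print(decode_then_split(url)[-2:])  # ['jndi', 'foo']  (ID split in two)
    print(encode_segment("a b"), form_encode("a b"))  # a%20b a+b
```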