Issue Details (XML | Word | Printable)

Key: GLASSFISH-18257
Type: Bug Bug
Status: Open Open
Priority: Minor Minor
Assignee: oleksiys
Reporter: benjamin_m
Votes: 0
Watchers: 0

If you were logged in you would be able to see more operations.

On URI decode exception the access log is not used

Created: 26/Jan/12 10:28 AM   Updated: 26/Jan/12 12:44 PM
Component/s: grizzly-kernel
Affects Version/s: 3.1_b43
Fix Version/s: None

Time Tracking:
Not Specified


Linux x86_64

Tags: grizzly logging
Participants: benjamin_m and oleksiys

 Description  « Hide

When Grizzly throws an "Invalid URI character encoding" exception, the URI is part of the stack trace but the HTTP request info isn't saved on the access log.
This is a problem if the request URI makes it obvious that the requester is trying an exploit/vulnerability.
Without the access log used, there is no way of seeing the IP/hostname of the requester to identify the source of this attack attempt.

oleksiys added a comment - 26/Jan/12 10:35 AM

Can you pls. check if it's still the case in the latest promoted Glassfish 3.1.2


benjamin_m added a comment - 26/Jan/12 12:22 PM

After trying to replicate in a VM with the suggested build, a similar error is not thrown.
To specify, here is the stack trace of the URI decoding issue which is not being logged in the access log.

[#|2012-01-26T07:50:40.472+0100|WARNING|glassfish3.1|com.sun.grizzly.config.GrizzlyServiceListener|_ThreadID=23;_ThreadName=Thread-1;|Internal Server error: /../../../../../../../../boot.ini Invalid URI character encoding
at com.sun.grizzly.util.http.HttpRequestURIDecoder.decode(
at com.sun.grizzly.http.ProcessorTask.invokeAdapter(
at com.sun.grizzly.http.ProcessorTask.doProcess(
at com.sun.grizzly.http.ProcessorTask.process(
at com.sun.grizzly.http.DefaultProtocolFilter.execute(
at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(
at com.sun.grizzly.DefaultProtocolChain.execute(
at com.sun.grizzly.DefaultProtocolChain.execute(
at com.sun.grizzly.http.HttpProtocolChain.execute(
at com.sun.grizzly.ProtocolChainContextTask.doCall(
at com.sun.grizzly.util.AbstractThreadPool$Worker.doWork(
at com.sun.grizzly.util.AbstractThreadPool$

oleksiys added a comment - 26/Jan/12 12:34 PM

Just to make sure, you didn't see the record in the access.log related to the corrupted request?

benjamin_m added a comment - 26/Jan/12 12:39 PM

Because the exception is thrown on URI decode, Grizzly gives up there and nothing is written to the access log.
Which becomes very problematic when you have a rogue client trying some exploit like it's the case here.

oleksiys added a comment - 26/Jan/12 12:44 PM

I agree, just wanted to make sure this is true for the latest 3.1.2 build.