I perceive the world: request.getRequestURI()

In Webtop 6.7SP2P05 EMC made some weird changes:

these changes completely removes usefulness of “componentlist” component:

after clicking on any component:

Initially I thought that this is a new security feature, but webtop configuration files should not contain any environment-sensitive information, otherwise webtop deployment gets into a mess. After some research I have found that webtop performs checks using following way:

HttpServletRequest request;
HttpServletResponse response;
// these regexps come from web.xml
Pattern staticPages = Pattern.compile(
        "(\\.bmp|\\.css|\\.htm|\\.html|\\.gif|\\.jar|\\.jpeg|\\.jpg|\\.js|\\.properties|\\.xml|\\.png)$",
        Pattern.CASE_INSENSITIVE);
Pattern configs = Pattern.compile("/app\\.xml|/config/.*\\.xml", Pattern.CASE_INSENSITIVE);
if (staticPages.matcher(request.getRequestURI()).find()) {
    if (configs.matcher(request.getRequestURI()).find()) {
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED, 
                "The URL is unauthorized in WDK");
    }
}

What does getRequestURI() method return? Documentation:

Actually, this part of documentation is not clear and RFC 1808 comes to the rescue:

RFC 1808           Relative Uniform Resource Locators          June 1995


      <scheme>://<net_loc>/<path>;<params>?<query>#<fragment>

   each of which, except <scheme>, may be absent from a particular URL.
   These components are defined as follows (a complete BNF is provided
   in Section 2.2):

      scheme ":"   ::= scheme name, as per Section 2.1 of RFC 1738 [2].

      "//" net_loc ::= network location and login information, as per
                       Section 3.1 of RFC 1738 [2].

      "/" path     ::= URL path, as per Section 3.1 of RFC 1738 [2].

      ";" params   ::= object parameters (e.g., ";type=a" as in
                       Section 3.2.2 of RFC 1738 [2]).

      "?" query    ::= query information, as per Section 3.3 of
                       RFC 1738 [2].

      "#" fragment ::= fragment identifier.

Now:

One thought on “I perceive the world: request.getRequestURI()

  1. Pingback: Security through guessing | Documentum in a (nuts)HELL

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s