Accessing Any File With A Percent Symbol "%" In The Name Results in a 500 Internal Server Error

  • 7024753
  • 24-Jul-2020
  • 24-Jul-2020

Environment

Vibe 4.0.7
Vibe 4.0.7 Patch 1

Situation

Trying to access any file with a percent symbol "%" in the filename results in a 500 Internal Server Error, and the following exception is shown on the error page:

org.springframework.security.web.firewall.RequestRejectedException: The request was rejected because the URL contained a potentially malicious String "%25"
org.springframework.security.web.firewall.StrictHttpFirewall.rejectedBlacklistedUrls(StrictHttpFirewall.java:265)
org.springframework.security.web.firewall.StrictHttpFirewall.getFirewalledRequest(StrictHttpFirewall.java:245)
org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:193)
org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:347)
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263)
org.springframework.web.multipart.support.MultipartFilter.doFilterInternal(MultipartFilter.java:122)
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
org.kablink.teaming.asmodule.servlet.filter.ResponseHeaderFilter.doFilter(ResponseHeaderFilter.java:127)
org.kablink.teaming.asmodule.servlet.filter.ResponseHeaderFilter.doFilter(ResponseHeaderFilter.java:127)
org.kablink.teaming.web.servlet.filter.DefaultCharacterEncodingFilter.doFilter(DefaultCharacterEncodingFilter.java:60)
Note: The full stack trace of the root cause is available in the server logs.

Resolution

This has been reported to development and confirmed as a bug. There is no fix available yet; the developers are working to get this resolved.

Cause

In Vibe 4.0.7 the bundled Spring Security was updated from 4.1 to 4.2, and this behaviour is a consequence of that update. Spring Security includes a built-in request firewall (HttpFirewall) that rejects suspicious requests before they reach the application. In 4.2 (from 4.2.4) the default implementation changed from DefaultHttpFirewall to StrictHttpFirewall, which by default rejects any request whose URL contains a URL-encoded percent sign ("%25"). A literal "%" in a file name must be URL-encoded as "%25" when the browser builds the request path (for example, "100% complete.docx" is requested as "100%25%20complete.docx"), so every such file trips the check and the RequestRejectedException above is returned as a 500 Internal Server Error. The check exists because an encoded percent is the building block of double-encoding attacks: a payload such as "%252e%252e%252f" decodes to "%2e%2e%2f" after one pass and to "../" after a second, which can slip past a filter that decodes only once.
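The following Python script is an added example for this article, not Vibe or Spring Security code. It models the StrictHttpFirewall encoded-percent rule as a one-line check, shows which constructed file names would be rejected once URL-encoded into a request path, and demonstrates the double-encoding bypass the rule is meant to stop. The folder path prefix and the file names are assumptions made up for illustration, not Vibe's real URL layout.

```python
"""Model why StrictHttpFirewall rejects "%25" and which file names trigger it.

Added example for this KB article; not Vibe or Spring Security code.
Only the encoded-percent rule of StrictHttpFirewall is modelled here.
"""
from typing import Dict, Iterable, Optional, Tuple
from urllib.parse import quote, unquote

# Assumed path prefix for illustration only; not Vibe's real route.
FOLDER_PREFIX = "/ssf/s/readFile/folderEntry/"

# Token StrictHttpFirewall refuses in the request URI by default.
ENCODED_PERCENT = "%25"

# Constructed sample file names, not taken from any real system.
SAMPLE_FILES = [
    "plain.txt",
    "Q3 results.pdf",
    "100% complete.docx",
    "rate 5%.xlsx",
]

# Constructed double-encoded traversal payload: "%252e" -> "%2e" -> ".".
DOUBLE_ENCODED = FOLDER_PREFIX + "%252e%252e%252f%252e%252e%252fWEB-INF%252fweb.xml"


def request_path_for(filename: str) -> str:
    """Build the request path the browser sends: a literal '%' becomes '%25'."""
    return FOLDER_PREFIX + quote(filename, safe="")


def strict_firewall_rejects(request_uri: str) -> Optional[str]:
    """Return the offending token if the default StrictHttpFirewall rule
    would reject this request URI, otherwise None."""
    if ENCODED_PERCENT in request_uri.lower():
        return ENCODED_PERCENT
    return None


def naive_traversal_filter(request_uri: str) -> bool:
    """A typical flawed application check: decode once, then look for '..'.
    Returns True when the request is allowed through."""
    return ".." not in unquote(request_uri)


def container_resolves(request_uri: str) -> str:
    """Model a downstream component that decodes a second time before use."""
    return unquote(unquote(request_uri))


def classify(filenames: Iterable[str]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Map each file name to (request path, rejected token or None)."""
    result = {}
    for name in filenames:
        path = request_path_for(name)
        result[name] = (path, strict_firewall_rejects(path))
    return result


if __name__ == "__main__":
    for name, (path, rejected) in classify(SAMPLE_FILES).items():
        verdict = "REJECTED (%s)" % rejected if rejected else "allowed"
        print("%-22s -> %-48s %s" % (name, path, verdict))

    # Why the rule exists: the naive filter passes the payload, the
    # firewall rejects it, and a second decode would yield a traversal.
    print("naive filter allows payload:", naive_traversal_filter(DOUBLE_ENCODED))
    print("firewall rejects payload   :", strict_firewall_rejects(DOUBLE_ENCODED))
    print("after two decodes          :", container_resolves(DOUBLE_ENCODED))
```

Run the script as-is to see the table of sample file names; the two with "%" in the name are the only ones rejected, matching the symptom in the Situation section. The last three lines show the trade-off behind the default: relaxing the encoded-percent rule to make such files reachable also removes the protection against the double-encoded payload, so any downstream path handling would then have to be reviewed for repeated decoding.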