Ambiguous URI legacy compliance mode

[gregw]

Jetty version
9.4.37

Description
Prior to 9.4.37, URIs with segments of %2e%2e we treated as 400 bad requests. However URIs with %2f characters were not.
In 9.4.37 both %2e%2e and %2f are treated as ambiguous and thus as 400 bad requests, unless a compliance mode is set which allows them both.

Thus there is now no compliance mode that preserves the previous behaviour of allowing %2f but forbidding a segment of %2e%2e

We need 3 modes:

• Allow all ambiguous segments (the app will handle either undecoded path or doesn't care about ambiguity).
• Legacy mode that allows %2f but not a segment of %2e%2e
• default mode that both %2f and a segment of %2e%2e are not allowed.

[joakime]

What if someone wants to allow %2e%2e but not allow %2f ?

how about an individual configuration for each?

• ambiguous-2f / ambiguous-path-delim
• ambiguous-2e2e / ambiguous-path-parent
• ambiguous-2e / ambiguous-path-self

That way people can tweak them accordingly, without the need for complex modes?

[cstamas]

FTR, %2f is a MUST for npm registries, as "scoped packages" are using it. With latest Jetty we have now:

GET http://localhost:45071/@scoped%2ftest HTTP/1.1 -> HTTP/1.1 400 Ambiguous segment in URI

Reference: npm/npm#11738

[gregw]

For jetty-9.4.38 we are reverting to the previous behaviour. Specifically:

• %2f in segments is allowed
• %2e%2e and variants are allowed.
• ..; segments are not allowed.

This behaviour can be configured with HttpCompliance and there will is a new predefined HttpCompliance.RFC7230_NO_AMBIGUOUS_URIS mode

For jetty-10 and beyond, the default is changed to disallow all three. It is now configurable in a new UriCompliance class that can be set on HttpConfiguration