-
Type:
Improvement
-
Status: Closed
-
Priority:
Minor
-
Resolution: Unresolved
-
Affects Version/s: SMP 2.0
-
Fix Version/s: None
-
Component/s: Documentation
-
Labels:None
From https://lists.oasis-open.org/archives/bdxr-comment/201705/msg00000.html
Dear BDXR technical committee,
We would like to submit a change request to the OASIS SMP specifications.
In short, we propose to disallow the slash "/" and backslash "\" characters in the OASIS SMP Identifiers.
Please find below the more detailed technical background behind our proposal.
In general the OASIS SMP specifications give full freedom for characters used in Participant and Document Identifiers – the only rule is that any special characters must be URL-encoded.
So as for now, slash and backslash chars are allowed if they are url-encoded into: %2F and %5C
http://docs.oasis-open.org/bdxr/bdx-smp/v1.0/cos01/bdx-smp-v1.0-cos01.html#_Toc458092050
2.4.3 On the use of percent encoding in URLs
When any type of identifiers are used in URLs, each section between slashes MUST be percent encoded individually, i.e. section by section.
For example, this implies that for an URL in the form of «/
{identifier scheme}::
{id}/services/
{docType}», the slash literals MUST NOT be URL encoded.
Participant and Document Identifiers are transferred as request's URL Parameters.
Many web servers and libraries (i.e.: Tomcat, SpringSecurity, etc.) by default forbid using encoded slash characters in URL parameters.
This is done for security reasons, as this could open the "Directory Traversal Vulnerability":
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450
As you see, implementing the OASIS's SMP specifications strictly requires (in best case) to apply a non-standard and less secure configuration to webservers, application libraries and/or reverse-proxies.
In worst case it might open the above mentioned vulnerability.
Kind regards,
Pawel Gutowski and Maarten Daniels,
CEF eDelivery team