IZ80870: REPLACING THE ILLEGAL UTF8 BYTE SEQUENCES WITH \UFFFD.


APAR status

  • Closed as program error.

Error description

  • Error Message: Behaviour difference between IBM and Sun when
    handling illegal UTF-8 byte sequences. With IBM, illegal
    byte sequences used to be skipped, while with Sun they used
    to get replaced by \uFFFD's.
    .
    Stack Trace: N/A
    .
    1. Replacing any character in the URL path with an overly long
    UTF-8 equivalent. If you have a valid page
    "http://host/ctx/index.html", requesting
    "http://www/ctx/index%c0%aehtml" will result in the same page.
    
    2. Invalid UTF-8 characters added to the URL path are
    decoded to the empty string.
    '../index.%c1%bfj%c1%bfs%c1%bfp%c1%bf' will be decoded to
    ".../index.jsp".
    
    As per the customer, this works with or without the plugin between
    you and WebSphere. The browser may alter the request, so if it
    doesn't work, verify with a sniffer (tcpdump, Wireshark) that the
    URL actually sent in the request was correct. The vulnerability
    arises when .JSPs are being secured by filtering. In the examples
    provided, both URLs would make it past filters.
    

Local fix

  • N/A
    

Problem summary

  • The problem seems to lie in the way our code used to handle
    illegal byte sequences. They used to be ignored/skipped
    whenever the input was malformed (MalformedInput).
    

Problem conclusion

  • The feature introduces a new utility class to replace malformed
    input with \uFFFD's.
    .
    It also introduces a new system property,
    "com.ibm.IgnoreMalformedInput", to revert to the old JDK
    behavior.
    .
    By default the value of this property is false, i.e.
    malformed input will be replaced by \uFFFD's.
    .
    If you wish to revert to the old behaviour of ignoring
    malformed input, set the property to true.
    
    This defect will be fixed in:
    5.0.0 SR12
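
The skip-versus-replace difference described above can be reproduced with the standard java.nio CodingErrorAction policies. The following is an added example, not IBM's utility class or code from this APAR: it decodes the second request path from the error description under IGNORE, REPLACE and the stricter REPORT, and applies a hypothetical suffix filter to each result. The class name, filterBlocks and the /ctx prefix are assumptions.

```java
import java.io.ByteArrayOutputStream;
import java.nio.ByteBuffer;
import java.nio.charset.CharacterCodingException;
import java.nio.charset.Charset;
import java.nio.charset.CodingErrorAction;

public class MalformedUtf8Demo {
    // Percent-decode an ASCII request path to raw bytes; no charset interpretation yet.
    static byte[] percentDecode(String s) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c != '%') { out.write(c); continue; }
            int hi = i + 2 < s.length() ? Character.digit(s.charAt(i + 1), 16) : -1;
            int lo = hi >= 0 ? Character.digit(s.charAt(i + 2), 16) : -1;
            if (lo < 0) throw new IllegalArgumentException("bad percent escape at " + i);
            out.write(hi << 4 | lo);
            i += 2;
        }
        return out.toByteArray();
    }

    // Decode bytes as UTF-8 with an explicit policy for malformed sequences.
    static String decode(byte[] raw, CodingErrorAction policy) throws CharacterCodingException {
        return Charset.forName("UTF-8").newDecoder()
                .onMalformedInput(policy)
                .onUnmappableCharacter(policy)
                .decode(ByteBuffer.wrap(raw)).toString();
    }

    // Hypothetical filter from the APAR's scenario: JSPs are protected by a suffix check.
    static boolean filterBlocks(String path) { return path.endsWith(".jsp"); }

    public static void main(String[] args) {
        // Constructed path based on the second example in the error description.
        String requested = "/ctx/index.%c1%bfj%c1%bfs%c1%bfp%c1%bf";
        byte[] raw = percentDecode(requested);
        System.out.println("undecoded URL blocked: " + filterBlocks(requested));
        CodingErrorAction[] policies = {
            CodingErrorAction.IGNORE, CodingErrorAction.REPLACE, CodingErrorAction.REPORT };
        for (CodingErrorAction policy : policies) {
            try {
                String path = decode(raw, policy);
                System.out.println(policy + " -> " + path + " blocked: " + filterBlocks(path));
            } catch (CharacterCodingException e) {
                System.out.println(policy + " -> rejected: " + e);
            }
        }
    }
}
```

A filter that makes an access decision is safest with REPORT, rejecting the request outright. Whichever policy is used, the check has to run on the same decoded form that the container uses to resolve the resource.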
    

Temporary fix

Comments

APAR Information

  • APAR number

    IZ80870

  • Reported component name

    JAVA 5 CLASS LI

  • Reported component ID

    620500130

  • Reported release

    500

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2010-07-22

  • Closed date

    2010-07-22

  • Last modified date

    2012-01-11

  • APAR is sysrouted FROM one or more of the following:

    PM18989

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    JAVA 5 CLASS LI

  • Fixed component ID

    620500130

Applicable component levels

  • R500 PSN

       




Document information


More support for:

Runtimes for Java Technology
Java Class Libraries

Software version:

5.0

Reference #:

IZ80870

Modified date:

2012-01-11
