IZ80871: REPLACING THE ILLEGAL UTF8 BYTE SEQUENCES WITH \UFFFD.


APAR status

  • Closed as program error.

Error description

  • Error Message: Behaviour difference between IBM and Sun while
    handling illegal UTF-8 byte sequences. In the IBM implementation,
    illegal byte sequences used to be skipped, while in the Sun
    implementation they are replaced by \uFFFD characters.

    Stack Trace: N/A

    1. Replacing any character in the URL path with an overly long
    UTF-8 equivalent. If you have a valid page
    "http://host/ctx/index.html", requesting
    "http://www/ctx/index%c0%aehtml" will result in the same page.

    2. Invalid UTF-8 byte sequences added to the URL path are
    decoded to the empty string:
    '../index.%c1%bfj%c1%bfs%c1%bfp%c1%bf' will decode to
    ".../index.jsp".

    As per the customer, this works with or without the plugin between
    you and WebSphere. The browser may alter the request, so if it
    doesn't work, verify with a sniffer (tcpdump, Wireshark) that the
    URL actually sent in the request was correct. The vulnerability
    arises when .JSPs are being secured by filtering: in the examples
    provided, both URLs would make it past the filters.


Local fix

  • N/A
    

Problem summary

  • The problem is caused by the way our code used to handle
    illegal byte sequences: they were ignored/skipped whenever
    the input was malformed (MalformedInput).


Problem conclusion

  • Introduced a new utility class to handle the replacement of
    MalformedInput with \uFFFD characters.
    Also introduced a new system property
    "com.ibm.IgnoreMalformedInput". By default the value of this
    property is false, i.e. MalformedInput is replaced by
    \uFFFD characters.
    If the customer wishes to revert to the old behaviour of
    skipping MalformedInput, the property needs to be set to
    true.

    This defect will be fixed in:
    6.0.0 SR9

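The following Python is an added illustration, not IBM's utility class, of why the two decoder policies in the error description and problem conclusion matter to a URL filter: it percent-decodes the APAR's own sample paths, then UTF-8-decodes them once with malformed bytes skipped (the old behaviour, what com.ibm.IgnoreMalformedInput=true restores) and once with them replaced by U+FFFD (the fixed default). The .jsp-blocking filter is an assumed toy; note that Python's strict decoder, like the fixed one, treats the overlong %c0%ae as two malformed bytes, so item 1's "same page" result is not reproduced here.

```python
from urllib.parse import unquote_to_bytes

# Constructed request paths built from the byte sequences the APAR cites.
# %c0%ae is an overlong (illegal) encoding of '.', %c1%bf is never valid UTF-8.
OVERLONG_DOT_PATH = "/ctx/index%c0%aehtml"
PADDED_JSP_PATH = "/ctx/../index.%c1%bfj%c1%bfs%c1%bfp%c1%bf"

# Decoder policies: "ignore" mimics the old behaviour (malformed bytes skipped);
# "replace" mimics the fix (each malformed byte becomes U+FFFD).
OLD_SKIP = "ignore"
FIXED_REPLACE = "replace"


def decode_request_path(percent_path: str, policy: str) -> str:
    """Percent-decode to raw bytes, then UTF-8 decode under the given policy.

    This mirrors the order a servlet container works in: a filter may only
    have seen the percent-encoded form, but resource lookup uses the
    decoded string.
    """
    raw = unquote_to_bytes(percent_path)
    return raw.decode("utf-8", errors=policy)


def jsp_filter_blocks(path: str) -> bool:
    """Assumed toy protection: block any request whose path ends in .jsp."""
    return path.lower().endswith(".jsp")


def filter_bypassed(percent_path: str, policy: str) -> bool:
    """True when the encoded path passes the filter but decodes to a .jsp.

    Under the skip policy the junk bytes vanish and the decoded path turns
    into the protected resource; under the replace policy the U+FFFD
    characters remain, so the decoded path no longer matches index.jsp.
    """
    seen_by_filter = jsp_filter_blocks(percent_path)
    resolved_to_jsp = jsp_filter_blocks(decode_request_path(percent_path, policy))
    return (not seen_by_filter) and resolved_to_jsp


if __name__ == "__main__":
    for policy in (OLD_SKIP, FIXED_REPLACE):
        for p in (OVERLONG_DOT_PATH, PADDED_JSP_PATH):
            print(f"{policy:8} {p!r} -> {decode_request_path(p, policy)!r}"
                  f" bypass={filter_bypassed(p, policy)}")
```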

Temporary fix

Comments

APAR Information

  • APAR number

    IZ80871

  • Reported component name

    JAVA CLASS LIBS

  • Reported component ID

    620700130

  • Reported release

    600

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2010-07-22

  • Closed date

    2010-07-22

  • Last modified date

    2010-07-22

  • APAR is sysrouted FROM one or more of the following:

    PM18989

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    JAVA CLASS LIBS

  • Fixed component ID

    620700130

Applicable component levels

  • R600 PSN

Document information


More support for:

Runtimes for Java Technology
Java Class Libraries

Software version:

6.0

Reference #:

IZ80871

Modified date:

2010-07-22
