PM18989: REPLACING THE ILLEGAL UTF8 BYTE SEQUENCES WITH \UFFFD.

Subscribe

You can track all active APARs for this component.

APAR status

  • Closed as program error.

Error description

  • Error Message: Behaviour difference between IBM and Sun while
    handling the illegal UTF8 byte sequences. In case of IBM,illegal
    byte sequences used to be skipped while in case of SUN, it use
    to get replcaed by \uFFFD's.
    .
    Stack Trace: N/A
    .
    1. Replacing any character in the url path with a overly long
    UTF-8 equivalent. If you have a valid page
    "http://host/ctx/index.html" requesting
    "http://www/ctx/index%c0%aehtml" will result in the same page.
    
    2. Adding an invalid UTF-8 characters in the url path are
    encoded to the empty sting.
    '../index.%c1%bfj%c1%bfs%c1%bfp%c1%bf' will decode this to
    ".../index.jsp".
    
    As per customer, this works with or without the plugin between
    you and WebSphere. The browser may alter the request so if it
    doesn't work verify with a sniffer (tcpdump, wireshark) that the
    url actually sent in the request was correct. The vulnerability
    is when .JSPs are being secured by filtering. In the examples
    provided, both urls would make it past filters.
    

Local fix

  • N/A
    

Problem summary

  • The problem seems to be happening the way our code use to handle
    the illegal byte sequences. It use to get ignored/skipped
    whenever the input is MalformedInput.
    

Problem conclusion

  • Introduced a new utility class to address the replacement of
    MalformedInput with \uFFFD's.
    Also, introduced a new system property
    "com.ibm.IgnoreMalformedInput". By default the value of this
    property is false i.e. the MalformedInput will be replaced by
    \uFFFD's.
    If customer wishes to revert to the old behaviour of getting the
    MalformedInput skipped, then the property needs to be set to
    true.
    .
    This defect will be fixed in:
    1.4.2 SR13 FP8
    

Temporary fix

Comments

APAR Information

  • APAR number

    PM18989

  • Reported component name

    JAVA(1.3/1.4 CO

  • Reported component ID

    5648C9800

  • Reported release

    42A

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2010-07-22

  • Closed date

    2010-07-22

  • Last modified date

    2012-01-11

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    IZ80870 IZ80871

Fix information

  • Fixed component name

    JAVA(1.3/1.4 CO

  • Fixed component ID

    5648C9800

Applicable component levels

  • R420 PSN

       UP

  • R42A PSN

       UP

  • R42L PSN

       UP

  • R42W PSN

       UP



Rate this page:

(0 users)Average rating

Add comments

Document information


More support for:

z/OS family

Software version:

1.4.2

Reference #:

PM18989

Modified date:

2012-01-11

Translate my page

Machine Translation

Content navigation