Java Agents 2023.11.2

Control Handling of Path Traversal Attempts

When set to true, any incoming request whose URL contains a path segment of .. is rejected with an HTTP 400 response.

Note that requests will be rejected if any path parameter contains .. anywhere, even though path parameters do not take part in URI normalisation.

When the property Control Handling of the URL Encoded Sequence %2e is set to ACCEPT_AND_INTERPRET, path segments or path parameters containing .%2e, %2e. and %2e%2e will also be rejected.

Note that this will NOT affect access to resources such as index..html.
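The rule described above, modelled as an added example for checking which request URLs to expect an HTTP 400 for; it is not the agent's own code. is_rejected is a hypothetical helper, the sample URLs are constructed, and the model assumes that with ACCEPT_AND_INTERPRET an encoded dot (in either hex case) is treated exactly like a literal one and that only the path is inspected.

```python
import re
from urllib.parse import urlsplit

# URL-encoded dot; treating %2E the same as %2e is an assumption of this model.
_ENCODED_DOT = re.compile(r"%2e", re.IGNORECASE)


def is_rejected(url: str, interpret_encoded_dot: bool = False) -> bool:
    """Model of the property set to true: True means the request gets HTTP 400.

    interpret_encoded_dot=True models the %2e property set to ACCEPT_AND_INTERPRET.
    """
    path = urlsplit(url).path  # raw path, not percent-decoded; query is ignored
    if interpret_encoded_dot:
        path = _ENCODED_DOT.sub(".", path)
    for segment in path.split("/"):
        # "name;p1=v1;p2=v2": the text before the first ';' is the segment
        # itself, the rest are its path parameters.
        name, *params = segment.split(";")
        if name == "..":
            return True  # a path segment of ..
        if any(".." in param for param in params):
            return True  # .. anywhere inside a path parameter
    return False


# Constructed sample URLs, not taken from any real deployment.
SAMPLES = [
    "/app/../admin",            # literal .. segment
    "/app/index..html",         # .. inside a file name: not a traversal segment
    "/app/report;v=1..2/view",  # .. inside a path parameter
    "/app/%2e%2e/admin",        # encoded form, depends on the %2e property
    "/app/.%2e/admin",
    "/app/%2e./admin",
]

if __name__ == "__main__":
    for url in SAMPLES:
        plain = is_rejected(url)
        interpreted = is_rejected(url, interpret_encoded_dot=True)
        print(f"{url:28} default={plain!s:5} ACCEPT_AND_INTERPRET={interpreted}")
```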

Property name

org.forgerock.agents.reject.path.traversal.attempts.enabled

Aliases

org.forgerock.agents.reject.path.traversal.attempts.enabled
  Introduced in Java Agent 2023.11.2

Function

Configure behaviour

Type

Boolean: true returns true; all other strings return false.

Default

false

Bootstrap property

No

Required property

No

Restart required

No

Local configuration file

AgentConfig.properties