Issues » Broken Access Control — Normalization Filter

Issue: SI-68
Date: Jun 30, 2023, 11:00:00 AM
Severity: Medium
Requires Admin Access: No
Fix Version: 23.06+, LTS 22.03.7+, LTS 23.01.4+
Credit: Internal Security Team

In dotCMS, the NormalizationFilter runs on every request and rejects incoming URLs that contain invalid characters. The default list of invalid characters did not include the double slash (//), so a URL could be constructed that passes the filter yet circumvents the XSS protections and access controls built into dotCMS: a request for a path that should be unreachable externally (and should return a 404/Not Found response) can be served instead. The "default" list of invalid URL characters can be found here:

Affected dotCMS versions:

  • 5.3.8
  • 21.06
  • 22.03
  • 23.01

URLs that contain double slashes can be blocked at an upstream firewall / WAF, or by using dotCMS config variables. In dotCMS, the default list of invalid characters can be overridden with the environment variable DOT_URI_NORMALIZATION_FORBIDDEN_STRINGS, whose value is a comma-separated list of forbidden strings. Because the variable overrides the default list rather than extending it, the value should repeat the default entries and add //, e.g.:


It is also possible to set the environment variable DOT_URI_NORMALIZATION_FORBIDDEN_REGEX to a regular expression; any request URI that matches it is blocked, which gives more fine-grained control. For example, to block //html.* you could set:


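To show why the missing // entry matters and how the two settings above close the gap, here is an added, constructed Python model of a normalization filter driven by a forbidden-strings list and a forbidden regex. It is not dotCMS code: the downstream rule that denies paths under /html/, the sample path //html/admin.jsp, and the placeholder "pre-fix" forbidden list are all assumptions made for illustration (the real default list is the one linked from the advisory, not the values used here).

```python
import re

# Constructed model (not dotCMS code) of a request-normalization filter
# controlled by two settings analogous to the advisory's
# DOT_URI_NORMALIZATION_FORBIDDEN_STRINGS (comma-separated literals) and
# DOT_URI_NORMALIZATION_FORBIDDEN_REGEX (one regular expression).


def parse_forbidden_strings(value):
    """Split a comma-separated setting into non-empty literal strings."""
    return [s.strip() for s in value.split(",") if s.strip()]


def normalization_filter(uri, forbidden_strings, forbidden_regex=None):
    """Return True when the request must be rejected (404), False when it may proceed."""
    for literal in forbidden_strings:
        if literal in uri:
            return True
    if forbidden_regex is not None and re.search(forbidden_regex, uri):
        return True
    return False


def protected_prefix_rule(uri):
    """Downstream access rule (assumption): deny anything under /html/.

    It inspects the URI exactly as received, which is what makes a leading
    extra slash dangerous: "//html/..." does not start with "/html/".
    """
    return uri.startswith("/html/")


def container_resolves(uri):
    """Servlet containers collapse repeated slashes when mapping a URI to a resource."""
    return re.sub(r"/{2,}", "/", uri)


def handle(uri, forbidden_strings, forbidden_regex=None):
    """Run the request through filter, access rule and resource resolution."""
    if normalization_filter(uri, forbidden_strings, forbidden_regex):
        return "404 normalization filter"
    if protected_prefix_rule(uri):
        return "404 access control"
    return "200 served " + container_resolves(uri)


# Placeholder "pre-fix" list without "//" (hypothetical, not the real default).
WEAK_FORBIDDEN = parse_forbidden_strings("..")
# Hardened list: the same entries with "//" appended, as the advisory recommends.
HARDENED_FORBIDDEN = parse_forbidden_strings("..,//")
# Regex alternative from the advisory's example.
HTML_REGEX = r"//html.*"


def demo():
    """Return the outcome of each request for the three configurations."""
    target = "//html/admin.jsp"  # constructed sample path
    return {
        "direct request, weak list": handle("/html/admin.jsp", WEAK_FORBIDDEN),
        "double-slash bypass, weak list": handle(target, WEAK_FORBIDDEN),
        "double-slash, hardened list": handle(target, HARDENED_FORBIDDEN),
        "double-slash, regex only": handle(target, WEAK_FORBIDDEN, HTML_REGEX),
        "ordinary public path": handle("/public/index", HARDENED_FORBIDDEN),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:32} -> {outcome}")
```

With the weak list the direct request is denied by the access rule, but //html/admin.jsp slips past both the filter and the prefix check and is then resolved by the container to /html/admin.jsp, which is the bypass the advisory describes; adding // to the forbidden strings, or setting the regex, stops it at the filter before any access rule runs.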
  • CVE-2023-3042