If there is a slash "/" or "\" character in the group or username in Bamboo, permission assignment fails
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
When a user or group name contains a slash "/" or "\" character, Bamboo fails with an "An unexpected error has occurred" message when managing permissions.
Environment
Bamboo 7, 8
Diagnosis
When making changes to user or group assignments, Bamboo POSTs the changes to its API and receives an HTTP Status 400 - Bad Request - Invalid URI: noSlash error.
<!doctype html>
<html lang="en">
<head>
<title>HTTP Status 400 – Bad Request</title>
<style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style>
</head>
<body>
<h1>HTTP Status 400 – Bad Request</h1>
<hr class="line" />
<p>
<b>Type</b> Status Report
</p>
<p>
<b>Message</b> Invalid URI: noSlash
</p>
<p>
<b>Description</b> The server cannot or will not process the request due to something that is perceived to be a client error (e.g., malformed request syntax, invalid request message framing, or deceptive request routing).
</p>
<hr class="line" />
<h3>Apache Tomcat/8.5.70</h3>
</body>
</html>
Cause
For security reasons, Apache Tomcat rejects the encoded slash character by default.
Solution
Do not use usernames and groups that contain slashes in Bamboo.
Workaround
It is strongly recommended that you do not set this option when running Bamboo in production as it introduces a security risk. When Tomcat is deployed behind a reverse proxy, this setting can expose you to a directory traversal security vulnerability (CVE-2007-0450); see Apache Tomcat 6.x Vulnerabilities for further information. Therefore, it is preferable to avoid usernames and groups that contain slashes.
Enable the encoded slash characters by adding the following two options to your Bamboo system properties and restarting Bamboo.
-Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true
-Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true
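The following audit helper is an added example, not Atlassian's code. It lists user and group names that contain a slash (with the percent-encoded form in which the slash appears in a URL) and reports whether either workaround property is set to true in a JVM option string. The function names and sample data are assumptions constructed for illustration; supply your own exported name list and option string.

```python
import re
from urllib.parse import quote

# The two system properties named in the workaround.
RISKY_PROPS = (
    "org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH",
    "org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH",
)


def names_with_slashes(names):
    """Return (name, percent-encoded name) for every name containing / or \\."""
    return [(n, quote(n, safe="")) for n in names if "/" in n or "\\" in n]


def enabled_risky_props(jvm_options):
    """Return the workaround properties that are set to true in a JVM option string."""
    enabled = []
    for prop in RISKY_PROPS:
        # Accept the option bare or wrapped in shell quotes.
        pattern = r"(?:^|[\s\"'])-D" + re.escape(prop) + r"=(\S+)"
        values = re.findall(pattern, jvm_options)
        # Assumed JVM behaviour: when a -D property is repeated, the last value wins.
        if values and values[-1].strip("\"'").lower() == "true":
            enabled.append(prop)
    return enabled


if __name__ == "__main__":
    # Constructed sample data, not taken from a real instance.
    sample_names = ["alice", "dev/ops", "CORP\\build-admins"]
    sample_opts = (
        "-Xmx2g "
        "-Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true "
        "-Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=false"
    )
    for name, encoded in names_with_slashes(sample_names):
        print(f"rename: {name!r} (encoded as {encoded})")
    for prop in enabled_risky_props(sample_opts):
        print(f"risky option enabled: {prop}")
```

Names reported by the first function are candidates for renaming, which is the article's recommended solution; any property reported by the second is a finding to review against the reverse-proxy warning above.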