On 15/11/2016 22:36, Zdeněk Henek wrote:
> Hi,
> 
> we are using tomcat 8.0.30 without problems.
> 
> I have tested upgrade to 8.0.38 today and I got this error
> More env. details JDK 8, tested on both Linux and Windows using different
> JDK 8 updates (71, 111).
> 
> 15-Nov-2016 17:14:51.189 INFO [http-nio-8080-exec-2]
> org.apache.coyote.http11.AbstractHttp11Processor.process Error parsing HTTP
> request header
>  Note: further occurrences of HTTP header parsing errors will be logged at
> DEBUG level.
>  java.lang.IllegalArgumentException: Invalid character found in the request
> target. The valid characters are defined in RFC 7230 and RFC 3986

<snip/>

> The parameter in the request is this
> 
> /list?criteria={%22$type%22:%22Equal%22,%22attr%22:%22id%22,%22value%22:101}

Neither '{' nor '}' are permitted characters in a URI and that includes
the query string.

> Looks like this commit caused the exception
> https://github.com/apache/tomcat80/commit/779d5d34e68e50d2f721897050b147106992f566
> 
> The commit message says:
> Add additional checks for valid characters to the HTTP request line
> parsing so invalid request lines are rejected sooner.
> 
> We don't get any error in 8.0.30 using same request.
> 
> The state in 8.0.30 was bug or 8.0.38 should process parameter
> 
> criteria={%22$type%22:%22Equal%22,%22attr%22:%22id%22,%22value%22:101}
> 
> ?

Technically, 8.0.30 should have rejected the request but didn't.

As per the commit message, Tomcat has tightened up validation of
incoming HTTP requests to reject any that are not specification compliant.

For the query string, the relevant extracts from RFC 3986 are:

query       = *( pchar / "/" / "?" )

pchar         = unreserved / pct-encoded / sub-delims / ":" / "@"

unreserved    = ALPHA / DIGIT / "-" / "." / "_" / "~"

sub-delims    = "!" / "$" / "&" / "'" / "(" / ")"
              / "*" / "+" / "," / ";" / "="


Hence, '{' and '}' are rejected.

Mark
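
Added example (not part of the original message and not Tomcat's code): a Python check of a query string against the RFC 3986 productions quoted above, run on the request from this thread. The function names are made up for illustration, and the check follows the quoted grammar only, not Tomcat's actual parser.

```python
import string

# Character classes from the RFC 3986 extracts quoted above.
UNRESERVED = set(string.ascii_letters + string.digits + "-._~")
SUB_DELIMS = set("!$&'()*+,;=")
QUERY_LITERALS = UNRESERVED | SUB_DELIMS | set(":@/?")   # pchar / "/" / "?"
HEXDIG = set(string.hexdigits)


def invalid_query_chars(query):
    """Return [(index, char)] for every character the query production rejects."""
    bad = []
    i = 0
    while i < len(query):
        ch = query[i]
        if ch == "%":
            # pct-encoded = "%" HEXDIG HEXDIG
            pair = query[i + 1:i + 3]
            if len(pair) == 2 and set(pair) <= HEXDIG:
                i += 3
                continue
            bad.append((i, ch))          # stray or truncated '%'
        elif ch not in QUERY_LITERALS:
            bad.append((i, ch))
        i += 1
    return bad


def percent_encode_invalid(query):
    """Percent-encode only the offending characters; valid ones are untouched."""
    bad = {i for i, _ in invalid_query_chars(query)}
    out = []
    for i, ch in enumerate(query):
        if i in bad:
            # Encode as UTF-8 bytes so non-ASCII input is handled too.
            out.append("".join("%%%02X" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


# Query string from the request in this thread.
REPORTED = ("criteria={%22$type%22:%22Equal%22,%22attr%22:%22id%22,"
            "%22value%22:101}")

if __name__ == "__main__":
    print(invalid_query_chars(REPORTED))
    print(percent_encode_invalid(REPORTED))
```

Only the two braces are flagged; '$', ':' and ',' are allowed by sub-delims and pchar, and the %22 triplets are valid pct-encoded sequences.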

