On 13/03/17 15:23, Chandrashekar H.S wrote:
> Hi All,
> We have recently upgraded Tomcat from 8.0.30 to 8.5.11.
>
> Tomcat 8.5.11 rejects the requested URI with the error below.
> Requested URI:
> /poc-root/resource-lists/users/tel:+918197119913/index/~~/resource-lists/list[@name="oma_pocbuddylist"]/entry[@uri="tel:+919742700996"]

There are multiple potential problems:

- '+' is often used to encode ' ', so the telephone number may end up with a leading ' ' rather than a leading '+'
- '[' and ']' should be encoded but - for now - Tomcat will let you get away without encoding them
- '"' must be encoded and Tomcat will no longer accept it in unencoded form due to CVE-2016-6816.

So '"' is your immediate problem, and I don't see Tomcat optionally allowing '"' due to the risk of different servers handling it in different ways, creating the possibility of request / response injection.

> The server accepts the request if the DQUOTE(") is replaced with the text %22 as
> mentioned below
> /poc-root/resource-lists/users/tel:+918197119913/index/~~/resource-lists/list[@name=%22oma_pocbuddylist%22]/entry[@uri=%22tel:+
> 919742700996%22]

Note that you really need to encode '+', '[' and ']' as well.

> Please help me to fix this at the server side, since the client or URI
> requester is already in production/field.

The best solution is to fix the non-spec compliance in the client.

As an interim solution, if you can find a lenient reverse proxy (generally all HTTP servers are getting stricter over time, so any solution you find may only be temporary) then you should be able to fix the URL in the reverse proxy before it is passed to Tomcat.

Patching Tomcat locally is another option, but going that route needs very careful consideration of the risks.

Mark
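The following is an added example, not code from the thread, Tomcat, or Apache. It takes the request path posted in the question (embedded here as a constructed constant) and does the two things Mark's reply asks for: it reports which characters fall outside what RFC 3986 allows in a path (pchar plus '/'), and it percent-encodes the path so that '"', '[', ']' and '+' are all escaped while existing %XX escapes are left alone. That second function is the kind of rewrite a fixed client, or an interim reverse proxy, would apply before the request reaches Tomcat. The function names and the decision to also encode '=' and the other sub-delims are my choices, not anything the thread prescribes.

```python
"""Added example: check and repair percent-encoding of an HTTP request path.

Not part of the Tomcat mailing-list thread; RAW_URI is the path from the
question, copied here as constructed sample input.
"""
import re
from urllib.parse import unquote, unquote_plus

# RFC 3986 path grammar: segment = *pchar
#   pchar      = unreserved / pct-encoded / sub-delims / ":" / "@"
#   unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~"
#   sub-delims = "!" / "$" / "&" / "'" / "(" / ")" / "*" / "+" / "," / ";" / "="
UNRESERVED = ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
              "0123456789-._~")
SUB_DELIMS = "!$&'()*+,;="
PCHAR = UNRESERVED + SUB_DELIMS + ":@"

# Characters we leave literal when re-encoding. Deliberately narrower than
# PCHAR: '+' is dropped because form-style decoders turn it into ' ', and the
# other sub-delims are escaped too so the result survives strict servers.
SAFE = UNRESERVED + ":@"

PCT = re.compile(r"%[0-9A-Fa-f]{2}")  # one valid pct-encoded octet

# Constructed input: the request path quoted in the question, unmodified.
RAW_URI = ("/poc-root/resource-lists/users/tel:+918197119913/index/~~/"
           "resource-lists/list[@name=\"oma_pocbuddylist\"]/"
           "entry[@uri=\"tel:+919742700996\"]")


def invalid_path_chars(path):
    """Return the set of characters in `path` that RFC 3986 does not allow
    in a path: anything that is not '/', a pchar, or part of a valid %XX."""
    bad = set()
    i = 0
    while i < len(path):
        m = PCT.match(path, i)
        if m:                       # skip an existing, well-formed escape
            i = m.end()
            continue
        c = path[i]
        if c != "/" and c not in PCHAR:
            bad.add(c)
        i += 1
    return bad


def normalize_path(path):
    """Percent-encode every character outside SAFE (plus '/') as UTF-8 %XX,
    keeping existing %XX escapes as they are so the call is idempotent."""
    out = []
    i = 0
    while i < len(path):
        m = PCT.match(path, i)
        if m:
            out.append(m.group().upper())   # canonical upper-case hex
            i = m.end()
            continue
        c = path[i]
        if c == "/" or c in SAFE:
            out.append(c)
        else:
            out.append("".join("%%%02X" % b for b in c.encode("utf-8")))
        i += 1
    return "".join(out)


def plus_is_ambiguous(path):
    """True if a form-style decoder (which maps '+' to ' ') would read the
    path differently from a plain percent-decoder. This is the '+' problem
    Mark describes: the phone number could lose its leading '+'."""
    return unquote_plus(path) != unquote(path)


if __name__ == "__main__":
    print("offending characters:", sorted(invalid_path_chars(RAW_URI)))
    print("'+' ambiguous before fix:", plus_is_ambiguous(RAW_URI))
    fixed = normalize_path(RAW_URI)
    print("fixed path:", fixed)
    print("'+' ambiguous after fix:", plus_is_ambiguous(fixed))
    print("decodes back to original:", unquote(fixed) == RAW_URI)
```

Running it on the posted path reports '"', '[' and ']' as the characters that are invalid outright, and shows that the original path decodes two different ways depending on whether the decoder treats '+' as a space, whereas the normalized path decodes identically under both rules and round-trips to the original. Applying the same rewrite at a proxy only helps if the proxy forwards the re-encoded path untouched; a proxy that decodes and re-encodes on its own terms can reintroduce the problem.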