Thanks for the quick response Mark. That makes sense. I'll let the DHIS2 devs know they should stop using square brackets.
Cheers,
- Jasper

On Tue, Oct 30, 2018 at 10:11 AM Mark Thomas <ma...@apache.org> wrote:
> On 30/10/18 09:53, Jasper Timm wrote:
> > Hi all,
> >
> > I'm facing an issue handling square brackets which seems to have been
> > introduced sometime between 7.0.87 and 7.0.90.
> >
> > I'm running from the docker hub image of tomcat, previously 'tomcat:7-jre8'
> > but after that was updated to 7.0.90 I've pinned it back to
> > 'tomcat:7.0.86-jre8' where I no longer seem to face the issue.
> >
> > I'm running a .war file of some open source software called DHIS2 (v2.27).
> > When running 7.0.90, if I send requests of the following form:
> >
> > http://<host>/api/organisationUnits?fields=parent[id]
> >
> > I get the following error in the logs:
> >
> > Oct 29, 2018 5:04:01 PM org.apache.coyote.http11.AbstractHttp11Processor process
> > INFO: Error parsing HTTP request header
> > Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.
> > java.lang.IllegalArgumentException: Invalid character found in the request target. The valid characters are defined in RFC 7230 and RFC 3986
> > at org.apache.coyote.http11.InternalAprInputBuffer.parseRequestLine(InternalAprInputBuffer.java:240)
> > at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1049)
> > at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
> > at org.apache.tomcat.util.net.AprEndpoint$SocketWithOptionsProcessor.run(AprEndpoint.java:2492)
> > at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> > at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> > at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
> > at java.lang.Thread.run(Thread.java:748)
> >
> > If I URL encode the square brackets the request seems to be fine.
>
> As expected. As per RFC 7230 and RFC 3986 both '[' and ']' must be
> encoded if used in the path or query string in a URI.
>
> Request line parsing (including URI validation) was made more spec
> compliant as a result of CVE-2016-6816 to reduce the risk of similar
> vulnerabilities.
>
> You can relax the validation with relaxedPathChars and/or
> relaxedQueryChars on the Connector but fixing whatever is generating the
> invalid URIs is going to be a better long term solution.
>
> Mark

--
Jasper Timm
Lead Software Developer
eHealth Africa <http://www.ehealthafrica.org/>
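To make Mark's point concrete, here is an added example (my own code, not Tomcat's parser and not from the thread) that checks an origin-form request target against the RFC 3986 literal-character rules for the path and query components, reports the first offending character the way the Tomcat log line does, and shows the client-side fix of percent-encoding only the illegal characters. The `relaxed_path` / `relaxed_query` parameters are an assumption of mine that mimics the idea of the `relaxedPathChars` / `relaxedQueryChars` Connector attributes Mark mentions; they are not the real implementation.

```python
import re

# RFC 3986 literal character classes for the components of an origin-form target.
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")
SUB_DELIMS = set("!$&'()*+,;=")
# pchar = unreserved / pct-encoded / sub-delims / ":" / "@"
PCHAR_LITERAL = UNRESERVED | SUB_DELIMS | set(":@")
# path is pchar segments joined by "/"; query = *( pchar / "/" / "?" )
PATH_LITERAL = PCHAR_LITERAL | set("/")
QUERY_LITERAL = PCHAR_LITERAL | set("/?")
# Note: "[" and "]" appear in neither set; RFC 3986 only permits them in an IP-literal host.

PCT_ENCODED = re.compile(r"%[0-9A-Fa-f]{2}")


def _first_invalid(component: str, allowed: set) -> int:
    """Index of the first character that is neither an allowed literal nor the
    start of a well-formed %XX escape, or -1 if the component is clean."""
    i = 0
    while i < len(component):
        ch = component[i]
        if ch == "%":
            if not PCT_ENCODED.match(component, i):
                return i          # bare or truncated "%" is itself invalid
            i += 3
            continue
        if ch not in allowed:
            return i
        i += 1
    return -1


def validate_request_target(target: str, relaxed_path: str = "", relaxed_query: str = "") -> bool:
    """Strict check of "/path?query". relaxed_* are extra literals to tolerate
    (hypothetical stand-in for Tomcat's relaxedPathChars / relaxedQueryChars)."""
    if not target.startswith("/"):
        raise ValueError("only origin-form request targets are handled here")
    path, sep, query = target.partition("?")
    bad = _first_invalid(path, PATH_LITERAL | set(relaxed_path))
    if bad != -1:
        raise ValueError(f"Invalid character {path[bad]!r} at path offset {bad}")
    if sep:
        bad = _first_invalid(query, QUERY_LITERAL | set(relaxed_query))
        if bad != -1:
            raise ValueError(f"Invalid character {query[bad]!r} at query offset {bad}")
    return True


def _encode(component: str, allowed: set) -> str:
    """Percent-encode (UTF-8 bytes) every character that is not a legal literal,
    while preserving existing well-formed %XX escapes."""
    out, i = [], 0
    while i < len(component):
        ch = component[i]
        if ch == "%" and PCT_ENCODED.match(component, i):
            out.append(component[i:i + 3])
            i += 3
            continue
        out.append(ch if ch in allowed else "".join(f"%{b:02X}" for b in ch.encode("utf-8")))
        i += 1
    return "".join(out)


def encode_request_target(target: str) -> str:
    """The client-side fix: encode only what each component forbids."""
    path, sep, query = target.partition("?")
    return _encode(path, PATH_LITERAL) + (sep + _encode(query, QUERY_LITERAL) if sep else "")


if __name__ == "__main__":
    raw = "/api/organisationUnits?fields=parent[id]"     # the request from the thread
    try:
        validate_request_target(raw)
    except ValueError as err:
        print("strict:", err)
    print("relaxed:", validate_request_target(raw, relaxed_query="[]"))
    print("encoded:", encode_request_target(raw))
```

Running it shows the same sequence the thread walks through: the raw DHIS2 URL is rejected at the `[` in the query, tolerating `[]` (the equivalent of setting the Connector attribute) makes it pass, and encoding at the client yields `fields=parent%5Bid%5D`, which needs no server-side relaxation at all. The last option is the one Mark recommends, because widening the accepted character set on the Connector also widens it for every other client.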