Re: java.lang.IllegalArgumentException: Invalid character found in the request target. The valid characters are defined in RFC 7230 and RFC 3986

Mon, 13 Apr 2020 12:13:51 -0700

Thanks Mark. Including the request line (encoded if necessary to avoid issues with control characters) should definitely help. Getting through all the way to AccessLogValve would also help, but the most important bit is improving the error message. 

*Manuel Dominguez Sarmiento*

On 13/04/2020 14:04, Mark Thomas wrote:

On 13/04/2020 17:25, Manuel Dominguez Sarmiento wrote:

Hi, we're reviewing our logs, are we are ocasionally getting the
following stack traces:

09-Apr-2020 11:29:19.489 INFO [tomcat-http-81]
org.apache.coyote.http11.Http11Processor.service Error parsing HTTP
request header
  Note: further occurrences of HTTP request parsing errors will be logged
at DEBUG level.
         java.lang.IllegalArgumentException: Invalid character found in
the request target. The valid characters are defined in RFC 7230 and RFC
3986
                 at
org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:488)

<snip/>


We understand this is a consequence of malformed requests, but we cannot
seem to pinpoint the cause. It seems these are clients outside of our
control (our servers are public-facing). The AccessLogValve does not log
these requests, so we cannot figure out what the request line is. Is
there any way logging could be improved in order to find out what is
causing this?

The stack trace indicates the problem is in the query string if that helps.

Yes, I think we should be able to do something here. The tricky part is
that as soon as an invalid character is detected we have to be a lot
more careful as the payload could be malicious. I'm not sure if we'll be
able to get anything into the access log but it should be possible to
improve the error message and include the problematic request line in
some form. You probably won't see the exact request line as we'll need
to encoded things like control characters etc.

I'll look at this for the May round of releases.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to