On 26/05/2021 09:47, Nada Mahmoud Ahmed Aboueata wrote:
Dear Mark,
Thanks for your reply,
I have tried to address the issue of invalid characters by adding the
relaxedQueryChars parameter in the connector placed in server.xml, but I am
still getting this exception!!
relaxedQueryChars="[]|{}^\`"<>"
You may want to look at relaxedPathChars as well.
Please note that we didn't face this issue with Tomcat 7.x, and we started facing
the issue with Tomcat 8.x. Is this issue addressed by current releases of
Tomcat?
Which part of my previous reply was not clear?
This is NOT a Tomcat issue. Tomcat is doing exactly what it is meant to
do - implementing the HTTP specifications.
The issue is that you have one or more broken clients that are sending
invalid HTTP requests. The correct long term way to address this issue
is to fix the broken clients.
Tomcat 7 implemented the same checks as Tomcat 8. They were introduced
as part of the fix for CVE-2016-6816 in 7.0.73, 8.0.39, 8.5.8 and
9.0.0.M13 with the option to relax the checks introduced in 7.0.87,
8.0.52 and 8.5.31, 9.0.8.
Mark
-----Original Message-----
From: Mark Thomas <ma...@apache.org>
Sent: Wednesday, May 26, 2021 11:10 AM
To: users@tomcat.apache.org
Subject: [ALERT: Non-QU Sender] Re: Tomcat8.5.53: HTTP requests parsing error
On 26/05/2021 09:02, Nada Mahmoud Ahmed Aboueata wrote:
Dear all,
We are using Tomcat 8.5.53, and I have been noticing the exceptions
attached below in my logs. After looking deeply at what kind of
requests caused these exceptions, I noticed that some requests
include a null HTTP protocol and some special characters that cannot be handled
by Tomcat.
Also, we have noticed that these kinds of requests might crash the web
server from time to time and cause OutOfMemoryError.
That is highly unlikely. When an invalid request is received, Tomcat responds
with a 400 response and closes the connection. The opportunity for an OOME is
slim to nonexistent.
I am not sure if this issue is a bug in Tomcat 8.x that it cannot
handle these requests, so could you please advise what’s recommended
to avoid these exceptions?
The error message is clear:
"Invalid character found in the request target. The valid characters are defined in
RFC 7230 and RFC 3986."
The client is sending an invalid HTTP request and Tomcat is, correctly,
rejecting it.
The recommended way to address issues such as this is to fix the broken clients
that are sending invalid HTTP requests.
Mark
02-Mar-2021 01:33:04.846 INFO [https-jsse-nio-185.37.108.150-8443-exec-31] org.apache.coyote.http11.Http11Processor.service Error parsing HTTP request header
 Note: further occurrences of HTTP request parsing errors will be logged at DEBUG level.
 java.lang.IllegalArgumentException: Invalid character found in the HTTP protocol
    at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:567)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:502)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:818)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1623)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)
24-May-2021 23:04:00.693 INFO [https-jsse-nio-185.37.108.150-8443-exec-309] org.apache.coyote.http11.Http11Processor.service Error parsing HTTP request header
 Note: further occurrences of HTTP request parsing errors will be logged at DEBUG level.
 java.lang.IllegalArgumentException: Invalid character found in the request target. The valid characters are defined in RFC 7230 and RFC 3986
    at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:502)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:502)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:818)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1623)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)
Thanks!
Nada Aboueata
Nada Mahmoud Ahmed Aboueata
Application Developer
Information Technology Services Department
Tel.: +974 4403 6369
Fax: +974 4403 3401
Qatar University <http://www.qu.edu.qa>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
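
Added example (not part of the original thread, and not Tomcat's own parser): a Python triage helper that applies the RFC 3986 path and query character rules to raw request lines and separates offending characters that relaxedPathChars / relaxedQueryChars can accept from those that can only be fixed in the client. The function names and the sample request lines are constructed for illustration.

```python
import re

# RFC 3986: unreserved / sub-delims / ":" / "@" / "/" are legal in a path;
# a query additionally allows "?". "%" is checked separately (pct-encoded).
PATH_OK = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
              "0123456789-._~!$&'()*+,;=:@/")
QUERY_OK = PATH_OK | {"?"}
# Characters the Tomcat documentation lists as accepted values for
# relaxedPathChars / relaxedQueryChars; anything else cannot be relaxed.
RELAXABLE = set('"<>[\\]^`{|}')
PROTO_RE = re.compile(r"HTTP/[0-9]\.[0-9]")
PCT_RE = re.compile(r"%[0-9A-Fa-f]{2}")

def bad_chars(part, allowed):
    """Return characters in `part` that are neither allowed nor valid %XX."""
    stripped = PCT_RE.sub("", part)           # drop well-formed escapes
    return sorted({c for c in stripped if c not in allowed})

def triage(request_line):
    """Classify one raw request line (method SP target SP protocol)."""
    method, _, rest = request_line.partition(" ")
    target, sep, proto = rest.rpartition(" ")
    if not sep:                               # no protocol token at all
        target, proto = rest, ""
    path, _, query = target.partition("?")
    bad_path, bad_query = bad_chars(path, PATH_OK), bad_chars(query, QUERY_OK)
    return {
        "relaxedPathChars": [c for c in bad_path if c in RELAXABLE],
        "relaxedQueryChars": [c for c in bad_query if c in RELAXABLE],
        "fix_client": [c for c in bad_path + bad_query if c not in RELAXABLE],
        "protocol_ok": bool(PROTO_RE.fullmatch(proto)),
    }

# Constructed sample request lines (not taken from the thread's logs).
SAMPLES = [
    "GET /app/list?filter={a|b} HTTP/1.1",
    "GET /files/[2021]/report.pdf?q=%7Bok%7D HTTP/1.1",
    "GET /search?q=two words HTTP/1.1",
    "GET /index.html HTTP/1.1\x00",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(repr(line), triage(line))
```

Characters reported under fix_client (a raw space, a stray "%", "#", control bytes) are outside what either relaxed attribute accepts, so the sending client has to percent-encode them.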