Re: Invalid character found in the request target

Tue, 04 Jun 2024 06:38:35 -0700 

Chuck,

On 6/4/24 09:10, Chuck Caldarale wrote:



On Jun 4, 2024, at 06:07, Christopher Schultz <ch...@christopherschultz.net> 
wrote:



<snip/>



04-Jun-2024 09:49:11.448 INFO [http-nio-8080-exec-6] 
org.apache.coyote.http11.Http11Processor.service Error parsing HTTP request 
header
  Note: further occurrences of HTTP request parsing errors will be logged at 
DEBUG level.
         java.lang.IllegalArgumentException: Invalid character found in the 
request target [/sra_{xxxxxxx0-DDDD-3333-yyyyyyyyyyyyyy}/ ]. The valid 
characters are defined in RFC 7230 and RFC 3986


The problem is the { and } characters.

My reading of RFC 7230 is that { and } /should/ be allowed, but Tomcat's code 
rejects them by default.



I think it depends on which part of RFC 3986 one looks at. Appendix A should 
have the precise URI syntax, where the reserved and unreserved sets are defined 
as follows:

    unreserved    = ALPHA / DIGIT / "-" / "." / "_" / "~"
    reserved      = gen-delims / sub-delims
    gen-delims    = ":" / "/" / "?" / "#" / "[" / "]" / "@"
    sub-delims    = "!" / "$" / "&" / "'" / "(" / ")"
                  / "*" / "+" / "," / ";" / "="

Some ASCII characters, notably braces, are simply left out of either set here. 
However, section 2.3 declares:

    Characters that are allowed in a URI but do not have a reserved
    purpose are called unreserved.  These include uppercase and lowercase
    letters, decimal digits, hyphen, period, underscore, and tilde.

The use of “include” would seem to imply “not limited to”, but that’s not 
explicitly stated here.

Nothing like a little ambiguity to keep things interesting…



Yup. RFC 3986 does not include the { character anywhere in the text. RFC 
7230 mentions it as a character not allowed in "field values" which I 
think only applies to headers.... unless you consider the "request line" 
to be "header 0" or somesuch.



At any rate, characters such as { and } could be considered "dangerous" 
and so, while I would argue the RFC doesn't prohibit them, Tomcat's 
refusal to accept them under a default configuration is a reasonable 
one... especially because you can simply re-enable them if your 
application needs them.


-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org























					Reply via email to