Hi Mark, We are more curious to understand why the pipe character was working fine in 9.x.x series & not working in 10.x.x series? Is there any enhancement done by tomcat in 10.x.x series for blocking pipe character. Can we get any documentation, which will help us to understand the reason for why it was working earlier?
-- Thanks and Regards, Tushar Patil ________________________________ From: Mark Thomas <ma...@apache.org> Sent: Friday, August 9, 2024 2:42 PM To: users@tomcat.apache.org <users@tomcat.apache.org> Subject: Re: Upgraded Tomcat 9.0.82 to 10.1.23 getting HTTP response 400 for pipe characters in URL On 09/08/2024 09:28, Patil, Tushar wrote: > Hi Tomcat team, > Earlier in the 9.x.x series, the pipe(|) character was allowed with the AJP > connector without doing any configuration change at our end, but now in > 10.1.23, it is giving an error. > Is this bug from the Tomcat side, or do we need any configuration changes at > our end? This is an application bug at your end. '|' is not a valid character in a URL. It has to be %nn encoded if you want to use it. Mark > > > -- > Thanks and Regards, > Tushar Patil > ________________________________ > From: Christopher Schultz <ch...@christopherschultz.net> > Sent: Thursday, August 8, 2024 11:51 PM > To: users@tomcat.apache.org <users@tomcat.apache.org> > Subject: Re: Upgraded Tomcat 9.0.82 to 10.1.23 getting HTTP response 400 for > pipe characters in URL > > [You don't often get email from ch...@christopherschultz.net. Learn why this > is important at https://aka.ms/LearnAboutSenderIdentification ] > > Chuck, > > On 8/8/24 09:58, Chuck Caldarale wrote: >> >>> On Aug 8, 2024, at 08:46, Christopher Schultz >>> <ch...@christopherschultz.net> wrote: >>> >>> On 8/8/24 05:20, Patil, Tushar wrote: >>>> In older version [9.0.82]: >>>> <Connector port="8010" >>>> protocol="org.apache.coyote.ajp.AjpNioProtocol" secure="false" >>>> requiredSecret="388438" address="127.0.0.1" >>>> tomcatAuthentication="false" enableLookups="false" >>>> maxPostSize="-1" maxSavePostSize="8388608" maxParameterCount="-1" >>>> useBodyEncodingForURI="true" URIEncoding="UTF-8" >>>> backlog="100" packetSize="8192" >>>> maxThreads="320" minSpareThreads="8"/> >>>> In newer version[10.1.23]: >>>> <Connector port="8010" protocol="org.apache.coyote.ajp.AjpNioProtocol" >>>> secure="false" requiredSecret="904746" address="127.0.0.1" >>>> tomcatAuthentication="false" enableLookups="false" >>>> maxPostSize="-1" maxSavePostSize="8388608" maxParameterCount="-1" >>>> useBodyEncodingForURI="true" URIEncoding="UTF-8" >>>> acceptCount="100" packetSize="8192" >>>> maxThreads="320" minSpareThreads="8" >>>> discardFacades="false"/> >>> >>> IMPORTANT NOTE: You have posted your "requiredSecret" value and may want to >>> change that now that it is public. >>> >>> I'm not sure why you would not have needed these in the past, but you might >>> need to add relaxedPathChars="|" in your <Connector> configuration to allow >>> these pipes. >>> >>> If the pipes are also appearing in your query string, you may need to set >>> relaxedQueryChars to the same value. >> >> >> The AJP connector documentation does not show relaxedPathChars nor >> relaxedQueryChars as valid configuration items - these are only in the >> HTTP/1.1 connector. I thought that the AJP connector expected the front end >> to do URL validation. > > +1 > > I hadn't noticed the AJP in there until after I had written most of the > reply, then went back to add info about the secret and reverse proxy. Oops. > > -chris > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
