perhaps we're dealing with a powerful personality that just won 30 of the states in the US

would suggest send a pretty please with sugar on top bug request to tomcat jira and post to tomcat users
https://bz.apache.org/bugzilla/enter_bug.cgi

if he unilaterally rejects this obvious bug without consulting his fellow tomcat committee members we'll need to talk to the "rebel alliance" who has forked what they label as "commercial tomcat"..the rebels tout their fork as "hardened tomcat that works for corporations as well as the academic community"

please pingback when you have an answer (or lack of same)

*regards*
Martin
______________________________________________

________________________________
From: [email protected] <[email protected]>
Sent: Monday, December 5, 2016 3:33 AM
To: Struts Developers List
Subject: Re: Valid characters in http requets: Tomcat 8.38 -> 8.39

Dear Martin

I fear Tomcat will not fix the issue. Mark Thomas states:

"If a request contains an unencoded '|' in the request-target, the correct way to deal with it is to return a 400."

While this may be true, and whenever you are able to fix the requests made to Tomcat, you should do it. However, if you are in a situation like me, where this is not feasible, I see two options:

1. try to post again to the user-list in Tomcat, to raise awareness of the issue
2. patch Tomcat

While I do not like to do this, patching Tomcat is very easy:

svn checkout http://svn.apache.org/repos/asf/tomcat/tc8.0.x/trunk/

Take a look at

java/org/apache/tomcat/util/http/parser/HttpParser.java

cd {tomcat}/trunk/
ant

and you'll find the result in {tomcat}/trunk/output/build/

Markus

> On 04.12.2016 at 02:30, Martin Gainty wrote:
>> Markus
>>
>> I have same problem and had to revert TC 8.38 ..please pingback when tomcat
>> fixed this problem
>>
>> *regards*
>>
>> Martin
>> ____________
>>
>> ________________________________
>> From: [email protected] <[email protected]>
>> Sent: Saturday, December 3, 2016 8:18 AM
>> To: Struts Developers List
>> Subject: Re: Valid characters in http requets: Tomcat 8.38 -> 8.39
>>
>> Sorry! Wrong mailing list...
>>
>> Markus
>>
>> On 03.12.2016 at 13:56, Lukasz Lenart wrote:
>>> Is it related to Apache Struts?
>>>
>>> Cheers
>>> Lukasz
>>>
>>> 2016-12-03 12:47 GMT+01:00 [email protected] <[email protected]>:
>>>> Between Tomcat 8.38 and 8.39 there seems to be a change in handling URL
>>>> parameters:
>>>>
>>>> &paramxy=1|2
>>>>
>>>> This will cause Tomcat to return a 400 error since 8.39. It is the
>>>> character "|" that causes the new behaviour. I suspect these changes:
>>>>
>>>> https://github.com/apache/tomcat/commit/516bda676ac8d0284da3e0295a7df70391315360
>>
>> Add additional checks for valid characters to the HTTP request line ·
>> apache/tomcat@516bda6<https://github.com/apache/tomcat/commit/516bda676ac8d0284da3e0295a7df70391315360>
>> parsing so invalid request lines are rejected sooner. git-svn-id:
>> https://svn.apache.org/repos/asf/tomcat/trunk@1767641
>> 13f79535-47bb-0310-9956-ffa450edef68
>>
>>>> First thing to know:
>>>>
>>>> Is this intended?
>>>>
>>>> Second:
>>>>
>>>> Any way to restore the previous behaviour of 8.38 with a config option?
>>>>
>>>> Thanks for considering!
>>>>
>>>> Best regards
>>>> Markus
>>>>

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
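
The reply quoted in the thread puts the fix on the sender: an unencoded '|' in the request-target has to be percent-encoded before it reaches Tomcat. As an added example (not code from the thread, from Tomcat or from Struts), the Java class below encodes a query string using the `query` rule of RFC 3986; the class name, method names and sample strings are constructed for illustration, and the character set is the RFC's, which is an assumption about what Tomcat accepts rather than a copy of `HttpParser.java`.

```java
import java.nio.charset.StandardCharsets;

/** Added example: percent-encode characters RFC 3986 does not allow raw in a query. */
public class QueryEncoder {
    // RFC 3986: query = *( pchar / "/" / "?" ). Besides ASCII letters and digits,
    // only this punctuation may appear unencoded. '|' is not in the set.
    private static final String ALLOWED_PUNCT = "-._~!$&'()*+,;=:@/?";

    static boolean isAllowed(int c) {
        return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                || (c >= '0' && c <= '9') || ALLOWED_PUNCT.indexOf(c) >= 0;
    }

    static boolean isHex(char c) {
        return (c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') || (c >= 'A' && c <= 'F');
    }

    /** Returns the query with every disallowed character replaced by its UTF-8 %XX form. */
    static String encodeQuery(String query) {
        StringBuilder out = new StringBuilder(query.length() + 8);
        for (int i = 0; i < query.length(); ) {
            int cp = query.codePointAt(i);
            // An existing, well-formed %XX triplet is kept so nothing is encoded twice.
            boolean pctTriplet = cp == '%' && i + 2 < query.length()
                    && isHex(query.charAt(i + 1)) && isHex(query.charAt(i + 2));
            if (pctTriplet || (cp < 128 && isAllowed(cp))) {
                out.appendCodePoint(cp);
            } else {
                // Covers '|', a stray '%', spaces and any non-ASCII character.
                byte[] utf8 = new String(Character.toChars(cp)).getBytes(StandardCharsets.UTF_8);
                for (byte b : utf8) {
                    out.append(String.format("%%%02X", b & 0xFF));
                }
            }
            i += Character.charCount(cp);
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed samples; the first is modelled on the parameter shape in the thread.
        String[] samples = { "a=0&paramxy=1|2", "q=50%|x=%7C", "name=J\u00fcrgen" };
        for (String s : samples) {
            System.out.println(s + " -> " + encodeQuery(s));
        }
    }
}
```

Apply the encoding where the URL is built (link generation, API client, redirect target) so the server-side request-line check can stay in place.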
