Martin
I did post to the dev mailing list of Tomcat. This is not really a well
read list...
Maybe you should send one to the user list, which is the official
discussion list. I will gladly assist and comment. If I do repost to the
user list after not being successful on the dev list it would have a "smell".
Please be aware that the current change in behaviour between 8.0.38 and
8.0.39 is related to a security fix:
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.39
The question then is: is rejecting the character '|' in a query part for
a request target the appropriate measure to take against it?
The choices to be rejected seem to be quite random:
// Combination of multiple rules from RFC7230 and RFC 3986. Must be
// ASCII, no controls plus a few additional characters excluded
http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/http/parser/HttpParser.java?view=markup&pathrev=1767653
The general purpose of this parser is described as follows:
"The purpose of this parser is to let the parser worry about the edge
cases. It provides tolerant (where safe to do so) parsing of HTTP header
values assuming that wrapped header lines have already been unwrapped.
(The Tomcat header processing code does the unwrapping.)"
Best regards
Markus
You may also reach me off-list, since we are on the struts-list here:
[email protected]
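As an added example (not code from this thread or from Tomcat), a small Python check of the RFC 3986 query grammar the Tomcat comment refers to, plus the client-side fix that Mark Thomas's answer implies: percent-encoding the '|' before the request reaches the server. The character set in `TOMCAT_EXTRA_REJECTS` is my reading of the linked HttpParser revision and is an assumption to verify against that source.

```python
import re
import string
from urllib.parse import quote

# RFC 3986: query = *( pchar / "/" / "?" )
#           pchar = unreserved / pct-encoded / sub-delims / ":" / "@"
UNRESERVED = set(string.ascii_letters + string.digits + "-._~")
SUB_DELIMS = set("!$&'()*+,;=")
QUERY_LITERALS = UNRESERVED | SUB_DELIMS | set(":@/?")
PCT_ENCODED = re.compile(r"%[0-9A-Fa-f]{2}")


def rfc3986_query_violations(query: str) -> list:
    """Return every character in `query` that the RFC 3986 query grammar does not allow."""
    bad = []
    i = 0
    while i < len(query):
        ch = query[i]
        if ch == "%":
            if PCT_ENCODED.match(query, i):
                i += 3  # a well-formed pct-encoded triplet, skip it
                continue
            bad.append(ch)  # bare '%' not followed by two hex digits
        elif ch not in QUERY_LITERALS:
            bad.append(ch)
        i += 1
    return bad


# Assumption: the 8.0.39 HttpParser rejects controls, non-ASCII and these
# additional characters anywhere in the request target (verify against the source).
TOMCAT_EXTRA_REJECTS = set(' "#<>\\^`{|}')


def tomcat_rejects(request_target: str) -> bool:
    """True if the request target would be answered with a 400 under the assumed rule set."""
    return any(ord(c) < 0x20 or ord(c) >= 0x7F or c in TOMCAT_EXTRA_REJECTS
               for c in request_target)


def encode_query_value(value: str) -> str:
    """Client-side fix: percent-encode a query value so only unreserved characters
    remain. safe="" also encodes '/', which is harmless inside a value."""
    return quote(value, safe="")


if __name__ == "__main__":
    # Constructed sample taken from the thread: the value 1|2 in a query parameter.
    print(rfc3986_query_violations("paramxy=1|2"))          # ['|']
    print(tomcat_rejects("/app?paramxy=1|2"))               # True
    print(tomcat_rejects("/app?paramxy=" + encode_query_value("1|2")))  # False
```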
On 05.12.2016 at 14:09, Martin Gainty wrote:
perhaps we're dealing with a powerful personality that just won 30 of the
states in the US
would suggest sending a pretty please with sugar on top bug request to tomcat jira
and post to tomcat users
https://bz.apache.org/bugzilla/enter_bug.cgi
if he unilaterally rejects this obvious bug without consulting his fellow tomcat committee members we'll need
to talk to the "rebel alliance" who has forked what they label as "commercial
tomcat"... the rebels tout their fork as "hardened tomcat that works for corporations as well as the
academic community"
please pingback when you have an answer (or lack of same)
*gruss*
Martin
From: [email protected] <[email protected]>
Sent: Monday, December 5, 2016 3:33 AM
To: Struts Developers List
Subject: Re: Valid characters in http requests: Tomcat 8.38 -> 8.39
Dear Martin
I fear Tomcat will not fix the issue. Mark Thomas states:
"If a request contains an unencoded '|' in the request-target, the
correct way to deal with it is to return a 400."
While this may be true, and whenever you are able to fix the requests
made to Tomcat, you should do it. However, if you are in a situation
like me, where this is not feasible, I see two options:
1. try to post again to the user-list in Tomcat, to raise awareness of
the issue
2. patch Tomcat
While I do not like to do this, patching Tomcat is very easy:
svn checkout http://svn.apache.org/repos/asf/tomcat/tc8.0.x/trunk/
Take a look at
java/org/apache/tomcat/util/http/parser/HttpParser.java
cd {tomcat}/trunk/
ant
and you'll find the result in {tomcat}/trunk/output/build/
Markus
On 04.12.2016 at 02:30, Martin Gainty wrote:
Markus
I have the same problem and had to revert to TC 8.38 ..please pingback when tomcat
fixed this problem
*gruss*
Martin
From: [email protected] <[email protected]>
Sent: Saturday, December 3, 2016 8:18 AM
To: Struts Developers List
Subject: Re: Valid characters in http requests: Tomcat 8.38 -> 8.39
Sorry! Wrong mailing list...
Markus
On 03.12.2016 at 13:56, Lukasz Lenart wrote:
Is it related to Apache Struts?
Cheers
Lukasz
2016-12-03 12:47 GMT+01:00 [email protected] <[email protected]>:
Between Tomcat 8.38 and 8.39 there seems to be a change in handling URL
parameters:
&paramxy=1|2
This will cause Tomcat to return a 400 error since 8.39. It is the character
"|" that causes the new behaviour. I suspect these changes:
https://github.com/apache/tomcat/commit/516bda676ac8d0284da3e0295a7df70391315360
Commit message: "Add additional checks for valid characters to the HTTP request line parsing so invalid request lines are rejected sooner." (svn revision 1767641)
First thing to know:
Is this intended?
Second:
Is there any way to restore the previous behaviour of 8.38 with a config option?
Thanks for considering!
Best regards
Markus