https://bz.apache.org/bugzilla/show_bug.cgi?id=69325
Bug ID: 69325
Summary: Tomcat not allowing CRLF characters in Request headers
Product: Tomcat 9
Version: unspecified
Hardware: PC
OS: Linux
Status: NEW
Severity: major
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: manjosh.1...@yahoo.com
Target Milestone: -----

I have a Spring Boot application for the RESTful webservice. The Tomcat was upgraded to 8.5.99. Since then I get the error when I pass the cookie from a file in UNIX. The same API call works just fine with old Tomcat.

< HTTP/1.1 400
HTTP/1.1 400
< Content-Type: text/html;charset=utf-8
Content-Type: text/html;charset=utf-8
< Content-Language: en
Content-Language: en
< Content-Length: 3004
Content-Length: 3004
< Date: Tue, 10 Sep 2024 09:29:38 GMT
Date: Tue, 10 Sep 2024 09:29:38 GMT
< Connection: close
Connection: close
<
<!doctype html><html lang="en"><head><title>HTTP Status 400 – Bad Request</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 400 – Bad Request</h1><hr class="line" /><p><b>Type</b> Exception Report</p><p><b>Message</b> The HTTP header line [cookie:userData=%7B%22access_token%22%3A%227d35cdeb-50b2-4fd4-b522-9f985c72de9b%22%2C%22role%22%3A%5B1%2C10%2C16%2C22%5D%2C%22authType%22%3A%22LOCAL%22%2C%22user%22%3A%22admin%22%2C%22password_regex%22%3A%22%28%28%3F%3D.*%5BA-Z%5D%29%28%3F%3D.*%5Ba-z%5D%29%28%3F%3D.*%5C%5Cd%29%28%3F%3D.*%5B__special%5D%29.%7B8%2C%7D%29%22%2C%22special_chars%22%3A%22%21%5C%22%23%24%25%26%27%28%29*%2B%2C-.%2F%3A%3B%3C%3D%3E%3F%40%5B%5D%5E_%60+%7B%5C%5C%7C%7D%7E%22%7DD] does not conform to RFC 7230. The request has been rejected.</p><p><b>Description</b> The server cannot or will not process the request due to something that is perceived to be a client error (e.g., malformed request syntax, invalid request message framing, or deceptive request routing).</p><p><b>Exception</b></p><pre>java.lang.IllegalArgumentException: The HTTP header line [cookie:userData=%7B%22access_token%22%3A%227d35cdeb-50b2-4fd4-b522-9f985c72de9b%22%2C%22role%22%3A%5B1%2C10%2C16%2C22%5D%2C%22authType%22%3A%22LOCAL%22%2C%22user%22%3A%22admin%22%2C%22password_regex%22%3A%22%28%28%3F%3D.*%5BA-Z%5D%29%28%3F%3D.*%5Ba-z%5D%29%28%3F%3D.*%5C%5Cd%29%28%3F%3D.*%5B__special%5D%29.%7B8%2C%7D%29%22%2C%22special_chars%22%3A%22%21%5C%22%23%24%25%26%27%28%29*%2B%2C-.%2F%3A%3B%3C%3D%3E%3F%40%5B%5D%5E_%60+%7B%5C%5C%7C%7D%7E%22%7DD] does not conform to RFC 7230. The request has been rejected.
	org.apache.coyote.http11.Http11InputBuffer.skipLine(Http11InputBuffer.java:1080)
	org.apache.coyote.http11.Http11InputBuffer.parseHeader(Http11InputBuffer.java:980)
	org.apache.coyote.http11.Http11InputBuffer.parseHeaders(Http11InputBuffer.java:606)
	org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:514)
	org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
	org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:934)
	org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1698)
	org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
	org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
	org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
	org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63)
	java.lang.Thread.run(Thread.java:748)
* Closing connection 0

I see that there is ^M$ at the end of each line in the cookie file and Tomcat rejects it. If I remove '^M' and try, it works. That means it is allowing '$'. It's the same behavior in Tomcat 9. Please advise.
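
Added example, not part of the bug report and not Tomcat's code: a header value read from a file saved with CRLF line endings keeps a carriage return (0x0D, displayed as ^M) when only the LF is stripped, so the header line sent on the wire carries a CR that is not part of the terminating CRLF. The function names, the sample cookie value and the strictness of the check (any byte outside the RFC 7230 field-value set is a problem) are assumptions made for illustration.

```python
# Characters permitted in a field value by RFC 7230: HTAB, SP, visible ASCII
# and obs-text (0x80-0xFF). Assumption: a strict server rejects anything else,
# including a CR that is not part of the terminating CRLF.
ALLOWED_VALUE_BYTES = frozenset([0x09]) | frozenset(range(0x20, 0x7F)) | frozenset(range(0x80, 0x100))
TOKEN_BYTES = frozenset(b"!#$%&'*+-.^_`|~0123456789"
                        b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")


def read_value_keep_cr(raw: bytes) -> bytes:
    """Mimic a reader that strips only the trailing LF, so a CR survives."""
    return raw[:-1] if raw.endswith(b"\n") else raw


def read_value_clean(raw: bytes) -> bytes:
    """Strip the whole line terminator, whether LF or CRLF."""
    return raw.rstrip(b"\r\n")


def build_header_line(name: bytes, value: bytes) -> bytes:
    """Serialize one header line as it would appear on the wire."""
    return name + b": " + value + b"\r\n"


def check_header_line(line: bytes) -> list:
    """Return a list of problems; an empty list means the line is well formed."""
    if not line.endswith(b"\r\n"):
        return ["line is not terminated by CRLF"]
    name, sep, value = line[:-2].partition(b":")
    problems = []
    if not sep or not name or any(b not in TOKEN_BYTES for b in name):
        problems.append("invalid field name")
    value = value.strip(b" \t")  # optional whitespace around the value
    for offset, byte in enumerate(value):
        if byte not in ALLOWED_VALUE_BYTES:
            problems.append(f"byte 0x{byte:02x} at value offset {offset}")
    return problems


# Constructed sample: one line of a file saved with CRLF line endings.
COOKIE_FILE_LINE = b"userData=abc123\r\n"
BAD_LINE = build_header_line(b"cookie", read_value_keep_cr(COOKIE_FILE_LINE))
GOOD_LINE = build_header_line(b"cookie", read_value_clean(COOKIE_FILE_LINE))

if __name__ == "__main__":
    print(repr(BAD_LINE), check_header_line(BAD_LINE))
    print(repr(GOOD_LINE), check_header_line(GOOD_LINE))
```
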