[Bug 60594] RFC 7230/3986 url requirement that prevents unencoded curly braces should be optional, since it breaks existing sites

2018-08-01 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60594
--- Comment #34 from Mark Thomas ---
Ah. No need. Enable debug logging for org.apache.coyote.http11.Http11InputBuffer and it will log the entire request headers.

2018-08-01 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60594
--- Comment #33 from Mark Thomas ---
The point regarding log files is a valid one but if the parsing of the request target fails, the access log will contain null rather than the request target. Generally, we do allow potentially security sens

2018-07-31 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60594
--- Comment #32 from Christopher Schultz ---
URLs can contain sensitive information. Access logs are expected to contain URLs and, if sensitive information is expected, those files can be cleansed. It may be surprising to find a URL in a log

2018-07-31 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60594
--- Comment #31 from Sven Schliesing ---
Is there a reason why the error message does not log the URL? It's pretty hard to fix any calls if you do not know what exactly triggers this error.

2018-05-29 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60594
--- Comment #30 from Mark Thomas ---
See bug 62273 for further developments.

2017-09-25 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60594
--- Comment #29 from Jeff ---
I would like to ask for the ^ character. I'm not sure how to make a case for this. It's kind of important for us because we have been using this to denote financial indexes (similar to Yahoo Finance) and we have a l

2017-06-20 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60594
--- Comment #28 from Lulseged Zerfu ---
Hi, let us know if Tomcat will add '"' as '{', '}' and '|' are added, to let us continue using the latest Tomcat releases. Please let us know what you think. BR, Lulseged

2017-06-12 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60594
--- Comment #27 from Lulseged Zerfu ---
Hi, any comment on whether you will add '"' to allow it in our request URL? At the end of the day we are taking the risk. BR, Lulseged

2017-06-08 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60594
--- Comment #26 from Lulseged Zerfu ---
Hi, we don't see any way out when millions of terminals are not working and Tomcat has restricted '"' from being a part of the request URL. Terminals will not comply overnight but are starting to comply sl

2017-06-08 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60594
--- Comment #25 from Mark Thomas ---
I'm neutral on adding '<' and '>' as allowed options. I think '"' is in the same category, i.e. there is the risk that unexpected reverse proxy behaviour will trigger a CVE-2016-6816-like issue, no parsing

2017-06-08 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60594
--- Comment #24 from Lulseged Zerfu ---
Hi, a reverse proxy is not an option and I would like to make a case for allowing double quotes in request URLs, as '{', '}' and '|' are allowed today by configuring: tomcat.util.http.parser.HttpParser

2017-05-25 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60594
--- Comment #23 from Coty Sutherland ---
(In reply to Mark Thomas from comment #22)
> You mean '<' and '>' ?
Yes.
> There is always the risk that unexpected reverse proxy behaviour will
> trigger a CVE-2016-6816 like issue but that risk exis

2017-05-25 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60594
--- Comment #22 from Mark Thomas ---
You mean '<' and '>'? There is always the risk that unexpected reverse proxy behaviour will trigger a CVE-2016-6816-like issue but that risk exists for any whitelisted character that should really be enc

2017-05-25 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60594
--- Comment #21 from Coty Sutherland ---
Can anyone see any adverse effects to adding angle brackets to the whitelist? I have a customer that is using unencoded angle brackets around their session IDs in the URL which they can't change at this

2017-05-18 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60594
--- Comment #20 from Mark Thomas ---
(In reply to Lulseged Zerfu from comment #19)
> Hi
>
> We have found that we have problems with some characters that are not
> allowed in request URI and would like to know if any filter or valve can be
>

2017-05-18 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60594
--- Comment #19 from Lulseged Zerfu ---
Hi, we have found that we have problems with some characters that are not allowed in the request URI and would like to know if any filter or valve can be applied to encode until clients get updated instead o

2017-02-07 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60594
Coty Sutherland changed:
What        | Removed | Added
Resolution  | ---     | FIXED
Status      | NEW     |

2017-02-06 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60594
--- Comment #17 from Coty Sutherland ---
OK, cool. So unless someone else objects to the patch as-is, I'll commit it to 7.0.x - 8.5.x shortly.

2017-02-06 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60594
--- Comment #16 from Remy Maucherat ---
-1 as well for any additional characters. People who are that desperate to run into trouble can patch Tomcat easily.

2017-02-06 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60594
--- Comment #15 from eolivelli ---
OK Mark, at this moment I'm running a patch in production to make all the characters allowed. I have evidence only of troubles for curly braces and pipe characters, so the patch looks good for me. I will wait

2017-02-06 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60594
--- Comment #14 from Mark Thomas ---
You need to make a case for each of those to be added to the potentially allowed list. Without any such justification, I am -1 on expanding it beyond the current three allowed characters.

2017-02-06 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60594
--- Comment #13 from eolivelli ---
Coty, the patch looks good to me; can you please add the following chars to the list of allowed characters?
  '\"' (double quote)
  '#' (sharp)
  '<' (left angle bracket)
  '>' (right angle bracket)
  '\\' (backslash)

2017-01-31 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60594
Coty Sutherland changed:
What                           | Removed | Added
Attachment #34684 is obsolete  | 0       | 1

2017-01-31 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60594
--- Comment #11 from eolivelli ---
Please fix it in Tomcat 8.5.X too

2017-01-31 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60594
--- Comment #10 from Mark Thomas ---
Thanks for the updated patch. I like the overall design. Some detail comments:
- I think a different name is required. We might want to override other restrictions in the future. Maybe requestTargetAllow
-

2017-01-30 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60594
--- Comment #9 from Coty Sutherland ---
Created attachment 34694 --> https://bz.apache.org/bugzilla/attachment.cgi?id=34694&action=edit
whitelist proposal limiting characters with docs
OK, here's an updated whitelist patch restricting the ch

2017-01-27 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60594
--- Comment #8 from Mark Thomas ---
I think I prefer the whitelist option but I'd like to see it limited, at this point, to '{', '}' and '|'. Other characters can be considered on a case-by-case basis. Documentation should go in the system p

2017-01-27 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60594
--- Comment #7 from Coty Sutherland ---
Created attachment 34687 --> https://bz.apache.org/bugzilla/attachment.cgi?id=34687&action=edit
whitelist patch proposal
For reference, and so I don't accidentally delete it :)

2017-01-27 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60594
--- Comment #6 from eolivelli ---
Hi, for my use cases I would like to have just a whitelist and let Tomcat handle all the RFC blacklisted chars automatically. In my case I had to whitelist curly braces and pipe.

2017-01-27 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60594
--- Comment #5 from Coty Sutherland ---
(In reply to Mark Thomas from comment #4)
> I generally dislike configuration via system property. That said, making
> this per Connector will be significantly more invasive.
I agree on both points. The

2017-01-27 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60594
--- Comment #4 from Mark Thomas ---
Allowing some of those (e.g. space) is extremely dangerous and should not be allowed under any circumstances. I generally dislike configuration via system property. That said, making this per Connector will

2017-01-27 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60594
--- Comment #3 from Coty Sutherland ---
Created attachment 34684 --> https://bz.apache.org/bugzilla/attachment.cgi?id=34684&action=edit
patch proposal
In response to the numerous complaints on the users list I decided to give this a shot. I

2017-01-20 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60594
Remy Maucherat changed:
What | Removed | Added
CC   |         | eolive...@gmail.com
--- Comment #2 fr

2017-01-17 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60594
Mark Thomas changed:
What      | Removed    | Added
Severity  | regression | enhancement
--- Comment #1 from Mark Tho