[Bug 60594] New: RFC 7230/3986 url requirement that prevents unencoded curly braces should be optional, since it breaks existing sites

[bugzilla]

https://bz.apache.org/bugzilla/show_bug.cgi?id=60594

            Bug ID: 60594
           Summary: RFC 7230/3986 url requirement that prevents unencoded
                    curly braces should be optional, since it breaks
                    existing sites
           Product: Tomcat 7
           Version: 7.0.73
          Hardware: All
                OS: All
            Status: NEW
          Severity: regression
          Priority: P2
         Component: Connectors
          Assignee: dev@tomcat.apache.org
          Reporter: gros...@versifit.com
  Target Milestone: ---

Using the protocol="HTTP/1.1" connector (Coyote)

After upgrading a site to Tomcat 7.0.73 from 7.0.72 or from anything earlier, a
url with an unencoded { or } (ie. http://my.com?filter={"search":"isvalid"} ),
now returns a 400 error code and logs the following error message:

"INFO: Error parsing HTTP request header
 Note: further occurrences of HTTP header parsing errors will be logged at
DEBUG level.
java.lang.IllegalArgumentException: Invalid character found in the request
target. The valid characters are defined in RFC 7230 and RFC 3986"

Resolution:
Since this is a breaking change (aka regression failure), there should be an
option to override and turn this off (still reporting the first occurrence as
shown above), so that any existing site which experiences this can choose to
ignore this failure and continue as before, so they can deal with changing
their application at a later date, if they deem the security risk is
appropriate.

Defaulting the option to true (to enable the check) is perfectly fine, as long
as there is an option in a server and/or application config file to disable it,
and proper documentation on it.

Either this, or you clearly state in the release notes of 7.0.73, exactly what
will break, and recommend that users do not perform the Tomcat update, if they
are not ready to change their applications to comply, but I think this would
open up an even bigger can of worms.

Instead of just saying:
"Add additional checks for valid characters to the HTTP request line parsing so
invalid request lines are rejected sooner. (markt)" - this tells us nothing
about the impending doom we may face.

But, I would recommend just giving us the option to decide for ourselves.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org