[Bug 60594] RFC 7230/3986 url requirement that prevents unencoded curly braces should be optional, since it breaks existing sites

2018-08-01 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60594 --- Comment #34 from Mark Thomas --- Ah. No need. Enable debug logging for org.apache.coyote.http11.Http11InputBuffer and it will log the entire request headers. -- You are receiving this mail because: You are the assignee for the bug.

[Bug 60594] RFC 7230/3986 url requirement that prevents unencoded curly braces should be optional, since it breaks existing sites

2018-08-01 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60594 --- Comment #33 from Mark Thomas --- The point regarding log files is a valid one but if the parsing of the request target fails, the access log will contain null rather than the request target. Generally, we do allow potentially security

[Bug 60594] RFC 7230/3986 url requirement that prevents unencoded curly braces should be optional, since it breaks existing sites

2018-07-31 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60594 --- Comment #32 from Christopher Schultz --- URLs can contain sensitive information. Access logs are expected to contains URLs and, if sensitive information is expected, those files can be cleansed. It may be surprising to find a URL in a

[Bug 60594] RFC 7230/3986 url requirement that prevents unencoded curly braces should be optional, since it breaks existing sites

2018-07-31 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60594 --- Comment #31 from Sven Schliesing --- Is there a reason why the error message does not log the URL? It's pretty hard to fix any calls if you do not know what exactly triggers this error. -- You are receiving this mail because: You are the

[Bug 60594] RFC 7230/3986 url requirement that prevents unencoded curly braces should be optional, since it breaks existing sites

2018-05-29 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60594 --- Comment #30 from Mark Thomas --- See bug 62273 for further developments. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe,

[Bug 60594] RFC 7230/3986 url requirement that prevents unencoded curly braces should be optional, since it breaks existing sites

2017-09-25 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60594 --- Comment #29 from Jeff --- I would like to ask for the ^ character. I'm not sure how to make a case for this. Its kind of important for us because we have been using this to denote financial indexes (similar to yahoo

[Bug 60594] RFC 7230/3986 url requirement that prevents unencoded curly braces should be optional, since it breaks existing sites

2017-06-21 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60594 --- Comment #28 from Lulseged Zerfu --- Hi Let us know if tomcat will add the '"' as '{', '}' and '|' are added to let us continue using latest tomcat releases. Please let us know what you think. BR Lulseged --

[Bug 60594] RFC 7230/3986 url requirement that prevents unencoded curly braces should be optional, since it breaks existing sites

2017-06-12 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60594 --- Comment #27 from Lulseged Zerfu --- Hi Any comment if you will add '"' to allow in our request URL? Ta the end of the day we are taking the risk. BR Lulseged -- You are receiving this mail because: You are the

[Bug 60594] RFC 7230/3986 url requirement that prevents unencoded curly braces should be optional, since it breaks existing sites

2017-06-08 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60594 --- Comment #26 from Lulseged Zerfu --- Hi We don't see anyway out when millions of terminals are not working and that tomcat restricted '"' from being a part of request URL. Terminals will not comply overnight but

[Bug 60594] RFC 7230/3986 url requirement that prevents unencoded curly braces should be optional, since it breaks existing sites

2017-06-08 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60594 --- Comment #25 from Mark Thomas --- I'm neutral on adding '<' and '>' as allowed options. I think '"' is in the same category. i.e. there is the risk that unexpected reverse proxy behaviour will trigger a CVE-2016-6816 like

[Bug 60594] RFC 7230/3986 url requirement that prevents unencoded curly braces should be optional, since it breaks existing sites

2017-06-08 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60594 --- Comment #24 from Lulseged Zerfu --- Hi A reverse proxy is not an option and I would like to make a case where we allow double quotes in request URLs as '{', '}' and '|' are allowed today by configuring:

[Bug 60594] RFC 7230/3986 url requirement that prevents unencoded curly braces should be optional, since it breaks existing sites

2017-05-25 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60594 --- Comment #23 from Coty Sutherland --- (In reply to Mark Thomas from comment #22) > You mean '<' and '>' ? Yes. > There is always the risk that unexpected reverse proxy behaviour will > trigger a CVE-2016-6816 like

[Bug 60594] RFC 7230/3986 url requirement that prevents unencoded curly braces should be optional, since it breaks existing sites

2017-05-25 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60594 --- Comment #22 from Mark Thomas --- You mean '<' and '>' ? There is always the risk that unexpected reverse proxy behaviour will trigger a CVE-2016-6816 like issue but that risks exists for any white-listed character that

[Bug 60594] RFC 7230/3986 url requirement that prevents unencoded curly braces should be optional, since it breaks existing sites

2017-05-25 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60594 --- Comment #21 from Coty Sutherland --- Can anyone see any adverse affects to adding angle brackets to the whitelist? I have a customer that is using unencoded angle brackets around their session IDs in the URL which they

[Bug 60594] RFC 7230/3986 url requirement that prevents unencoded curly braces should be optional, since it breaks existing sites

2017-05-18 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60594 --- Comment #20 from Mark Thomas --- (In reply to Lulseged Zerfu from comment #19) > Hi > > We have found that we have problems with some characters that are not > allowed in request URI and would like to know if any filter

[Bug 60594] RFC 7230/3986 url requirement that prevents unencoded curly braces should be optional, since it breaks existing sites

2017-05-18 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60594 --- Comment #19 from Lulseged Zerfu --- Hi We have found that we have problems with some characters that are not allowed in request URI and would like to know if any filter or valve can be applied to encode until

[Bug 60594] RFC 7230/3986 url requirement that prevents unencoded curly braces should be optional, since it breaks existing sites

2017-02-07 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60594 Coty Sutherland changed: What|Removed |Added Resolution|--- |FIXED

[Bug 60594] RFC 7230/3986 url requirement that prevents unencoded curly braces should be optional, since it breaks existing sites

2017-02-06 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60594 --- Comment #17 from Coty Sutherland --- OK, cool. So unless someone else objects to the patch as-is, I'll commit it to 7.0.x - 8.5.x shortly. -- You are receiving this mail because: You are the assignee for the bug.

[Bug 60594] RFC 7230/3986 url requirement that prevents unencoded curly braces should be optional, since it breaks existing sites

2017-02-06 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60594 --- Comment #16 from Remy Maucherat --- -1 as well for any additional characters. People who are that desperate to run into trouble can patch Tomcat easily. -- You are receiving this mail because: You are the assignee for

[Bug 60594] RFC 7230/3986 url requirement that prevents unencoded curly braces should be optional, since it breaks existing sites

2017-02-06 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60594 --- Comment #15 from eolivelli --- OK Mark at this moment I'm running a patch in production to make all the characters allowed. I have evidence only on troubles for curly braches and pipe characters so the patch looks

[Bug 60594] RFC 7230/3986 url requirement that prevents unencoded curly braces should be optional, since it breaks existing sites

2017-02-06 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60594 --- Comment #14 from Mark Thomas --- You need to make a case for each of those to added to the potentially allowed list. Without any such justification, I am -1 on expanding it beyond the current three allowed characters. --

[Bug 60594] RFC 7230/3986 url requirement that prevents unencoded curly braces should be optional, since it breaks existing sites

2017-02-06 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60594 --- Comment #13 from eolivelli --- Coty, the patch looks good to me, can you please add the following chars to the list of allowed characters ? '\"' (double quote) '#' (sharp) '<' (left angle bracket) '>' (right angle

[Bug 60594] RFC 7230/3986 url requirement that prevents unencoded curly braces should be optional, since it breaks existing sites

2017-01-31 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60594 Coty Sutherland changed: What|Removed |Added Attachment #34684|0 |1 is

[Bug 60594] RFC 7230/3986 url requirement that prevents unencoded curly braces should be optional, since it breaks existing sites

2017-01-31 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60594 --- Comment #11 from eolivelli --- Please fix it in Tomcat 8.5.X too -- You are receiving this mail because: You are the assignee for the bug. - To

[Bug 60594] RFC 7230/3986 url requirement that prevents unencoded curly braces should be optional, since it breaks existing sites

2017-01-31 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60594 --- Comment #10 from Mark Thomas --- Thanks for the updated patch. I like the overall design. Some detail comments: - I think a different name is required. We might want to override other restrictions in the future. Maybe

[Bug 60594] RFC 7230/3986 url requirement that prevents unencoded curly braces should be optional, since it breaks existing sites

2017-01-30 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60594 --- Comment #9 from Coty Sutherland --- Created attachment 34694 --> https://bz.apache.org/bugzilla/attachment.cgi?id=34694=edit whitelist proposal limiting characters with docs OK, here's an updated whitelist patch

[Bug 60594] RFC 7230/3986 url requirement that prevents unencoded curly braces should be optional, since it breaks existing sites

2017-01-27 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60594 --- Comment #8 from Mark Thomas --- I think I prefer the whitelist option but I'd like to see it limited to - at this point - '{', '}' and '|'. Other characters can be considered on a case by case basis. Documentation should

[Bug 60594] RFC 7230/3986 url requirement that prevents unencoded curly braces should be optional, since it breaks existing sites

2017-01-27 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60594 --- Comment #7 from Coty Sutherland --- Created attachment 34687 --> https://bz.apache.org/bugzilla/attachment.cgi?id=34687=edit whitelist patch proposal For reference, and so I don't accidentally delete it :) -- You

[Bug 60594] RFC 7230/3986 url requirement that prevents unencoded curly braces should be optional, since it breaks existing sites

2017-01-27 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60594 --- Comment #6 from eolivelli --- Hi, for my use cases I would like to have just a whitelist and let Tomcat handle all the RFC blacklisted chars automatically. In my case I had to whitelist curly braces and pipe. -- You

[Bug 60594] RFC 7230/3986 url requirement that prevents unencoded curly braces should be optional, since it breaks existing sites

2017-01-27 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60594 --- Comment #5 from Coty Sutherland --- (In reply to Mark Thomas from comment #4) > I generally dislike configuration via system property. That said, making > this per Connector will be significantly more invasive. I

[Bug 60594] RFC 7230/3986 url requirement that prevents unencoded curly braces should be optional, since it breaks existing sites

2017-01-27 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60594 --- Comment #4 from Mark Thomas --- Allowing some of those (e.g. space) is extremely dangerous and should not be allowed under any circumstances. I generally dislike configuration via system property. That said, making this

[Bug 60594] RFC 7230/3986 url requirement that prevents unencoded curly braces should be optional, since it breaks existing sites

2017-01-27 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60594 --- Comment #3 from Coty Sutherland --- Created attachment 34684 --> https://bz.apache.org/bugzilla/attachment.cgi?id=34684=edit patch proposal In response to the numerous complaints on the users list I decided to give

[Bug 60594] RFC 7230/3986 url requirement that prevents unencoded curly braces should be optional, since it breaks existing sites

2017-01-20 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60594 Remy Maucherat changed: What|Removed |Added CC||eolive...@gmail.com

[Bug 60594] RFC 7230/3986 url requirement that prevents unencoded curly braces should be optional, since it breaks existing sites

2017-01-17 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60594 Mark Thomas changed: What|Removed |Added Severity|regression |enhancement ---