On 08/05/17 13:53, John Zanoni wrote:
> Dear,
>
> After upgrading Tomcat to version 8.5.14 the webserver returns a 400
> error when accessing any web page using a | (pipe) in one of the
> request parameters.
>
> The | (pipe) is added when the URL is re-written using the Google
> Analytics _getLinkerUrl(); see the JavaScript function below.
>
> <script>
>   var pageTracker = _gat._getTrackerByName();
>   var uri = pageTracker._getLinkerUrl("http://shop.bakkerijhaasnoot.nl");
>   alert(uri);
> </script>
>
> http://shop.bakkerijhaasnoot.nl?__utma=68893267.349269500.1493841017.1493841017.1493913856.2&__utmb=68893267.38.9.1493914656569&__utmc=68893267&__utmx=-&__utmz=68893267.1493841017.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)&_utmv=-&_utmk=59369258
>
> Prior to Tomcat 8.5.14 this was never an issue. It is possible to
> replace the | (pipe) with a %7C, which prevents Tomcat from returning a
> 400 error, but how can we tell Tomcat not to respond with a 400 when
> a | (pipe) is used in the value of one of the parameters? We rolled
> back to an older version (Tomcat 8.5.4) to solve the issue, but this
> is actually a temporary solution.
The various specifications (RFC 7230, RFC 3986) do not permit the use of an un-encoded '|' character anywhere in the request target. Due to CVE-2016-6816 all versions of Tomcat are now much stricter about enforcing the specifications in this area.

The right solution is fixing the broken client that is sending an invalid request.

In 8.5.x, 8.0.x and 7.0.x (you'll need a recent release) there is a system property you can use to bypass this validation in a strictly limited set of cases - currently '{', '|' and '}'. However, this should be viewed as a short-term hack around the broken client code. There are no plans to make this feature available in 9.0.x.

Look for tomcat.util.http.parser.HttpParser.requestTargetAllow in http://tomcat.apache.org/tomcat-8.5-doc/config/systemprops.html

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
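The following JavaScript is an added example to illustrate the two points in Mark's reply; it is not code from the thread, from Tomcat, or from Google Analytics. It models the RFC 3986 request-target rule (which characters may appear raw in the path and query), a server decision that returns 400 unless a character is on a small allow-list (the string '{|}' stands in for the effect of the requestTargetAllow property; Tomcat's real check lives in its HttpParser and is not reproduced here), and the client-side fix of percent-encoding only the offending characters. The sample request target is constructed from the linker query posted in the thread, with the mail client's line-wrap spaces removed and the host dropped so it is in origin form.

```javascript
// Added example, not code from the thread or from Tomcat: a model of the
// RFC 3986 request-target rule, the narrow relaxation the system property
// gives, and the client-side fix (encode the value before sending it).
//
// RFC 3986 character classes:
//   unreserved  = ALPHA / DIGIT / "-" / "." / "_" / "~"
//   sub-delims  = "!" / "$" / "&" / "'" / "(" / ")" / "*" / "+" / "," / ";" / "="
//   pchar       = unreserved / pct-encoded / sub-delims / ":" / "@"
//   path chars  = pchar / "/"          query = *( pchar / "/" / "?" )
const PATH_CHAR = /^[A-Za-z0-9\-._~!$&'()*+,;=:@/]$/;
const QUERY_CHAR = /^[A-Za-z0-9\-._~!$&'()*+,;=:@/?]$/;
const HEX2 = /^[0-9A-Fa-f]{2}$/;

// Scan an origin-form request target ("/path?query") and return every
// character that may not appear raw, with its offset. An empty list means
// the target is clean under RFC 3986 / RFC 7230.
function findInvalidChars(target) {
  const bad = [];
  const q = target.indexOf('?');
  const pathEnd = q === -1 ? target.length : q;
  for (let i = 0; i < target.length; i++) {
    const ch = target[i];
    if (i === q) continue;                       // the '?' separator itself
    if (ch === '%') {
      if (HEX2.test(target.slice(i + 1, i + 3))) { i += 2; continue; }
      bad.push({ offset: i, char: ch });         // lone or malformed '%'
      continue;
    }
    const allowed = i < pathEnd ? PATH_CHAR : QUERY_CHAR;
    if (!allowed.test(ch)) bad.push({ offset: i, char: ch });
  }
  return bad;
}

// Model of the server decision: 400 on any invalid character except those
// in extraAllowed. The thread says the property can only admit '{', '|'
// and '}' (assumed here as the string TOMCAT_RELAX_MAX), so a raw space,
// '"', '<' and so on are still rejected even with the property set.
const TOMCAT_RELAX_MAX = '{|}';
function requestTargetStatus(target, extraAllowed = '') {
  const bad = findInvalidChars(target).filter(b => !extraAllowed.includes(b.char));
  return bad.length === 0 ? 200 : 400;
}

// The real fix, on the client: percent-encode only the characters that are
// not allowed raw, leaving existing %XX escapes alone (no double encoding).
function fixRequestTarget(target) {
  let out = '';
  const q = target.indexOf('?');
  const pathEnd = q === -1 ? target.length : q;
  for (let i = 0; i < target.length; i++) {
    const ch = target[i];
    if (i === q) { out += ch; continue; }
    if (ch === '%' && HEX2.test(target.slice(i + 1, i + 3))) {
      out += target.slice(i, i + 3); i += 2; continue;
    }
    const allowed = i < pathEnd ? PATH_CHAR : QUERY_CHAR;
    if (allowed.test(ch)) { out += ch; continue; }
    // encodeURIComponent emits %XX for each UTF-8 byte; take a whole code
    // point so a surrogate pair is encoded as one character.
    const cp = String.fromCodePoint(target.codePointAt(i));
    out += encodeURIComponent(cp);
    i += cp.length - 1;
  }
  return out;
}

// Constructed input: the query from the thread's _getLinkerUrl() output,
// with the mail line-wrap spaces removed, as an origin-form target.
const LINKER_TARGET =
  '/?__utma=68893267.349269500.1493841017.1493841017.1493913856.2' +
  '&__utmb=68893267.38.9.1493914656569&__utmc=68893267&__utmx=-' +
  '&__utmz=68893267.1493841017.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)' +
  '&_utmv=-&_utmk=59369258';

console.log('strict:', requestTargetStatus(LINKER_TARGET));                   // 400
console.log('relaxed:', requestTargetStatus(LINKER_TARGET, TOMCAT_RELAX_MAX)); // 200
console.log('fixed:', fixRequestTarget(LINKER_TARGET));                        // '|' -> '%7C'
```

In the client, run the URL returned by _getLinkerUrl() through fixRequestTarget (or build the query yourself with encodeURIComponent on each value) before using it; that is the fix Mark calls for. The relaxed check also shows why the property is only a hack: it helps for exactly the three listed characters, and any other raw character that a broken client emits still produces a 400.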