On 08/05/17 13:53, John Zanoni wrote:
> Dear,
> 
> After upgrading tomcat to version 8.5.14 the webserver returns a 400
> error when accessing any web page using a | (pipe) in one of the
> request parameters.
> 
> The | (pipe) is added when the URL is re-written using google
> analytics _getLinkerUrl(), see javascript function below.
> 
> <script>
>   var pageTracker = _gat._getTrackerByName();
>   var uri = pageTracker._getLinkerUrl("http://shop.bakkerijhaasnoot.nl");
>   alert(uri);
> </script>
> 
> http://shop.bakkerijhaasnoot.nl?__utma=68893267.349269500.1493841017.1493841017.1493913856.2&__utmb=68893267.38.9.1493914656569&__utmc=68893267&__utmx=-&__utmz=68893267.1493841017.1.1.utmcsr=(direct)
> | utmccn=(direct) | utmcmd=(none)&_utmv=-&_utmk=59369258
> 
> Previous to tomcat 8.5.14 this was never an issue. It is possible to
> replace the | (pipe) with a %7C; this prevents tomcat from returning a
> 400 error, but how can we tell tomcat not to respond with a 400 when
> a | (pipe) is used in the value of one of the parameters? We rolled
> back to an older version (tomcat 8.5.4) to solve the issue, but this
> is actually a temporary solution.

The various specifications (RFC 7230, RFC 3986) do not permit the use of
an un-encoded '|' character anywhere in the request target.

Due to CVE-2016-6816 all versions of Tomcat are now much stricter about
enforcing the specifications in this area.

The right solution is fixing the broken client that is sending an
invalid request.

In 8.5.x, 8.0.x and 7.0.x (you'll need a recent release) there is a
system property you can use to bypass this validation in a strictly
limited set of cases - currently '{', '|' and '}'. However, this should
be viewed as a short-term hack around the broken client code. There are
no plans to make this feature available in 9.0.x.

Look for tomcat.util.http.parser.HttpParser.requestTargetAllow in
http://tomcat.apache.org/tomcat-8.5-doc/config/systemprops.html

Mark
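The fix Mark recommends is on the client side: percent-encode any character the URL specifications do not allow in the query before the request is sent. The following is an added example (not code from the thread, from Google Analytics or from Tomcat) that implements exactly that for the kind of linker URL quoted above. It uses the RFC 3986 `query` production (`unreserved`, `sub-delims`, `:`, `@`, `/`, `?` and existing `%XX` escapes) as the allowed set, which is why `|`, `{` and `}` are reported and encoded. The function names and the sample URL are constructed for this example; the check is a simplified model of the rule, not Tomcat's own parser.

```javascript
// Added example: percent-encode characters RFC 3986 does not permit in a URL
// query component, so a linker URL such as the one produced by _getLinkerUrl()
// is accepted by Tomcat 8.5.14 and later. Allowed set per RFC 3986:
//   query = *( pchar / "/" / "?" )
//   pchar = unreserved / pct-encoded / sub-delims / ":" / "@"
const UNRESERVED = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~";
const SUB_DELIMS = "!$&'()*+,;=";
const QUERY_EXTRA = ":@/?";
const QUERY_ALLOWED = new Set((UNRESERVED + SUB_DELIMS + QUERY_EXTRA).split(""));

// True when chars[i] starts a valid %XX escape.
function isPctEscape(chars, i) {
  return chars[i] === "%" && /^[0-9A-Fa-f]{2}$/.test(chars.slice(i + 1, i + 3).join(""));
}

// Return the distinct characters in `query` that may not appear unencoded.
// A '%' is only valid as part of a %XX escape. Simplified model of the
// RFC rule, not Tomcat's parser (assumption for this example).
function findInvalidQueryChars(query) {
  const chars = Array.from(query); // iterate by code point, not UTF-16 unit
  const bad = new Set();
  for (let i = 0; i < chars.length; i++) {
    if (isPctEscape(chars, i)) { i += 2; continue; }
    if (!QUERY_ALLOWED.has(chars[i])) bad.add(chars[i]);
  }
  return [...bad];
}

// Percent-encode every invalid character in the query part of `url`,
// leaving the scheme/host/path, existing %XX escapes and any fragment alone.
function encodeQueryForRfc3986(url) {
  const q = url.indexOf("?");
  if (q === -1) return url;
  const hash = url.indexOf("#", q);
  const end = hash === -1 ? url.length : hash;
  const chars = Array.from(url.slice(q + 1, end));
  let out = "";
  for (let i = 0; i < chars.length; i++) {
    if (isPctEscape(chars, i)) {
      out += chars[i] + chars[i + 1] + chars[i + 2];
      i += 2;
    } else if (QUERY_ALLOWED.has(chars[i])) {
      out += chars[i];
    } else {
      // encodeURIComponent emits %XX for ASCII and UTF-8 escapes otherwise
      out += encodeURIComponent(chars[i]);
    }
  }
  return url.slice(0, q + 1) + out + url.slice(end);
}

// Constructed sample with the shape of the linker URL quoted in the thread
// (shortened; the un-encoded pipes are the part Tomcat rejects with a 400).
const LINKER_URL =
  "http://shop.bakkerijhaasnoot.nl/?__utmz=68893267.1493841017.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)&__utmx=-";

// Usage: run the linker URL through the encoder before navigating.
console.log(findInvalidQueryChars(LINKER_URL.split("?")[1])); // [ '|' ]
console.log(encodeQueryForRfc3986(LINKER_URL));
```

In the page's own script this would be `var uri = encodeQueryForRfc3986(pageTracker._getLinkerUrl("http://shop.bakkerijhaasnoot.nl"));`, which turns each `|` into `%7C` as the poster observed Tomcat accepts, and removes the need for the `requestTargetAllow` system property.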
