Chris,

Peter Kreuser

> On 13.10.2017 at 04:29, Christopher Schultz <w...@christopherschultz.net> wrote:
>
> James,
>
>> On 10/12/17 8:44 PM, James H. H. Lampert wrote:
>> Question:
>>
>> The application we're developing has a suite of web services
>> (RESTful, Swagger-based), and at least one of them can accept a
>> pound sign ("#") as a URL parameter.
>>
>> Several months ago, with the application and all of its services
>> running on Tomcat 7, it was accepting a plain, naked # in the URL.
>> Now, running on Tomcat 8.5, it's returning an error message
>> ("HTTP/1.1 400").
>
> No client should ever send a naked # to a server. It's a violation of
> the spec, full stop. That isn't to say that Tomcat should fail in any
> particular way, but Tomcat is well within its rights to say "a # is
> not allowed in a URL, so this is a bad request".
>

Nevertheless there is AFAIR a command-line switch to set TC 8.5 to the old behavior.

James, please browse the mail archives. From a quick look this seems to help, for a short-term solution:

https://marc.info/?l=tomcat-user&m=150183715500537&w=2

Please nevertheless fix the client, for a better world as Chris pointed out ;-P.

Best regards

Peter

>> The developer (in a different time zone) has explained about
>> URL-encoding, but hasn't said whether there was anything in his
>> code to make it stop tolerating the naked # sign.
>>
>> Did the change from Tomcat 7 to Tomcat 8.5 have anything to do
>> with this?
>
> Each version of Tomcat gets more and more strict about the garbage it
> will accept from clients. This is done to improve the world as a
> whole, and also improve security when it comes to things like
> converting URL paths into filesystem paths, etc. Strictly speaking,
> everything should *always* be safe, but it helps to stop The Badness
> at the earliest opportunity.
>
>> And if so, are there any other common ASCII characters that used
>> to be accepted as characters, but now have to be URL-encoded?
>
> Anything in the URL spec that is allowed should be allowed. Clients
> should expect that anything not mentioned in the spec would be
> rejected by a compliant server.
>
> -chris
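
The client-side fix the thread asks for, as an added example that is not part of the original messages: a Python check that reports which characters in a request target fall outside the RFC 3986 path/query grammar, plus a builder that percent-encodes parameter values. The `/api/items` endpoint and the parameter names are constructed, and the allowed set is the RFC's grammar, not Tomcat's own parser.

```python
from __future__ import annotations

import re
from urllib.parse import quote, urlsplit

# RFC 3986 characters permitted in the path and query of a request target:
# unreserved / sub-delims / ":" / "@" / "/" / "?", plus "%" only when it
# starts a valid percent-encoded triplet.
_ALLOWED = re.compile(r"[A-Za-z0-9\-._~!$&'()*+,;=:@/?]|%[0-9A-Fa-f]{2}")


def illegal_chars(target: str) -> list[tuple[int, str]]:
    """Return (offset, char) for each character a strict server may reject."""
    bad, i = [], 0
    while i < len(target):
        m = _ALLOWED.match(target, i)
        if m:
            i = m.end()
        else:
            bad.append((i, target[i]))
            i += 1
    return bad


def build_target(path: str, params: dict[str, str]) -> str:
    """Build a request target with every name and value percent-encoded."""
    query = "&".join(
        f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in params.items()
    )
    return f"{path}?{query}" if query else path


def parsed_view(target: str) -> tuple[str, str]:
    """Return (query, fragment) as a URL parser splits the target."""
    parts = urlsplit(target)
    return parts.query, parts.fragment


# Constructed sample: hypothetical endpoint and parameter names.
RAW = "/api/items?tag=#42&name=a b"
ENCODED = build_target("/api/items", {"tag": "#42", "name": "a b"})

if __name__ == "__main__":
    print(illegal_chars(RAW))      # the naked '#' and the raw space
    print(ENCODED)                 # same request with values encoded
    # A naked '#' starts the fragment, so a parser sees a truncated query.
    print(parsed_view(RAW))
```
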