On 30/10/18 09:53, Jasper Timm wrote:
> Hi all,
> 
> I'm facing an issue handling square brackets which seems to have been
> introduced sometime between 7.0.87 and 7.0.90.
> 
> I'm running from the docker hub image of tomcat, previously 'tomcat:7-jre8'
> but after that was updated to 7.0.90 I've pinned it back to
> 'tomcat:7.0.86-jre8' where I no longer seem to face the issue.
> 
> I'm running a .war file of some open source software called DHIS2 (v2.27).
> When running 7.0.90, if I send requests of the following form:
> 
> http://<host>/api/organisationUnits?fields=parent[id]
> 
> I get the following error in the logs:
> 
> Oct 29, 2018 5:04:01 PM org.apache.coyote.http11.AbstractHttp11Processor
> process
> INFO: Error parsing HTTP request header
> Note: further occurrences of HTTP header parsing errors will be logged at
> DEBUG level.
> java.lang.IllegalArgumentException: Invalid character found in the request
> target. The valid characters are defined in RFC 7230 and RFC 3986
> at
> org.apache.coyote.http11.InternalAprInputBuffer.parseRequestLine(InternalAprInputBuffer.java:240)
> at
> org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1049)
> at
> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
> at
> org.apache.tomcat.util.net.AprEndpoint$SocketWithOptionsProcessor.run(AprEndpoint.java:2492)
> at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> at
> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
> at java.lang.Thread.run(Thread.java:748)
> 
> If I URL encode the square brackets the request seems to be fine.

As expected. As per RFC 7230 and RFC 3986 both '[' and ']' must be
encoded if used in the path or query string in a URI.

Request line parsing (including URI validation) was made more spec
compliant as a result of CVE-2016-6816 to reduce the risk of similar
vulnerabilities.

You can relax the validation with relaxedPathChars and/or
relaxedQueryChars on the Connector but fixing whatever is generating the
invalid URIs is going to be a better long term solution.

Mark
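
The character rule Mark describes, as an added example (not code from the thread, from Tomcat, or from DHIS2): a Python check that applies the RFC 3986 path and query character classes to a request-target, so the unencoded `[` and `]` from the failing request show up as the offending characters, and the client-side fix of percent-encoding the `fields` value before sending it. The host name and the helper names are assumptions.

```python
"""Check a request-target against the RFC 3986 character rules a strict
HTTP parser enforces, and build the DHIS2 URL with the brackets encoded."""
from urllib.parse import urlencode, urlsplit

# RFC 3986: path segments are pchar; query is pchar plus "/" and "?"
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")
SUB_DELIMS = set("!$&'()*+,;=")
PCHAR = UNRESERVED | SUB_DELIMS | set(":@")
PATH_ALLOWED = PCHAR | set("/")
QUERY_ALLOWED = PCHAR | set("/?")
HEXDIG = set("0123456789ABCDEFabcdef")


def disallowed_chars(request_target):
    """Return the unencoded characters in the path and query of a request-target
    that RFC 3986 requires to be percent-encoded. An empty list means a strict
    parser would accept the target; '[' and ']' in the query are reported."""
    path, _, query = request_target.partition("?")
    bad = []
    for component, allowed in ((path, PATH_ALLOWED), (query, QUERY_ALLOWED)):
        i = 0
        while i < len(component):
            ch = component[i]
            if ch == "%":
                # a pct-encoded triplet "%XX" is valid; a bare "%" is not
                if len(component) - i < 3 or not set(component[i + 1:i + 3]) <= HEXDIG:
                    bad.append(ch)
                i += 3
                continue
            if ch not in allowed:
                bad.append(ch)
            i += 1
    return bad


def dhis2_fields_url(host, fields):
    """Constructed helper: build the organisationUnits URL with the fields value
    percent-encoded, so '[' and ']' travel as %5B and %5D."""
    return f"http://{host}/api/organisationUnits?{urlencode({'fields': fields})}"


def request_target_of(url):
    """Constructed helper: the path?query part of a URL, as sent on the request line."""
    parts = urlsplit(url)
    return parts.path + ("?" + parts.query if parts.query else "")


if __name__ == "__main__":
    raw = "/api/organisationUnits?fields=parent[id]"   # the request from the report
    print("rejected characters:", disallowed_chars(raw))
    fixed = dhis2_fields_url("dhis.example.invalid", "parent[id]")  # assumed host
    print("encoded URL:", fixed, "->", disallowed_chars(request_target_of(fixed)))
```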
