On 03/12/2016 19:46, [email protected] wrote:
> Am 03.12.2016 um 20:29 schrieb Mark Thomas:
>> On 03/12/2016 13:28, [email protected] wrote:
>>> Between Tomcat 8.38 and 8.39 there seems to be a change in handling URL
>>> parameters:
>>>
>>> &paramxy=1|2
>>>
>>> This will cause Tomcat to return a 400 error since 8.39. It is the
>>> character "|" that causes the new behaviour. I suspect these changes:
>>>
>>> https://github.com/apache/tomcat/commit/516bda676ac8d0284da3e0295a7df70391315360
>>>
>>>
>>>
>>> First thing to know:
>>>
>>> Is this intended?
>> Yes.
>>
>>> Second:
>>>
>>> Any way to restore the previous behaviour of 8.38 with a config option?
>> No, since the changes were in response to a security issue.
>>
>> '|' is not a valid character in any part of an HTTP/1.1 request-target.
>> You need to fix whatever broken client is sending '|' without %
>> encoding it.
>>
>> Mark
>
> Unfortunately (for me) this will not be possible: This is a kind of a
> proxy/rewriter situation where I cannot control the input being sent. I
> need to be able to deal with any kind of request you will see out there
> in the wild.
If a request contains an unencoded '|' in the request-target, the
correct way to deal with it is to return a 400.
Mark
>
> I assume it is this part, responsible for the new behaviour?
>
> // Not valid for request target.
> // Combination of multiple rules from RFC7230 and RFC 3986. Must be
> // ASCII, no controls plus a few additional characters excluded
> if (IS_CONTROL[i] || i > 127 ||
>         i == ' ' || i == '\"' || i == '#' || i == '<' || i == '>' || i == '\\' ||
>         i == '^' || i == '`' || i == '{' || i == '|' || i == '}') {
>     IS_NOT_REQUEST_TARGET[i] = true;
> }
>
> Do you see any better way to influence this, instead of patching and
> rebuilding from scratch?
>
> Thanks!
> Markus
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>
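The character rule quoted above, rebuilt as an added example that is not Tomcat's own code (Python rather than Java so it runs stand-alone): it mirrors the quoted IS_NOT_REQUEST_TARGET table, reports where Tomcat would refuse a request-target, and shows the one thing a rewriting proxy that cannot fix its clients can legitimately do with a target such as "/app?paramxy=1|2", namely percent-encode the offending bytes before forwarding rather than ask the server to accept them. The helper names and the sample targets are this example's own.

```python
"""Added example (not Tomcat code): the request-target character rule
quoted from Tomcat's HttpParser, plus a percent-encoding step a front-end
proxy can apply before forwarding.  Assumption: the excluded set below
mirrors the quoted snippet (RFC 7230 request-target rules plus the RFC 3986
characters Tomcat additionally rejects); helper names are hypothetical.
"""

# Characters the quoted rule rejects on top of control characters
# (0x00-0x1F, 0x7F) and every byte above 0x7F.
EXTRA_EXCLUDED = set(' "#<>\\^`{|}')


def is_control(byte):
    """Same notion of 'control' as IS_CONTROL in the quoted snippet."""
    return byte < 0x20 or byte == 0x7F


def allowed_in_request_target(byte):
    """Inverse of the quoted IS_NOT_REQUEST_TARGET table for one byte."""
    if is_control(byte) or byte > 127:
        return False
    return chr(byte) not in EXTRA_EXCLUDED


def first_invalid_offset(target):
    """Offset of the first byte Tomcat would refuse, or -1 if none.

    A target with a non-negative result gets a 400 from Tomcat; a proxy
    that wants to fail fast itself can run the same check.
    """
    for i, b in enumerate(target.encode("utf-8")):
        if not allowed_in_request_target(b):
            return i
    return -1


def percent_encode_invalid(target):
    """Percent-encode only the bytes the rule rejects.

    '%' is in the allowed set, so an already-encoded target comes back
    unchanged; note this does not validate that every '%' is followed by
    two hex digits, which is a separate check.
    """
    out = []
    for b in target.encode("utf-8"):
        if allowed_in_request_target(b):
            out.append(chr(b))
        else:
            out.append("%%%02X" % b)
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample targets: the one from the thread plus variants.
    for t in ["/app?paramxy=1|2", "/app?paramxy=1%7C2", "/a b", "/ok?x=y"]:
        off = first_invalid_offset(t)
        verdict = "400 at offset %d" % off if off >= 0 else "ok"
        print("%-22s -> %-16s encoded: %s"
              % (t, verdict, percent_encode_invalid(t)))
```

Running the block prints the verdict and the encoded form for each constructed target; "/app?paramxy=1|2" is refused at the '|' and becomes "/app?paramxy=1%7C2", which is what the client (or the rewriter in front of Tomcat) should have sent in the first place. Encoding at the proxy is a mitigation for clients you cannot change, not a reason to relax the server-side check.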