Author: markt
Date: Thu Apr 26 13:15:21 2018
New Revision: 1830215
URL: http://svn.apache.org/viewvc?rev=1830215&view=rev
Log:
Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=62273
Implement configuration options to work-around specification non-compliant user
agents (including all the major browsers) that do not correctly %nn encode URI
paths and query strings as required by RFC 7230 and RFC 3986.
Modified:
tomcat/tc8.5.x/trunk/ (props changed)
tomcat/tc8.5.x/trunk/conf/catalina.properties
tomcat/tc8.5.x/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java
tomcat/tc8.5.x/trunk/java/org/apache/coyote/http11/Http11InputBuffer.java
tomcat/tc8.5.x/trunk/java/org/apache/coyote/http11/Http11Processor.java
tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/http/parser/HttpParser.java
tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml
tomcat/tc8.5.x/trunk/webapps/docs/config/http.xml
tomcat/tc8.5.x/trunk/webapps/docs/config/systemprops.xml
Propchange: tomcat/tc8.5.x/trunk/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Thu Apr 26 13:15:21 2018
@@ -1,2 +1,2 @@
/tomcat/tc8.0.x/trunk:1809644
-/tomcat/trunk:1734785,1734799,1734845,1734928,1735041,1735044,1735480,1735577,1735597,1735599-1735600,1735615,1736145,1736162,1736209,1736280,1736297,1736299,1736489,1736646,1736703,1736836,1736849,1737104-1737105,1737112,1737117,1737119-1737120,1737155,1737157,1737192,1737280,1737339,1737632,1737664,1737715,1737748,1737785,1737834,1737860,1737903,1737959,1738005,1738007,1738014-1738015,1738018,1738022,1738039,1738043,1738059-1738060,1738147,1738149,1738174-1738175,1738261,1738589,1738623-1738625,1738643,1738816,1738850,1738855,1738946-1738948,1738953-1738954,1738979,1738982,1739079-1739081,1739087,1739113,1739153,1739172,1739176,1739191,1739474,1739492,1739726,1739762,1739775,1739814,1739817-1739818,1739975,1740131,1740324,1740465,1740495,1740508-1740509,1740520,1740535,1740707,1740803,1740810,1740969,1740980,1740991,1740997,1741015,1741033,1741036,1741058,1741060,1741080,1741147,1741159,1741164,1741173,1741181,1741190,1741197,1741202,1741208,1741213,1741221,1741225,1741232,1741409
,1741501,1741677,1741892,1741896,1741984,1742023,1742042,1742071,1742090,1742093,1742101,1742105,1742111,1742139,1742146,1742148,1742166,1742181,1742184,1742187,1742246,1742248-1742251,1742263-1742264,1742268,1742276,1742369,1742387,1742448,1742509-1742512,1742917,1742919,1742933,1742975-1742976,1742984,1742986,1743019,1743115,1743117,1743124-1743125,1743134,1743425,1743554,1743679,1743696-1743698,1743700-1743701,1744058,1744064-1744065,1744125,1744149,1744194,1744229,1744270,1744323,1744432,1744684,1744697,1744705,1744713,1744760,1744786,1745083,1745142-1745143,1745145,1745177,1745179-1745180,1745227,1745248,1745254,1745337,1745467,1745473,1745535,1745576,1745735,1745744,1746304,1746306-1746307,1746319,1746327,1746338,1746340-1746341,1746344,1746427,1746441,1746473,1746490,1746492,1746495-1746496,1746499-1746501,1746503-1746507,1746509,1746549,1746551,1746554,1746556,1746558,1746584,1746620,1746649,1746724,1746939,1746989,1747014,1747028,1747035,1747210,1747225,1747234,1747253,1747
404,1747506,1747536,1747924,1747980,1747993,1748001,1748253,1748452,1748547,1748629,1748676,1748715,1749287,1749296,1749328,1749373,1749465,1749506,1749508,1749665-1749666,1749763,1749865-1749866,1749898,1749978,1749980,1750011,1750015,1750056,1750480,1750617,1750634,1750692,1750697,1750700,1750703,1750707,1750714,1750718,1750723,1750774,1750899,1750975,1750995,1751061,1751097,1751173,1751438,1751447,1751463,1751702,1752212,1752737,1752745,1753078,1753080,1753358,1753363,1754111,1754140-1754141,1754281,1754310,1754445,1754467,1754494,1754496,1754528,1754532-1754533,1754613,1754714,1754874,1754941,1754944,1754950-1754951,1755005,1755007,1755009,1755132,1755180-1755181,1755185,1755190,1755204-1755206,1755208,1755214,1755224,1755227,1755230,1755629,1755646-1755647,1755650,1755653,1755675,1755680,1755683,1755693,1755717,1755731-1755737,1755812,1755828,1755884,1755890,1755918-1755919,1755942,1755958,1755960,1755970,1755993,1756013,1756019,1756039,1756056,1756083-1756114,1756175,1756288-1
756289,1756408-1756410,1756778,1756798,1756878,1756898,1756939,1757123-1757124,1757126,1757128,1757132-1757133,1757136,1757145,1757167-1757168,1757175,1757180,1757182,1757195,1757271,1757278,1757347,1757353-1757354,1757363,1757374,1757399,1757406,1757408,1757485,1757495,1757499,1757527,1757578,1757684,1757722,1757727,1757790,1757799,1757813,1757853,1757883,1757903,1757976,1757997,1758000,1758058,1758072-1758075,1758078-1758079,1758223,1758257,1758261,1758276,1758292,1758369,1758378-1758383,1758421,1758423,1758425-1758427,1758430,1758443,1758448,1758459,1758483,1758486-1758487,1758499,1758525,1758556,1758580,1758582,1758584,1758588,1758842,1759019,1759212,1759224,1759227,1759252,1759274,1759513-1759516,1759611,1759757,1759785-1759790,1760005,1760022,1760109-1760110,1760135,1760200-1760201,1760227,1760300,1760397,1760446,1760454,1760640,1760648,1761057,1761422,1761491,1761498,1761500-1761501,1761550,1761553,1761572,1761574,1761625-1761626,1761628,1761682,1761740,1761752,1762051-176205
3,1762123,1762168,1762172,1762182,1762201-1762202,1762204,1762208,1762288,1762296,1762324,1762348,1762353,1762362,1762374,1762492,1762503,1762505,1762541,1762608,1762710,1762753,1762766,1762769,1762944,1762947,1762953,1763167,1763179,1763232,1763259,1763271-1763272,1763276-1763277,1763319-1763320,1763370,1763372,1763375,1763377,1763393,1763412,1763430,1763450,1763462,1763505,1763511-1763512,1763516,1763518,1763520,1763529,1763559,1763565,1763568,1763574,1763619,1763634-1763635,1763718,1763748,1763786,1763798-1763799,1763810,1763813,1763815,1763819,1763831,1764083,1764425,1764646,1764648-1764649,1764659,1764663,1764682,1764862,1764866-1764867,1764870,1764897,1765133,1765299,1765358,1765439,1765447,1765495,1765502,1765569-1765571,1765579,1765582,1765589-1765590,1765794,1765801,1765813,1765815,1766276,1766514,1766533,1766535,1766664,1766675,1766698,1766700,1766822,1766834,1766840,1767047,1767328,1767362,1767368,1767429,1767471,1767505,1767641-1767644,1767903,1767945-1767946,1768123,176
8283,1768520,1768569,1768651,1768762,1768922,1769191,1769263,1769630,1769833,1769975,1770047,1770140,1770180,1770258,1770389,1770656,1770666,1770718,1770762,1770952,1770954,1770956,1770961,1771087,1771126,1771139,1771143,1771149,1771156,1771266,1771316,1771386,1771611,1771613,1771711,1771718,1771723-1771724,1771730,1771743,1771752,1771853,1771963,1772170,1772174,1772223,1772229,1772318-1772319,1772353,1772355,1772554,1772603-1772609,1772849,1772865,1772870,1772872,1772875-1772876,1772881,1772886,1772947,1773306,1773344,1773418,1773756,1773813-1773814,1774052,1774102,1774131,1774161,1774164,1774248,1774253,1774257,1774259,1774262,1774267,1774271,1774303,1774340,1774406,1774412,1774426,1774433,1774522-1774523,1774526,1774528-1774529,1774531,1774732-1774736,1774738-1774739,1774741-1774742,1774749,1774755,1774789,1774858,1774867,1775596,1775985-1775986,1776540,1776937,1776954,1777011,1777173,1777189,1777211,1777524,1777546,1777605,1777619,1777647,1777721-1777722,1777967,1778061,1778138-
1778139,1778141-1778150,1778154,1778275-1778276,1778295,1778342,1778348,1778404,1778424,1778426,1778575,1778582,1778600,1778603,1779312,1779370,1779545,1779612,1779622,1779641,1779654,1779708,1779718,1779897,1779899,1779932,1780109,1780120,1780189,1780196,1780488,1780514-1780516,1780601,1780606,1780609-1780610,1780652,1780991,1780995-1780996,1781174,1781569,1781975,1781986,1782116,1782383-1782384,1782566,1782572,1782775,1782779,1782814,1782857,1782868,1782934,1782946-1782947,1782956,1783144-1783147,1783155,1783408,1784182,1784565,1784583,1784657,1784669,1784712,1784723,1784751,1784767,1784806,1784818,1784911,1784926,1784956,1784963,1785032,1785037,1785245,1785271,1785310,1785317,1785643,1785667,1785762,1785774,1785823,1785935,1786051,1786070,1786123-1786124,1786127,1786129,1786341,1786378,1786844,1787200,1787250,1787405,1787662,1787701,1787703,1787938,1787959,1787973,1788223-1788224,1788228,1788232,1788241-1788242,1788248,1788323,1788328,1788455,1788460,1788473,1788543-1788544,17885
48,1788550,1788554,1788558,1788560,1788567,1788569,1788572,1788647,1788732,1788741,1788747,1788753,1788764,1788771,1788834,1788841,1788852,1788860,1788883,1788890,1789051,1789400,1789415,1789442-1789443,1789447,1789453,1789456,1789458,1789461-1789463,1789465-1789467,1789470,1789472,1789474,1789476,1789479-1789480,1789685,1789733,1789735,1789744-1789745,1789937,1789984,1790119,1790180,1790183,1790213,1790376,1790443,1790614,1790983,1790991,1791027-1791028,1791050,1791090,1791095-1791096,1791099,1791101-1791103,1791124,1791129,1791134,1791137,1791298,1791527,1791557,1791970,1792033,1792038,1792055,1792093,1792140,1792460,1792468,1792791,1792957,1793095,1793121,1793123,1793127,1793136,1793139,1793147-1793148,1793266,1793437,1793449,1793460,1793468,1793487,1793498,1793502,1793514,1793682-1793683,1793711-1793712,1793716,1793719,1793736,1793746,1793758,1793771,1793776,1793798,1793802,1793812,1793819,1793844,1793854,1793887,1793891,1793898,1793901-1793902,1793907,1793910,1793980,1794556,17
94674,1794941-1794942,1795278,1795289,1795298,1795305,1795813,1795893,1796090,1796275,1796693-1796695,1796729,1796806,1796836,1796873,1796878,1797197,1797338,1797344,1797354-1797355,1797516,1797528,1797532,1797536,1797540,1797543,1797677-1797678,1797692,1797694,1797748,1797828,1798126,1798238,1798280,1798371,1798379,1798384,1798390,1798395,1798419,1798505,1798507,1798509,1798533,1798546,1798561,1798977,1799115,1799126,1799164,1799190,1799194,1799216,1799231,1799250,1799253,1799285,1799368,1799412,1799498,1799514-1799515,1799677,1799701-1799702,1799704,1799709,1799885,1799893,1799895,1799916,1800136-1800138,1800202,1800309,1800390,1800617,1800629,1800791,1800816,1800850,1800864,1800867,1800874,1800885,1800980-1800981,1800984,1800988,1800992,1801195,1801686,1801688,1801709,1801717,1801774,1801778,1802083,1802195,1802204-1802205,1802210,1802225-1802226,1802229,1802403,1802475,1802490,1802788,1802796,1802803,1802820,1802828,1802833,1802836,1803030,1803038,1803055,1803135,1803165,1803174
,1803193,1803205,1803224,1803278,1803281,1803295,1803297,1803446,1803451,1803456,1803459,1803616,1803636,1803828,1803901,1803972,1804040,1804094,1804306,1804461-1804463,1804501,1804506-1804507,1804754,1804813,1804888,1804890,1804903-1804908,1804915,1804917,1805523-1805530,1805550,1805612-1805613,1805637,1805645,1805652,1805726,1805752,1805782,1805826,1806307,1806356,1806445,1806736,1806794,1806798,1806801,1806807,1806873,1806966,1806973,1807004,1807093,1807135,1807205-1807206,1807237,1807242,1807251,1807282,1807455,1807686,1807698,1807713,1807715,1807729,1807742,1807747,1807751,1807755,1808116,1808156,1808266,1808433,1808438-1808439,1808466,1808481-1808482,1808695,1808701,1808766,1809011,1809025,1809141,1809143-1809144,1809146,1809158,1809212,1809214,1809239,1809248,1809263,1809265,1809317,1809434,1809669,1809671,1809674,1809684,1809711,1809828,1809830,1809908-1809909,1809922,1810106,1810110,1810280,1810300,1811031,1811119,1811122,1811132,1811137,1811139,1811174,1811176,1811198-1811
201,1811203-1811206,1811220,1811235,1811246,1811327-1811329,1811350,1811560,1811704,1811837-1811839,1811861,1811932,1812087-1812088,1812092,1812094,1812103,1812107,1812113,1812129,1812134-1812136,1812184,1812315,1812401,1812489,1812513,1812617,1813919,1814192,1814195,1814567,1814825,1814973,1814980,1815066,1815069,1815208,1815215,1815318-1815319,1815325,1815385,1815429,1815441-1815442,1815451,1815459,1815465,1815505,1815615,1815778,1815786,1815790,1815793,1815800,1815802,1815806,1815826,1815829,1815834,1815840,1815903,1815944,1815954,1816076,1816078,1816083,1816087,1816120,1816128,1816140,1816147,1816157,1816338,1816431,1816443,1816538,1816541,1816545,1816549-1816550,1816563,1816570,1816647,1816695-1816704,1816716,1816780,1816887,1817089,1817092,1817096,1817104,1817126,1817136-1817137,1817196,1817223,1817298,1817305,1817495,1817517,1817520,1817965,1817997,1817999-1818001,1818004,1818179,1818184,1818438,1818711,1818919,1818976,1819054,1819057,1819061,1819063,1819068,1819070-1819071,1
819074,1819077,1819148,1819903,1820003,1820005,1820138,1820153,1820194,1820196-1820197,1820202,1820206,1820222,1820265,1820272,1820276,1820279,1820281,1820302,1820634,1820701,1820705,1820932,1820981,1820994,1821157,1821167,1821197-1821203,1821225,1821234-1821235,1821251-1821252,1821293,1821328,1821381,1821490,1821708,1821932,1822001,1822016,1822109,1822111,1822116,1822150,1822232,1822524,1822644,1822775,1822945-1822946,1823006-1823007,1823102,1823111,1823150,1823161,1823262,1823306,1823310,1823337,1823481,1823483,1823492,1823495,1823540,1823620,1824154,1824201,1824228,1824254,1824263,1824297,1824301,1824311,1824323,1824357,1824766,1824774,1824892,1824901,1824959,1825054,1825516,1825519,1825713,1825738,1825872,1825909,1825943,1825987,1826048,1826111,1826115,1826209,1826361,1826375,1826688,1826731,1826794,1826812,1826817,1826825,1826867,1826869,1826958,1826975,1826977,1826979,1826985-1826986,1827150,1827203-1827204,1827223,1827297,1827299,1827363,1827368,1827396,1827408,1827428,182747
9,1827491,1827498,1827860,1828016,1828223-1828239,1828253,1828262,1828545,1828551,1828565,1828946,1829082,1829084,1829086,1829276,1829355,1829364,1829366,1829830,1829879,1829915,1829924,1829934,1829990-1829991,1830013,1830051,1830068
+/tomcat/trunk:1734785,1734799,1734845,1734928,1735041,1735044,1735480,1735577,1735597,1735599-1735600,1735615,1736145,1736162,1736209,1736280,1736297,1736299,1736489,1736646,1736703,1736836,1736849,1737104-1737105,1737112,1737117,1737119-1737120,1737155,1737157,1737192,1737280,1737339,1737632,1737664,1737715,1737748,1737785,1737834,1737860,1737903,1737959,1738005,1738007,1738014-1738015,1738018,1738022,1738039,1738043,1738059-1738060,1738147,1738149,1738174-1738175,1738261,1738589,1738623-1738625,1738643,1738816,1738850,1738855,1738946-1738948,1738953-1738954,1738979,1738982,1739079-1739081,1739087,1739113,1739153,1739172,1739176,1739191,1739474,1739492,1739726,1739762,1739775,1739814,1739817-1739818,1739975,1740131,1740324,1740465,1740495,1740508-1740509,1740520,1740535,1740707,1740803,1740810,1740969,1740980,1740991,1740997,1741015,1741033,1741036,1741058,1741060,1741080,1741147,1741159,1741164,1741173,1741181,1741190,1741197,1741202,1741208,1741213,1741221,1741225,1741232,1741409
,1741501,1741677,1741892,1741896,1741984,1742023,1742042,1742071,1742090,1742093,1742101,1742105,1742111,1742139,1742146,1742148,1742166,1742181,1742184,1742187,1742246,1742248-1742251,1742263-1742264,1742268,1742276,1742369,1742387,1742448,1742509-1742512,1742917,1742919,1742933,1742975-1742976,1742984,1742986,1743019,1743115,1743117,1743124-1743125,1743134,1743425,1743554,1743679,1743696-1743698,1743700-1743701,1744058,1744064-1744065,1744125,1744149,1744194,1744229,1744270,1744323,1744432,1744684,1744697,1744705,1744713,1744760,1744786,1745083,1745142-1745143,1745145,1745177,1745179-1745180,1745227,1745248,1745254,1745337,1745467,1745473,1745535,1745576,1745735,1745744,1746304,1746306-1746307,1746319,1746327,1746338,1746340-1746341,1746344,1746427,1746441,1746473,1746490,1746492,1746495-1746496,1746499-1746501,1746503-1746507,1746509,1746549,1746551,1746554,1746556,1746558,1746584,1746620,1746649,1746724,1746939,1746989,1747014,1747028,1747035,1747210,1747225,1747234,1747253,1747
404,1747506,1747536,1747924,1747980,1747993,1748001,1748253,1748452,1748547,1748629,1748676,1748715,1749287,1749296,1749328,1749373,1749465,1749506,1749508,1749665-1749666,1749763,1749865-1749866,1749898,1749978,1749980,1750011,1750015,1750056,1750480,1750617,1750634,1750692,1750697,1750700,1750703,1750707,1750714,1750718,1750723,1750774,1750899,1750975,1750995,1751061,1751097,1751173,1751438,1751447,1751463,1751702,1752212,1752737,1752745,1753078,1753080,1753358,1753363,1754111,1754140-1754141,1754281,1754310,1754445,1754467,1754494,1754496,1754528,1754532-1754533,1754613,1754714,1754874,1754941,1754944,1754950-1754951,1755005,1755007,1755009,1755132,1755180-1755181,1755185,1755190,1755204-1755206,1755208,1755214,1755224,1755227,1755230,1755629,1755646-1755647,1755650,1755653,1755675,1755680,1755683,1755693,1755717,1755731-1755737,1755812,1755828,1755884,1755890,1755918-1755919,1755942,1755958,1755960,1755970,1755993,1756013,1756019,1756039,1756056,1756083-1756114,1756175,1756288-1
756289,1756408-1756410,1756778,1756798,1756878,1756898,1756939,1757123-1757124,1757126,1757128,1757132-1757133,1757136,1757145,1757167-1757168,1757175,1757180,1757182,1757195,1757271,1757278,1757347,1757353-1757354,1757363,1757374,1757399,1757406,1757408,1757485,1757495,1757499,1757527,1757578,1757684,1757722,1757727,1757790,1757799,1757813,1757853,1757883,1757903,1757976,1757997,1758000,1758058,1758072-1758075,1758078-1758079,1758223,1758257,1758261,1758276,1758292,1758369,1758378-1758383,1758421,1758423,1758425-1758427,1758430,1758443,1758448,1758459,1758483,1758486-1758487,1758499,1758525,1758556,1758580,1758582,1758584,1758588,1758842,1759019,1759212,1759224,1759227,1759252,1759274,1759513-1759516,1759611,1759757,1759785-1759790,1760005,1760022,1760109-1760110,1760135,1760200-1760201,1760227,1760300,1760397,1760446,1760454,1760640,1760648,1761057,1761422,1761491,1761498,1761500-1761501,1761550,1761553,1761572,1761574,1761625-1761626,1761628,1761682,1761740,1761752,1762051-176205
3,1762123,1762168,1762172,1762182,1762201-1762202,1762204,1762208,1762288,1762296,1762324,1762348,1762353,1762362,1762374,1762492,1762503,1762505,1762541,1762608,1762710,1762753,1762766,1762769,1762944,1762947,1762953,1763167,1763179,1763232,1763259,1763271-1763272,1763276-1763277,1763319-1763320,1763370,1763372,1763375,1763377,1763393,1763412,1763430,1763450,1763462,1763505,1763511-1763512,1763516,1763518,1763520,1763529,1763559,1763565,1763568,1763574,1763619,1763634-1763635,1763718,1763748,1763786,1763798-1763799,1763810,1763813,1763815,1763819,1763831,1764083,1764425,1764646,1764648-1764649,1764659,1764663,1764682,1764862,1764866-1764867,1764870,1764897,1765133,1765299,1765358,1765439,1765447,1765495,1765502,1765569-1765571,1765579,1765582,1765589-1765590,1765794,1765801,1765813,1765815,1766276,1766514,1766533,1766535,1766664,1766675,1766698,1766700,1766822,1766834,1766840,1767047,1767328,1767362,1767368,1767429,1767471,1767505,1767641-1767644,1767903,1767945-1767946,1768123,176
8283,1768520,1768569,1768651,1768762,1768922,1769191,1769263,1769630,1769833,1769975,1770047,1770140,1770180,1770258,1770389,1770656,1770666,1770718,1770762,1770952,1770954,1770956,1770961,1771087,1771126,1771139,1771143,1771149,1771156,1771266,1771316,1771386,1771611,1771613,1771711,1771718,1771723-1771724,1771730,1771743,1771752,1771853,1771963,1772170,1772174,1772223,1772229,1772318-1772319,1772353,1772355,1772554,1772603-1772609,1772849,1772865,1772870,1772872,1772875-1772876,1772881,1772886,1772947,1773306,1773344,1773418,1773756,1773813-1773814,1774052,1774102,1774131,1774161,1774164,1774248,1774253,1774257,1774259,1774262,1774267,1774271,1774303,1774340,1774406,1774412,1774426,1774433,1774522-1774523,1774526,1774528-1774529,1774531,1774732-1774736,1774738-1774739,1774741-1774742,1774749,1774755,1774789,1774858,1774867,1775596,1775985-1775986,1776540,1776937,1776954,1777011,1777173,1777189,1777211,1777524,1777546,1777605,1777619,1777647,1777721-1777722,1777967,1778061,1778138-
1778139,1778141-1778150,1778154,1778275-1778276,1778295,1778342,1778348,1778404,1778424,1778426,1778575,1778582,1778600,1778603,1779312,1779370,1779545,1779612,1779622,1779641,1779654,1779708,1779718,1779897,1779899,1779932,1780109,1780120,1780189,1780196,1780488,1780514-1780516,1780601,1780606,1780609-1780610,1780652,1780991,1780995-1780996,1781174,1781569,1781975,1781986,1782116,1782383-1782384,1782566,1782572,1782775,1782779,1782814,1782857,1782868,1782934,1782946-1782947,1782956,1783144-1783147,1783155,1783408,1784182,1784565,1784583,1784657,1784669,1784712,1784723,1784751,1784767,1784806,1784818,1784911,1784926,1784956,1784963,1785032,1785037,1785245,1785271,1785310,1785317,1785643,1785667,1785762,1785774,1785823,1785935,1786051,1786070,1786123-1786124,1786127,1786129,1786341,1786378,1786844,1787200,1787250,1787405,1787662,1787701,1787703,1787938,1787959,1787973,1788223-1788224,1788228,1788232,1788241-1788242,1788248,1788323,1788328,1788455,1788460,1788473,1788543-1788544,17885
48,1788550,1788554,1788558,1788560,1788567,1788569,1788572,1788647,1788732,1788741,1788747,1788753,1788764,1788771,1788834,1788841,1788852,1788860,1788883,1788890,1789051,1789400,1789415,1789442-1789443,1789447,1789453,1789456,1789458,1789461-1789463,1789465-1789467,1789470,1789472,1789474,1789476,1789479-1789480,1789685,1789733,1789735,1789744-1789745,1789937,1789984,1790119,1790180,1790183,1790213,1790376,1790443,1790614,1790983,1790991,1791027-1791028,1791050,1791090,1791095-1791096,1791099,1791101-1791103,1791124,1791129,1791134,1791137,1791298,1791527,1791557,1791970,1792033,1792038,1792055,1792093,1792140,1792460,1792468,1792791,1792957,1793095,1793121,1793123,1793127,1793136,1793139,1793147-1793148,1793266,1793437,1793449,1793460,1793468,1793487,1793498,1793502,1793514,1793682-1793683,1793711-1793712,1793716,1793719,1793736,1793746,1793758,1793771,1793776,1793798,1793802,1793812,1793819,1793844,1793854,1793887,1793891,1793898,1793901-1793902,1793907,1793910,1793980,1794556,17
94674,1794941-1794942,1795278,1795289,1795298,1795305,1795813,1795893,1796090,1796275,1796693-1796695,1796729,1796806,1796836,1796873,1796878,1797197,1797338,1797344,1797354-1797355,1797516,1797528,1797532,1797536,1797540,1797543,1797677-1797678,1797692,1797694,1797748,1797828,1798126,1798238,1798280,1798371,1798379,1798384,1798390,1798395,1798419,1798505,1798507,1798509,1798533,1798546,1798561,1798977,1799115,1799126,1799164,1799190,1799194,1799216,1799231,1799250,1799253,1799285,1799368,1799412,1799498,1799514-1799515,1799677,1799701-1799702,1799704,1799709,1799885,1799893,1799895,1799916,1800136-1800138,1800202,1800309,1800390,1800617,1800629,1800791,1800816,1800850,1800864,1800867,1800874,1800885,1800980-1800981,1800984,1800988,1800992,1801195,1801686,1801688,1801709,1801717,1801774,1801778,1802083,1802195,1802204-1802205,1802210,1802225-1802226,1802229,1802403,1802475,1802490,1802788,1802796,1802803,1802820,1802828,1802833,1802836,1803030,1803038,1803055,1803135,1803165,1803174
,1803193,1803205,1803224,1803278,1803281,1803295,1803297,1803446,1803451,1803456,1803459,1803616,1803636,1803828,1803901,1803972,1804040,1804094,1804306,1804461-1804463,1804501,1804506-1804507,1804754,1804813,1804888,1804890,1804903-1804908,1804915,1804917,1805523-1805530,1805550,1805612-1805613,1805637,1805645,1805652,1805726,1805752,1805782,1805826,1806307,1806356,1806445,1806736,1806794,1806798,1806801,1806807,1806873,1806966,1806973,1807004,1807093,1807135,1807205-1807206,1807237,1807242,1807251,1807282,1807455,1807686,1807698,1807713,1807715,1807729,1807742,1807747,1807751,1807755,1808116,1808156,1808266,1808433,1808438-1808439,1808466,1808481-1808482,1808695,1808701,1808766,1809011,1809025,1809141,1809143-1809144,1809146,1809158,1809212,1809214,1809239,1809248,1809263,1809265,1809317,1809434,1809669,1809671,1809674,1809684,1809711,1809828,1809830,1809908-1809909,1809922,1810106,1810110,1810280,1810300,1811031,1811119,1811122,1811132,1811137,1811139,1811174,1811176,1811198-1811
201,1811203-1811206,1811220,1811235,1811246,1811327-1811329,1811350,1811560,1811704,1811837-1811839,1811861,1811932,1812087-1812088,1812092,1812094,1812103,1812107,1812113,1812129,1812134-1812136,1812184,1812315,1812401,1812489,1812513,1812617,1813919,1814192,1814195,1814567,1814825,1814973,1814980,1815066,1815069,1815208,1815215,1815318-1815319,1815325,1815385,1815429,1815441-1815442,1815451,1815459,1815465,1815505,1815615,1815778,1815786,1815790,1815793,1815800,1815802,1815806,1815826,1815829,1815834,1815840,1815903,1815944,1815954,1816076,1816078,1816083,1816087,1816120,1816128,1816140,1816147,1816157,1816338,1816431,1816443,1816538,1816541,1816545,1816549-1816550,1816563,1816570,1816647,1816695-1816704,1816716,1816780,1816887,1817089,1817092,1817096,1817104,1817126,1817136-1817137,1817196,1817223,1817298,1817305,1817495,1817517,1817520,1817965,1817997,1817999-1818001,1818004,1818179,1818184,1818438,1818711,1818919,1818976,1819054,1819057,1819061,1819063,1819068,1819070-1819071,1
819074,1819077,1819148,1819903,1820003,1820005,1820138,1820153,1820194,1820196-1820197,1820202,1820206,1820222,1820265,1820272,1820276,1820279,1820281,1820302,1820634,1820701,1820705,1820932,1820981,1820994,1821157,1821167,1821197-1821203,1821225,1821234-1821235,1821251-1821252,1821293,1821328,1821381,1821490,1821708,1821932,1822001,1822016,1822109,1822111,1822116,1822150,1822232,1822524,1822644,1822775,1822945-1822946,1823006-1823007,1823102,1823111,1823150,1823161,1823262,1823306,1823310,1823337,1823481,1823483,1823492,1823495,1823540,1823620,1824154,1824201,1824228,1824254,1824263,1824297,1824301,1824311,1824323,1824357,1824766,1824774,1824892,1824901,1824959,1825054,1825516,1825519,1825713,1825738,1825872,1825909,1825943,1825987,1826048,1826111,1826115,1826209,1826361,1826375,1826688,1826731,1826794,1826812,1826817,1826825,1826867,1826869,1826958,1826975,1826977,1826979,1826985-1826986,1827150,1827203-1827204,1827223,1827297,1827299,1827363,1827368,1827396,1827408,1827428,182747
9,1827491,1827498,1827860,1828016,1828223-1828239,1828253,1828262,1828545,1828551,1828565,1828946,1829082,1829084,1829086,1829276,1829355,1829364,1829366,1829830,1829879,1829915,1829924,1829934,1829990-1829991,1830013,1830051,1830068,1830087
Modified: tomcat/tc8.5.x/trunk/conf/catalina.properties
URL:
http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/conf/catalina.properties?rev=1830215&r1=1830214&r2=1830215&view=diff
==============================================================================
--- tomcat/tc8.5.x/trunk/conf/catalina.properties (original)
+++ tomcat/tc8.5.x/trunk/conf/catalina.properties Thu Apr 26 13:15:21 2018
@@ -147,6 +147,9 @@ tomcat.util.buf.StringCache.byte.enabled
#tomcat.util.buf.StringCache.trainThreshold=500000
#tomcat.util.buf.StringCache.cacheSize=5000
+# This system property is deprecated. Use the relaxedPathChars
relaxedQueryChars
+# attributes of the Connector instead. These attributes permit a wider range of
+# characters to be configured as valid.
# Allow for changes to HTTP request validation
-# WARNING: Using this option will expose the server to CVE-2016-6816
+# WARNING: Using this option may expose the server to CVE-2016-6816
#tomcat.util.http.parser.HttpParser.requestTargetAllow=|
Modified:
tomcat/tc8.5.x/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java
URL:
http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java?rev=1830215&r1=1830214&r2=1830215&view=diff
==============================================================================
---
tomcat/tc8.5.x/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java
(original)
+++
tomcat/tc8.5.x/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java
Thu Apr 26 13:15:21 2018
@@ -89,6 +89,24 @@ public abstract class AbstractHttp11Prot
// ------------------------------------------------ HTTP specific
properties
// ------------------------------------------ managed in the
ProtocolHandler
+ private String relaxedPathChars = null;
+ public String getRelaxedPathChars() {
+ return relaxedPathChars;
+ }
+ public void setRelaxedPathChars(String relaxedPathChars) {
+ this.relaxedPathChars = relaxedPathChars;
+ }
+
+
+ private String relaxedQueryChars = null;
+ public String getRelaxedQueryChars() {
+ return relaxedQueryChars;
+ }
+ public void setRelaxedQueryChars(String relaxedQueryChars) {
+ this.relaxedQueryChars = relaxedQueryChars;
+ }
+
+
private boolean allowHostHeaderMismatch = true;
/**
* Will Tomcat accept an HTTP 1.1 request where the host header does not
@@ -846,7 +864,8 @@ public abstract class AbstractHttp11Prot
Http11Processor processor = new Http11Processor(getMaxHttpHeaderSize(),
getAllowHostHeaderMismatch(), getRejectIllegalHeaderName(),
getEndpoint(),
getMaxTrailerSize(), allowedTrailerHeaders,
getMaxExtensionSize(),
- getMaxSwallowSize(), httpUpgradeProtocols,
getSendReasonPhrase());
+ getMaxSwallowSize(), httpUpgradeProtocols,
getSendReasonPhrase(),
+ relaxedPathChars, relaxedQueryChars);
processor.setAdapter(getAdapter());
processor.setMaxKeepAliveRequests(getMaxKeepAliveRequests());
processor.setConnectionUploadTimeout(getConnectionUploadTimeout());
Modified:
tomcat/tc8.5.x/trunk/java/org/apache/coyote/http11/Http11InputBuffer.java
URL:
http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/coyote/http11/Http11InputBuffer.java?rev=1830215&r1=1830214&r2=1830215&view=diff
==============================================================================
--- tomcat/tc8.5.x/trunk/java/org/apache/coyote/http11/Http11InputBuffer.java
(original)
+++ tomcat/tc8.5.x/trunk/java/org/apache/coyote/http11/Http11InputBuffer.java
Thu Apr 26 13:15:21 2018
@@ -133,6 +133,7 @@ public class Http11InputBuffer implement
private int parsingRequestLineQPos = -1;
private HeaderParsePosition headerParsePos;
private final HeaderParseData headerData = new HeaderParseData();
+ private final HttpParser httpParser;
/**
* Maximum allowed size of the HTTP request line plus headers plus any
@@ -149,13 +150,14 @@ public class Http11InputBuffer implement
// ----------------------------------------------------------- Constructors
public Http11InputBuffer(Request request, int headerBufferSize,
- boolean rejectIllegalHeaderName) {
+ boolean rejectIllegalHeaderName, HttpParser httpParser) {
this.request = request;
headers = request.getMimeHeaders();
this.headerBufferSize = headerBufferSize;
this.rejectIllegalHeaderName = rejectIllegalHeaderName;
+ this.httpParser = httpParser;
filterLibrary = new InputFilter[0];
activeFilters = new InputFilter[0];
@@ -472,10 +474,10 @@ public class Http11InputBuffer implement
end = pos;
} else if (chr == Constants.QUESTION && parsingRequestLineQPos
== -1) {
parsingRequestLineQPos = pos;
- } else if (parsingRequestLineQPos != -1 &&
!HttpParser.isQuery(chr)) {
+ } else if (parsingRequestLineQPos != -1 &&
!httpParser.isQueryRelaxed(chr)) {
// %nn decoding will be checked at the point of decoding
throw new
IllegalArgumentException(sm.getString("iib.invalidRequestTarget"));
- } else if (HttpParser.isNotRequestTarget(chr)) {
+ } else if (httpParser.isNotRequestTargetRelaxed(chr)) {
// This is a general check that aims to catch problems
early
// Detailed checking of each part of the request target
will
// happen in Http11Processor#prepareRequest()
Modified:
tomcat/tc8.5.x/trunk/java/org/apache/coyote/http11/Http11Processor.java
URL:
http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/coyote/http11/Http11Processor.java?rev=1830215&r1=1830214&r2=1830215&view=diff
==============================================================================
--- tomcat/tc8.5.x/trunk/java/org/apache/coyote/http11/Http11Processor.java
(original)
+++ tomcat/tc8.5.x/trunk/java/org/apache/coyote/http11/Http11Processor.java Thu
Apr 26 13:15:21 2018
@@ -87,6 +87,9 @@ public class Http11Processor extends Abs
protected final Http11OutputBuffer outputBuffer;
+ private final HttpParser httpParser;
+
+
/**
* Tracks how many internal filters are in the filter library so they
* are skipped when looking for pluggable filters.
@@ -224,12 +227,15 @@ public class Http11Processor extends Abs
public Http11Processor(int maxHttpHeaderSize, boolean
allowHostHeaderMismatch,
boolean rejectIllegalHeaderName, AbstractEndpoint<?> endpoint, int
maxTrailerSize,
Set<String> allowedTrailerHeaders, int maxExtensionSize, int
maxSwallowSize,
- Map<String,UpgradeProtocol> httpUpgradeProtocols, boolean
sendReasonPhrase) {
+ Map<String,UpgradeProtocol> httpUpgradeProtocols, boolean
sendReasonPhrase,
+ String relaxedPathChars, String relaxedQueryChars) {
super(endpoint);
userDataHelper = new UserDataHelper(log);
- inputBuffer = new Http11InputBuffer(request,
maxHttpHeaderSize,rejectIllegalHeaderName);
+ httpParser = new HttpParser(relaxedPathChars, relaxedQueryChars);
+
+ inputBuffer = new Http11InputBuffer(request, maxHttpHeaderSize,
rejectIllegalHeaderName, httpParser);
request.setInputBuffer(inputBuffer);
outputBuffer = new Http11OutputBuffer(response, maxHttpHeaderSize,
sendReasonPhrase);
@@ -1146,7 +1152,7 @@ public class Http11Processor extends Abs
// Validate the characters in the URI. %nn decoding will be checked at
// the point of decoding.
for (int i = uriBC.getStart(); i < uriBC.getEnd(); i++) {
- if (!HttpParser.isAbsolutePath(uriB[i])) {
+ if (!httpParser.isAbsolutePathRelaxed(uriB[i])) {
response.setStatus(400);
setErrorState(ErrorState.CLOSE_CLEAN, null);
if (log.isDebugEnabled()) {
Modified:
tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/http/parser/HttpParser.java
URL:
http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/http/parser/HttpParser.java?rev=1830215&r1=1830214&r2=1830215&view=diff
==============================================================================
---
tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/http/parser/HttpParser.java
(original)
+++
tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/http/parser/HttpParser.java
Thu Apr 26 13:15:21 2018
@@ -48,7 +48,6 @@ public class HttpParser {
private static final boolean[] IS_SEPARATOR = new boolean[ARRAY_SIZE];
private static final boolean[] IS_TOKEN = new boolean[ARRAY_SIZE];
private static final boolean[] IS_HEX = new boolean[ARRAY_SIZE];
- private static final boolean[] IS_NOT_REQUEST_TARGET = new
boolean[ARRAY_SIZE];
private static final boolean[] IS_HTTP_PROTOCOL = new boolean[ARRAY_SIZE];
private static final boolean[] IS_ALPHA = new boolean[ARRAY_SIZE];
private static final boolean[] IS_NUMERIC = new boolean[ARRAY_SIZE];
@@ -56,23 +55,12 @@ public class HttpParser {
private static final boolean[] IS_UNRESERVED = new boolean[ARRAY_SIZE];
private static final boolean[] IS_SUBDELIM = new boolean[ARRAY_SIZE];
private static final boolean[] IS_USERINFO = new boolean[ARRAY_SIZE];
- private static final boolean[] IS_ABSOLUTEPATH = new boolean[ARRAY_SIZE];
- private static final boolean[] IS_QUERY = new boolean[ARRAY_SIZE];
+ private static final boolean[] IS_RELAXABLE = new boolean[ARRAY_SIZE];
+
+ private static final HttpParser DEFAULT;
- static {
- String prop =
System.getProperty("tomcat.util.http.parser.HttpParser.requestTargetAllow");
- if (prop != null) {
- for (int i = 0; i < prop.length(); i++) {
- char c = prop.charAt(i);
- if (c == '{' || c == '}' || c == '|') {
- REQUEST_TARGET_ALLOW[c] = true;
- } else {
- log.warn(sm.getString("http.invalidRequestTargetCharacter",
- Character.valueOf(c)));
- }
- }
- }
+ static {
for (int i = 0; i < ARRAY_SIZE; i++) {
// Control> 0-31, 127
if (i < 32 || i == 127) {
@@ -97,17 +85,6 @@ public class HttpParser {
IS_HEX[i] = true;
}
- // Not valid for request target.
- // Combination of multiple rules from RFC7230 and RFC 3986. Must be
- // ASCII, no controls plus a few additional characters excluded
- if (IS_CONTROL[i] || i > 127 ||
- i == ' ' || i == '\"' || i == '#' || i == '<' || i == '>'
|| i == '\\' ||
- i == '^' || i == '`' || i == '{' || i == '|' || i == '}')
{
- if (!REQUEST_TARGET_ALLOW[i]) {
- IS_NOT_REQUEST_TARGET[i] = true;
- }
- }
-
// Not valid for HTTP protocol
// "HTTP/" DIGIT "." DIGIT
if (i == 'H' || i == 'T' || i == 'P' || i == '/' || i == '.' || (i
>= '0' && i <= '9')) {
@@ -126,8 +103,8 @@ public class HttpParser {
IS_UNRESERVED[i] = true;
}
- if (i == '!' || i == '$' || i == '&' || i == '\'' || i == '(' || i
== ')' || i == '*' || i == '+' ||
- i == ',' || i == ';' || i == '=') {
+ if (i == '!' || i == '$' || i == '&' || i == '\'' || i == '(' || i
== ')' || i == '*' ||
+ i == '+' || i == ',' || i == ';' || i == '=') {
IS_SUBDELIM[i] = true;
}
@@ -136,6 +113,50 @@ public class HttpParser {
IS_USERINFO[i] = true;
}
+ // The characters that are normally not permitted for which the
+ // restrictions may be relaxed when used in the path and/or query
+ // string
+ if (i == '\"' || i == '<' || i == '>' || i == '[' || i == '\\' ||
i == ']' ||
+ i == '^' || i == '`' || i == '{' || i == '|' || i == '}')
{
+ IS_RELAXABLE[i] = true;
+ }
+ }
+
+ String prop =
System.getProperty("tomcat.util.http.parser.HttpParser.requestTargetAllow");
+ if (prop != null) {
+ for (int i = 0; i < prop.length(); i++) {
+ char c = prop.charAt(i);
+ if (c == '{' || c == '}' || c == '|') {
+ REQUEST_TARGET_ALLOW[c] = true;
+ } else {
+ log.warn(sm.getString("http.invalidRequestTargetCharacter",
+ Character.valueOf(c)));
+ }
+ }
+ }
+
+ DEFAULT = new HttpParser(null, null);
+ }
+
+
+ private final boolean[] IS_NOT_REQUEST_TARGET = new boolean[ARRAY_SIZE];
+ private final boolean[] IS_ABSOLUTEPATH_RELAXED = new boolean[ARRAY_SIZE];
+ private final boolean[] IS_QUERY_RELAXED = new boolean[ARRAY_SIZE];
+
+
+ public HttpParser(String relaxedPathChars, String relaxedQueryChars) {
+ for (int i = 0; i < ARRAY_SIZE; i++) {
+ // Not valid for request target.
+ // Combination of multiple rules from RFC7230 and RFC 3986. Must be
+ // ASCII, no controls plus a few additional characters excluded
+ if (IS_CONTROL[i] || i > 127 ||
+ i == ' ' || i == '\"' || i == '#' || i == '<' || i == '>'
|| i == '\\' ||
+ i == '^' || i == '`' || i == '{' || i == '|' || i == '}')
{
+ if (!REQUEST_TARGET_ALLOW[i]) {
+ IS_NOT_REQUEST_TARGET[i] = true;
+ }
+ }
+
/*
* absolute-path = 1*( "/" segment )
* segment = *pchar
@@ -143,8 +164,8 @@ public class HttpParser {
*
* Note pchar allows everything userinfo allows plus "@"
*/
- if (IS_USERINFO[i] || i == '@' || i == '/') {
- IS_ABSOLUTEPATH[i] = true;
+ if (IS_USERINFO[i] || i == '@' || i == '/' ||
REQUEST_TARGET_ALLOW[i]) {
+ IS_ABSOLUTEPATH_RELAXED[i] = true;
}
/*
@@ -152,10 +173,46 @@ public class HttpParser {
*
* Note query allows everything absolute-path allows plus "?"
*/
- if (IS_ABSOLUTEPATH[i] || i == '?') {
- IS_QUERY[i] = true;
+ if (IS_ABSOLUTEPATH_RELAXED[i] || i == '?' ||
REQUEST_TARGET_ALLOW[i]) {
+ IS_QUERY_RELAXED[i] = true;
}
}
+
+ relax(IS_ABSOLUTEPATH_RELAXED, relaxedPathChars);
+ relax(IS_QUERY_RELAXED, relaxedQueryChars);
+ }
+
+
+ public boolean isNotRequestTargetRelaxed(int c) {
+ // Fast for valid request target characters, slower for some incorrect
+ // ones
+ try {
+ return IS_NOT_REQUEST_TARGET[c];
+ } catch (ArrayIndexOutOfBoundsException ex) {
+ return true;
+ }
+ }
+
+
+ public boolean isAbsolutePathRelaxed(int c) {
+ // Fast for valid user info characters, slower for some incorrect
+ // ones
+ try {
+ return IS_ABSOLUTEPATH_RELAXED[c];
+ } catch (ArrayIndexOutOfBoundsException ex) {
+ return false;
+ }
+ }
+
+
+ public boolean isQueryRelaxed(int c) {
+ // Fast for valid user info characters, slower for some incorrect
+ // ones
+ try {
+ return IS_QUERY_RELAXED[c];
+ } catch (ArrayIndexOutOfBoundsException ex) {
+ return false;
+ }
}
@@ -211,13 +268,7 @@ public class HttpParser {
public static boolean isNotRequestTarget(int c) {
- // Fast for valid request target characters, slower for some incorrect
- // ones
- try {
- return IS_NOT_REQUEST_TARGET[c];
- } catch (ArrayIndexOutOfBoundsException ex) {
- return true;
- }
+ return DEFAULT.isNotRequestTargetRelaxed(c);
}
@@ -265,25 +316,24 @@ public class HttpParser {
}
- public static boolean isAbsolutePath(int c) {
+ private static boolean isRelaxable(int c) {
// Fast for valid user info characters, slower for some incorrect
// ones
try {
- return IS_ABSOLUTEPATH[c];
+ return IS_RELAXABLE[c];
} catch (ArrayIndexOutOfBoundsException ex) {
return false;
}
}
+ public static boolean isAbsolutePath(int c) {
+ return DEFAULT.isAbsolutePathRelaxed(c);
+ }
+
+
public static boolean isQuery(int c) {
- // Fast for valid user info characters, slower for some incorrect
- // ones
- try {
- return IS_QUERY[c];
- } catch (ArrayIndexOutOfBoundsException ex) {
- return false;
- }
+ return DEFAULT.isQueryRelaxed(c);
}
@@ -792,12 +842,27 @@ public class HttpParser {
}
}
+
+ private void relax(boolean[] flags, String relaxedChars) {
+ if (relaxedChars != null && relaxedChars.length() > 0) {
+ char[] chars = relaxedChars.toCharArray();
+ for (char c : chars) {
+ if (isRelaxable(c)) {
+ flags[c] = true;
+ IS_NOT_REQUEST_TARGET[c] = false;
+ }
+ }
+ }
+ }
+
+
private enum AllowsEnd {
NEVER,
FIRST,
ALWAYS
}
+
private enum DomainParseState {
NEW( true, false, false, AllowsEnd.NEVER, AllowsEnd.NEVER, "
at the start of"),
ALL_ALPHA( true, true, true, AllowsEnd.ALWAYS, AllowsEnd.ALWAYS, "
after a letter in"),
Modified: tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml?rev=1830215&r1=1830214&r2=1830215&view=diff
==============================================================================
--- tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml Thu Apr 26 13:15:21 2018
@@ -67,6 +67,12 @@
Update the internal fork of Apache Commons BCEL to r1829827 to add
early
access Java 11 support to the annotation scanning code. (markt)
</add>
+ <add>
+ <bug>62273</bug>: Implement configuration options to work-around
+ specification non-compliant user agents (including all the major
+ browsers) that do not correctly %nn encode URI paths and query strings
+ as required by RFC 7230 and RFC 3986. (markt)
+ </add>
<fix>
<bug>62297</bug>: Enable the <code>CrawlerSessionManagerValve</code> to
correctly handle bots that crawl multiple hosts and/or web applications
Modified: tomcat/tc8.5.x/trunk/webapps/docs/config/http.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/webapps/docs/config/http.xml?rev=1830215&r1=1830214&r2=1830215&view=diff
==============================================================================
--- tomcat/tc8.5.x/trunk/webapps/docs/config/http.xml (original)
+++ tomcat/tc8.5.x/trunk/webapps/docs/config/http.xml Thu Apr 26 13:15:21 2018
@@ -567,6 +567,32 @@
illegal header will be ignored.</p>
</attribute>
+ <attribute name="relaxedPathChars" required="false">
+ <p>The <a href="https://tools.ietf.org/rfc/rfc7230.txt";>HTTP/1.1
+ specification</a> requires that certain characters are %nn encoded when
+ used in URI paths. Unfortunately, many user agents including all the
major
+ browsers are not compliant with this specification and use these
+ characters in unencoded form. To prevent Tomcat rejecting such requests,
+ this attribute may be used to specify the additional characters to allow.
+ If not specified, no addtional characters will be allowed. The value may
+ be any combination of the following characters:
+ <code>" < > [ \ ] ^ ` { | }</code> . Any other characters
+ present in the value will be ignored.</p>
+ </attribute>
+
+ <attribute name="relaxedQueryChars" required="false">
+ <p>The <a href="https://tools.ietf.org/rfc/rfc7230.txt";>HTTP/1.1
+ specification</a> requires that certain characters are %nn encoded when
+ used in URI query strings. Unfortunately, many user agents including all
+ the major browsers are not compliant with this specification and use
these
+ characters in unencoded form. To prevent Tomcat rejecting such requests,
+ this attribute may be used to specify the additional characters to allow.
+ If not specified, no addtional characters will be allowed. The value may
+ be any combination of the following characters:
+ <code>" < > [ \ ] ^ ` { | }</code> . Any other characters
+ present in the value will be ignored.</p>
+ </attribute>
+
<attribute name="restrictedUserAgents" required="false">
<p>The value is a regular expression (using <code>java.util.regex</code>)
matching the <code>user-agent</code> header of HTTP clients for which
Modified: tomcat/tc8.5.x/trunk/webapps/docs/config/systemprops.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/webapps/docs/config/systemprops.xml?rev=1830215&r1=1830214&r2=1830215&view=diff
==============================================================================
--- tomcat/tc8.5.x/trunk/webapps/docs/config/systemprops.xml (original)
+++ tomcat/tc8.5.x/trunk/webapps/docs/config/systemprops.xml Thu Apr 26
13:15:21 2018
@@ -673,11 +673,15 @@
</property>
<property name="tomcat.util.http.parser.HttpParser. requestTargetAllow">
+ <p><i>This system property is deprecated. Use the
+ <code>relaxedPathChars</code> and <code>relaxedQueryChars</code>
+ attributes of the Connector instead. These attributes permit a wider
range
+ of characters to be configured as valid.</i></p>
<p>A string comprised of characters the server should allow even when
they are not encoded.
These characters would normally result in a 400 status.</p>
<p>The acceptable characters for this property are: <code>|</code>,
<code>{</code>
, and <code>}</code></p>
- <p><strong>WARNING</strong>: Use of this option will expose the server
to CVE-2016-6816.
+ <p><strong>WARNING</strong>: Use of this option may expose the server to
CVE-2016-6816.
</p>
<p>If not specified, the default value of <code>null</code> will be
used.</p>
</property>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
