Posted to dev@tomcat.apache.org by bu...@apache.org on 2016/12/13 16:48:14 UTC

[Bug 60475] New: Urls containing | as a delimiter cause http 400 errors

https://bz.apache.org/bugzilla/show_bug.cgi?id=60475

            Bug ID: 60475
           Summary: Urls containing | as a delimiter cause http 400 errors
           Product: Tomcat 8
           Version: 8.5.8
          Hardware: PC
                OS: Windows NT
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
          Assignee: dev@tomcat.apache.org
          Reporter: adriennf@opentext.com
  Target Milestone: ----

URLs like this cause HTTP 400 errors:

http://xxxxxx/yy/cs?func=sbroker.ExecuteExtCmd&cacheID=1132437720&extResultsAction=SaveResults&objects=|1|2

because of parameter formats using | as a delimiter

i.e. &objects=|1|2

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


[Bug 60475] Urls containing | as a delimiter cause http 400 errors

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=60475

--- Comment #1 from adriennf@opentext.com ---
Unable to reproduce with Tomcat 8.5.6



[Bug 60475] Urls containing | as a delimiter cause http 400 errors

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=60475

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |INVALID

--- Comment #2 from Mark Thomas <ma...@apache.org> ---
Unencoded '|' are not permitted anywhere in a request target. As part of the
fix for CVE-2016-6816, Tomcat now rejects them with a 400 response.

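Added example, not part of the bug report or of Tomcat's code: a Python check that applies the RFC 3986 grammar for path and query to a URL, lists characters such as | that may not appear unencoded, and percent-encodes only those. The function names are hypothetical, and using the RFC 3986 character set is an assumption; the thread does not state the exact set Tomcat accepts.

```python
import re
import string
from urllib.parse import quote, urlsplit, urlunsplit

# URL from the bug report above.
SAMPLE = ("http://xxxxxx/yy/cs?func=sbroker.ExecuteExtCmd&cacheID=1132437720"
          "&extResultsAction=SaveResults&objects=|1|2")

# RFC 3986: pchar = unreserved / pct-encoded / sub-delims / ":" / "@"
_PCHAR = set(string.ascii_letters + string.digits + "-._~" + "!$&'()*+,;=" + ":@")
_PCT = re.compile(r"%[0-9A-Fa-f]{2}")


def _scan(component, extra):
    """Yield (token, allowed) for each character or valid %XX triplet."""
    i = 0
    while i < len(component):
        if _PCT.match(component, i):
            yield component[i:i + 3], True
            i += 3
        else:
            c = component[i]  # includes a stray "%" not followed by two hex digits
            yield c, c in _PCHAR or c in extra
            i += 1


def _components(target):
    parts = urlsplit(target)
    # path = pchar segments joined by "/"; query = *( pchar / "/" / "?" )
    return parts, ((parts.path, "/"), (parts.query, "/?"))


def illegal_chars(target):
    """Characters in path and query that must not appear unencoded."""
    _, comps = _components(target)
    return [tok for comp, extra in comps for tok, ok in _scan(comp, extra) if not ok]


def encode_target(target):
    """Percent-encode only the disallowed characters; keep everything else."""
    parts, comps = _components(target)
    path, query = ("".join(tok if ok else quote(tok, safe="") for tok, ok in _scan(comp, extra))
                   for comp, extra in comps)
    return urlunsplit((parts.scheme, parts.netloc, path, query, parts.fragment))


if __name__ == "__main__":
    print(illegal_chars(SAMPLE))   # the two unencoded pipes
    print(encode_target(SAMPLE))   # same URL with objects=%7C1%7C2
```

A servlet container percent-decodes parameter values, so an application reading the `objects` parameter still receives `|1|2` after the client encodes it this way.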