Posted to dev@tomcat.apache.org by bu...@apache.org on 2019/04/05 12:00:45 UTC

[Bug 63318] New: Invalid character found in the request target 400 error ignores ErrorReportValve

https://bz.apache.org/bugzilla/show_bug.cgi?id=63318

            Bug ID: 63318
           Summary: Invalid character found in the request target 400
                    error ignores ErrorReportValve
           Product: Tomcat 9
           Version: 9.0.17
          Hardware: PC
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Connectors
          Assignee: dev@tomcat.apache.org
          Reporter: laan@mercur.se
  Target Milestone: -----

Trying to load a page with an invalid character as the query causes a 400 error
(as expected), but this error is not passed to the ErrorReportValve. This
results in a standard error page being displayed.

Example: surf to http://localhost/?]

Output is then:
HTTP Status 400 – Bad Request
Type Exception Report

Message Invalid character found in the request target. The valid characters are
defined in RFC 7230 and RFC 3986

Description The server cannot or will not process the request due to something
that is perceived to be a client error (e.g., malformed request syntax, invalid
request message framing, or deceptive request routing).

Exception

java.lang.IllegalArgumentException: Invalid character found in the request
target. The valid characters are defined in RFC 7230 and RFC 3986
        org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:467)
        org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:294)
        org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
        org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:834)
        org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1417)
        org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
        java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
        java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
        org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        java.base/java.lang.Thread.run(Thread.java:834)
Note The full stack trace of the root cause is available in the server logs.

Apache Tomcat/9.0.17

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


[Bug 63318] Invalid character found in the request target 400 error ignores ErrorReportValve

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=63318

--- Comment #4 from Larssa Andin <la...@mercur.se> ---
Ok, I now understand what went wrong. I configured the error report valve in
the context.xml and not in the server.xml. Most (all?) other errors end up in
the context, except the 400 error that must be caught on the host level. With
better placement of the configuration it now works as expected.



[Bug 63318] Invalid character found in the request target 400 error ignores ErrorReportValve

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=63318

Michael Osipov <mi...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 OS|                            |All

--- Comment #1 from Michael Osipov <mi...@apache.org> ---
Do you expect to see the query string in question?



[Bug 63318] Invalid character found in the request target 400 error ignores ErrorReportValve

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=63318

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |INVALID
             Status|NEW                         |RESOLVED

--- Comment #3 from Mark Thomas <ma...@apache.org> ---
Testing confirms that the ErrorReportValve is used.

Please use the users mailing list if you require support on how to configure
the ErrorReportValve.



[Bug 63318] Invalid character found in the request target 400 error ignores ErrorReportValve

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=63318

Michael Osipov <mi...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |michaelo@apache.org



[Bug 63318] Invalid character found in the request target 400 error ignores ErrorReportValve

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=63318

--- Comment #5 from Mark Thomas <ma...@apache.org> ---
In this case the 400 error occurred before the web application was mapped so
there was no Context identified. In those circumstances Tomcat can't route the
request to the Context because it doesn't know which one to use.

Generally, errors that occur before mapping will be 400 errors.

A Host level ErrorReportValve should be sufficient to catch all errors.
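
A check for the placement issue this thread resolves, as an added example that is not part of the original thread or of Tomcat itself: it parses a server.xml and reports every Host that lacks a directly nested ErrorReportValve with showReport and showServerInfo set to false. The function name and the three sample documents are constructed for illustration; the nested Context in the first sample stands in for a valve configured at Context level.

```python
import xml.etree.ElementTree as ET

ERV = "org.apache.catalina.valves.ErrorReportValve"

def audit_hosts(server_xml):
    """Return {host name: [findings]}; an empty list means the Host is covered."""
    results = {}
    for host in ET.fromstring(server_xml).iter("Host"):
        # Direct children only: a valve nested in a <Context> never sees
        # errors raised before the request is mapped to a Context.
        valves = [v for v in host.findall("Valve") if v.get("className") == ERV]
        findings = [] if valves else ["no Host-level ErrorReportValve"]
        for valve in valves:
            # Both attributes default to true when omitted.
            for attr in ("showReport", "showServerInfo"):
                if valve.get(attr, "true").lower() != "false":
                    findings.append(f"{attr} is not false")
        results[host.get("name", "?")] = findings
    return results

# Constructed samples (hypothetical, minimal server.xml documents).
WRAP = ('<Server><Service name="Catalina">'
        '<Engine name="Catalina" defaultHost="localhost">'
        '<Host name="localhost" appBase="webapps">%s</Host>'
        '</Engine></Service></Server>')

# Valve only at Context level: pre-mapping 400 errors bypass it.
CONTEXT_ONLY = WRAP % (
    '<Context path="/app"><Valve className="%s" '
    'showReport="false" showServerInfo="false"/></Context>' % ERV)

# Valve at Host level with both disclosure switches turned off.
HOST_LEVEL = WRAP % (
    '<Valve className="%s" showReport="false" showServerInfo="false"/>' % ERV)

# Valve at Host level but left on its defaults.
HOST_DEFAULTS = WRAP % ('<Valve className="%s"/>' % ERV)

if __name__ == "__main__":
    for label, doc in (("context only", CONTEXT_ONLY),
                       ("host level", HOST_LEVEL),
                       ("host defaults", HOST_DEFAULTS)):
        print(label, audit_hosts(doc))
```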



[Bug 63318] Invalid character found in the request target 400 error ignores ErrorReportValve

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=63318

--- Comment #2 from Larssa Andin <la...@mercur.se> ---
No, it's really a 400 error. Query is invalid. Only problem is the information
leakage caused by not using the Error Report Valve. This is important to us as
we want to limit information leakage as much as possible.
