Posted to dev@tomcat.apache.org by bu...@apache.org on 2017/01/17 22:28:23 UTC

[Bug 60594] RFC 7230/3986 url requirement that prevents unencoded curly braces should be optional, since it breaks existing sites

https://bz.apache.org/bugzilla/show_bug.cgi?id=60594

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|regression                  |enhancement

--- Comment #1 from Mark Thomas <ma...@apache.org> ---
Given that using an unencoded '{' or '}' in a URL is contrary to the RFCs and
that the fix that tightened the validation rules was in response to a security
vulnerability (CVE-2016-6816) I think it is unlikely that an option will be
introduced to make this validation optional.

It is quite likely that some sites could safely tolerate some characters.
However, it is also likely that the 'safe' set of invalid characters will vary
from site to site. That would therefore require a more complex configuration
option than simply allowing or disallowing a fixed set of characters.

Those interested in proposing a patch should look at lines 74-78 of
org.apache.tomcat.util.http.parser.HttpParser although I'll repeat I think it
is unlikely such a patch would be accepted.

All that code is static which means configuration via system properties -
something I'd prefer to see less of rather than more of in Tomcat.

For completeness, '|' seems to be another character that is fairly widely used
in unencoded form when it should be encoded.

Finally, changes related to conformance to the relevant RFCs and Java EE
specifications are not treated as regressions. Therefore, I have moved this to
an enhancement request.

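As an added illustration of the validation the comment refers to (example code, not from the bug report and not Tomcat's HttpParser), the checker below applies the RFC 3986 path grammar to a request path: it reports every character that a strict parser would reject unencoded, such as '{', '}' and '|', and shows the percent-encoded form that passes. It assumes the path is given in raw, not-yet-encoded form and that the query string is handled separately.

```python
import re
from urllib.parse import quote

# RFC 3986 character classes for the path component of a request-target:
#   pchar = unreserved / pct-encoded / sub-delims / ":" / "@"
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")
SUB_DELIMS = set("!$&'()*+,;=")
PCHAR_EXTRA = set(":@")
PATH_CHARS = UNRESERVED | SUB_DELIMS | PCHAR_EXTRA | {"/"}
PCT_ENCODED = re.compile(r"%[0-9A-Fa-f]{2}")


def invalid_path_chars(path: str) -> list[str]:
    """Return, in order of appearance, the characters in `path` that RFC 3986
    does not permit unencoded in a path. A well-formed %XX triplet is
    accepted; a bare '%' that does not start one is reported as invalid."""
    bad = []
    i = 0
    while i < len(path):
        ch = path[i]
        if ch == "%":
            if PCT_ENCODED.match(path, i):
                i += 3  # skip the whole %XX triplet
                continue
            bad.append("%")
        elif ch not in PATH_CHARS:
            bad.append(ch)
        i += 1
    return bad


def encode_path(raw_path: str) -> str:
    """Percent-encode a raw (unencoded) path so that invalid_path_chars()
    returns nothing. Characters RFC 3986 allows in a path are kept as-is, so
    only the offending ones (e.g. '{', '}', '|', space) are rewritten."""
    return quote(raw_path, safe="".join(sorted(PATH_CHARS)))


if __name__ == "__main__":
    # Constructed sample paths of the kind the bug report describes.
    for sample in ["/api/{id}", "/report|v2", "/api/%7Bid%7D", "/bad%zz"]:
        print(sample, "->", invalid_path_chars(sample), "encoded:", encode_path(sample))
```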