Posted to users@tomcat.apache.org by Mark Thomas <ma...@apache.org> on 2021/05/26 08:09:46 UTC

Re: Tomcat8.5.53: HTTP requests parsing error

On 26/05/2021 09:02, Nada Mahmoud Ahmed Aboueata wrote:
> Dear all,
> 
> We are using Tomcat 8.5.53, and I have been noticing the attached below
> exceptions in my logs. After looking deeply at what kind of requests
> caused these exceptions, I noticed that some requests include Null http
> protocol and some special characters that cannot be handled by Tomcat.
> Also, we have noticed that these kinds of requests might crash the web
> server from time to time and cause OutOfMemoryError.

That is highly unlikely. When an invalid request is received, Tomcat 
responds with a 400 response and closes the connection. The opportunity 
for an OOME is slim to nonexistent.

> I am not sure if this issue is a bug in Tomcat 8.x that it cannot handle 
> these requests, so could you please advise what’s recommended to avoid 
> these exceptions?

The error message is clear:

"Invalid character found in the request target. The valid characters are 
defined in RFC 7230 and RFC 3986."

The client is sending an invalid HTTP request and Tomcat is, correctly, 
rejecting it.

The recommended way to address issues such as this is to fix the broken 
clients that are sending invalid HTTP requests.

Mark


> 
> 02-Mar-2021 01:33:04.846 INFO [https-jsse-nio-185.37.108.150-8443-exec-31] org.apache.coyote.http11.Http11Processor.service Error parsing HTTP request header
>  Note: further occurrences of HTTP request parsing errors will be logged at DEBUG level.
>     java.lang.IllegalArgumentException: Invalid character found in the HTTP protocol
>         at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:567)
>         at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:502)
>         at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
>         at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:818)
>         at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1623)
>         at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>         at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>         at java.lang.Thread.run(Thread.java:748)
> 
> 24-May-2021 23:04:00.693 INFO [https-jsse-nio-185.37.108.150-8443-exec-309] org.apache.coyote.http11.Http11Processor.service Error parsing HTTP request header
>  Note: further occurrences of HTTP request parsing errors will be logged at DEBUG level.
>     java.lang.IllegalArgumentException: Invalid character found in the request target. The valid characters are defined in RFC 7230 and RFC 3986
>         at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:502)
>         at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:502)
>         at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
>         at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:818)
>         at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1623)
>         at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>         at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>         at java.lang.Thread.run(Thread.java:748)
> 
> Thanks!
> 
> Nada Aboueata


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Tomcat8.5.53: HTTP requests parsing error

Posted by Mark Thomas <ma...@apache.org>.
On 26/05/2021 09:47, Nada Mahmoud Ahmed Aboueata wrote:
> Dear Mark,
> 
> Thanks for your reply,
> 
> I have tried to address the issue of invalid characters by adding the relaxedQueryChars parameter in the connector placed in server.xml, but still I am getting this exception!!
> 
> relaxedQueryChars="&#x5B;&#x5D;&#x7C;&#x7B;&#x7D;&#x5E;&#x5C;&#x60;&#x22;&#x3C;&#x3E;"

You may want to look at relaxedPathChars as well.

> Please note that we didn't face this issue with Tomcat 7.x, and we started facing the issue with Tomcat 8.x. Is this issue addressed by current releases of Tomcat?

Which part of my previous reply was not clear?

This is NOT a Tomcat issue. Tomcat is doing exactly what it is meant to 
do - implementing the HTTP specifications.

The issue is that you have one or more broken clients that are sending 
invalid HTTP requests. The correct long term way to address this issue 
is to fix the broken clients.

Tomcat 7 implemented the same checks as Tomcat 8. They were introduced 
as part of the fix for CVE-2016-6816 in 7.0.73, 8.0.39, 8.5.8 and 
9.0.0.M13 with the option to relax the checks introduced in 7.0.87, 
8.0.52 and 8.5.31, 9.0.8.

Mark
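
Added example (not part of the original thread, and not Tomcat's own parser): a Python check of a logged origin-form request line against the RFC 3986 path and query character rules and the RFC 7230 HTTP-version, reporting which connector attribute, relaxedPathChars or relaxedQueryChars, could cover each offending character. The relaxable character set is the one listed in the Tomcat connector documentation; the function names and sample request lines are constructed for illustration.

```python
import re

# RFC 3986: pchar = unreserved / pct-encoded / sub-delims / ":" / "@"
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")
SUB_DELIMS = set("!$&'()*+,;=")
PATH_OK = UNRESERVED | SUB_DELIMS | set(":@/")
QUERY_OK = PATH_OK | set("?")
# Characters the Tomcat connector docs accept in relaxedPathChars/relaxedQueryChars.
RELAXABLE = set('"<>[\\]^`{|}')
HTTP_VERSION = re.compile(r"HTTP/[0-9]\.[0-9]")  # RFC 7230 HTTP-version
PCT = re.compile(r"[0-9A-Fa-f]{2}")


def bad_chars(part, allowed):
    """Return the sorted set of characters in part that must be %-encoded."""
    bad, i = set(), 0
    while i < len(part):
        if part[i] == "%" and PCT.fullmatch(part[i + 1:i + 3]):
            i += 3  # well-formed pct-encoded triplet
            continue
        if part[i] not in allowed:
            bad.add(part[i])
        i += 1
    return "".join(sorted(bad))


def diagnose(request_line):
    """Return [(component, offending, connector_attribute_or_None), ...]."""
    fields = request_line.split(" ")
    if len(fields) != 3:
        # A raw space in the target breaks the method/target/version split.
        return [("request-line", request_line, None)]
    _method, target, version = fields
    findings = []
    if not HTTP_VERSION.fullmatch(version):
        findings.append(("protocol", version, None))  # no relaxed* attribute applies
    path, _, query = target.partition("?")
    for name, part, allowed in (("path", path, PATH_OK), ("query", query, QUERY_OK)):
        bad = bad_chars(part, allowed)
        if bad:
            # Only relaxable when every offending character is in the documented set.
            ok = all(c in RELAXABLE for c in bad)
            attr = "relaxed" + name.capitalize() + "Chars" if ok else None
            findings.append((name, bad, attr))
    return findings


# Constructed request lines, not taken from the thread's logs.
SAMPLES = [
    'GET /app/list?filter={"a":1} HTTP/1.1',
    "GET /files/report[1].pdf?x=1 HTTP/1.1",
    "GET /index.jsp HTTP/1.1\x00",
    "GET /caf\u00e9 HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(repr(line), "->", diagnose(line))
```

A finding whose attribute is None cannot be accommodated by either relaxed setting, so the only remedy is correcting the client that sent it.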




RE: [ALERT: Non-QU Sender] Re: Tomcat8.5.53: HTTP requests parsing error

Posted by Nada Mahmoud Ahmed Aboueata <na...@qu.edu.qa>.
Dear Mark,

Thanks for your reply,

I have tried to address the issue of invalid characters by adding the relaxedQueryChars parameter in the connector placed in server.xml, but still I am getting this exception!!

relaxedQueryChars="&#x5B;&#x5D;&#x7C;&#x7B;&#x7D;&#x5E;&#x5C;&#x60;&#x22;&#x3C;&#x3E;"

Please note that we didn't face this issue with Tomcat 7.x, and we started facing the issue with Tomcat 8.x. Is this issue addressed by current releases of Tomcat?

