You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by "info@flyingfischer.ch" <in...@flyingfischer.ch> on 2016/12/03 13:28:33 UTC
Valid characters in http requests: Tomcat 8.38 -> 8.39
Between Tomcat 8.38 und 8.39 there seems to be a change in handling URL
parameters:
¶mxy=1|2
This will cause Tomcat to return a 400 error since 8.39. It is the
character "|" that causes the new behaviour. I suspect these changes:
https://github.com/apache/tomcat/commit/516bda676ac8d0284da3e0295a7df70391315360
First thing to know:
Is this intended?
Second:
Anyway to restore the previous behaviour of 8.38 with a config option.
Thanks for considering!
Best regards
Markus
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: Valid characters in http requests: Tomcat 8.38 -> 8.39
Posted by "info@flyingfischer.ch" <in...@flyingfischer.ch>.
Am 03.12.2016 um 20:51 schrieb Mark Thomas:
> On 03/12/2016 19:46, info@flyingfischer.ch wrote:
>> Am 03.12.2016 um 20:29 schrieb Mark Thomas:
>>> On 03/12/2016 13:28, info@flyingfischer.ch wrote:
>>>> Between Tomcat 8.38 und 8.39 there seems to be a change in handling URL
>>>> parameters:
>>>>
>>>> ¶mxy=1|2
>>>>
>>>> This will cause Tomcat to return a 400 error since 8.39. It is the
>>>> character "|" that causes the new behaviour. I suspect these changes:
>>>>
>>>> https://github.com/apache/tomcat/commit/516bda676ac8d0284da3e0295a7df70391315360
>>>>
>>>>
>>>>
>>>> First thing to know:
>>>>
>>>> Is this intended?
>>> Yes.
>>>
>>>> Second:
>>>>
>>>> Anyway to restore the previous behaviour of 8.38 with a config option.
>>> No, since the changes were in response to a security issue.
>>>
>>> '|' is not a valid character in any part of an HTTP/1.1 request-target.
>>> You need to fix whatever broken client is sending '|' without %
>>> encoding it.
>>>
>>> Mark
>> Unfortunately (for me) this will not be possible: This is a kind of a
>> proxy/rewriter situation where I cannot control the input being sent. I
>> need to be able to deal with any kind of request you will see out there
>> in the wild.
> If a request contains and unencoded '|' in the request-target, the
> correct way to deal with it is to return a 400.
>
> Mark
Thanks for the reply. I do not question the behaviour to be correct. I
still will need to deal with it. I need kind of a browser compliant
behaviour, since this is an URL-Rewriter, running Tomcat in front. 400
is not an option in my scenario.
No better way than patch and rebuild?
Markus
>
>> I assume it is this part, responsible for the new behaviour?
>>
>> // Not valid for request target.
>> // Combination of multiple rules from RFC7230 and RFC 3986.
>> Must be
>> // ASCII, no controls plus a few additional characters excluded
>> if (IS_CONTROL[i] || i > 127 ||
>> i == ' ' || i == '\"' || i == '#' || i == '<' || i
>> == '>' || i == '\\' ||
>> i == '^' || i == '`' || i == '{' || i == '|' || i
>> == '}') {
>> IS_NOT_REQUEST_TARGET[i] = true;
>> }
>>
>> Do you see any better way to influence this, instead of patching and
>> rebuilding from scratch?
>>
>> Thanks!
>> Markus
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: Valid characters in http requests: Tomcat 8.38 -> 8.39
Posted by Mark Thomas <ma...@apache.org>.
On 03/12/2016 19:46, info@flyingfischer.ch wrote:
> Am 03.12.2016 um 20:29 schrieb Mark Thomas:
>> On 03/12/2016 13:28, info@flyingfischer.ch wrote:
>>> Between Tomcat 8.38 und 8.39 there seems to be a change in handling URL
>>> parameters:
>>>
>>> ¶mxy=1|2
>>>
>>> This will cause Tomcat to return a 400 error since 8.39. It is the
>>> character "|" that causes the new behaviour. I suspect these changes:
>>>
>>> https://github.com/apache/tomcat/commit/516bda676ac8d0284da3e0295a7df70391315360
>>>
>>>
>>>
>>> First thing to know:
>>>
>>> Is this intended?
>> Yes.
>>
>>> Second:
>>>
>>> Anyway to restore the previous behaviour of 8.38 with a config option.
>> No, since the changes were in response to a security issue.
>>
>> '|' is not a valid character in any part of an HTTP/1.1 request-target.
>> You need to fix whatever broken client is sending '|' without %
>> encoding it.
>>
>> Mark
>
> Unfortunately (for me) this will not be possible: This is a kind of a
> proxy/rewriter situation where I cannot control the input being sent. I
> need to be able to deal with any kind of request you will see out there
> in the wild.
If a request contains and unencoded '|' in the request-target, the
correct way to deal with it is to return a 400.
Mark
>
> I assume it is this part, responsible for the new behaviour?
>
> // Not valid for request target.
> // Combination of multiple rules from RFC7230 and RFC 3986.
> Must be
> // ASCII, no controls plus a few additional characters excluded
> if (IS_CONTROL[i] || i > 127 ||
> i == ' ' || i == '\"' || i == '#' || i == '<' || i
> == '>' || i == '\\' ||
> i == '^' || i == '`' || i == '{' || i == '|' || i
> == '}') {
> IS_NOT_REQUEST_TARGET[i] = true;
> }
>
> Do you see any better way to influence this, instead of patching and
> rebuilding from scratch?
>
> Thanks!
> Markus
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: Valid characters in http requests: Tomcat 8.38 -> 8.39
Posted by "info@flyingfischer.ch" <in...@flyingfischer.ch>.
Am 03.12.2016 um 20:29 schrieb Mark Thomas:
> On 03/12/2016 13:28, info@flyingfischer.ch wrote:
>> Between Tomcat 8.38 und 8.39 there seems to be a change in handling URL
>> parameters:
>>
>> ¶mxy=1|2
>>
>> This will cause Tomcat to return a 400 error since 8.39. It is the
>> character "|" that causes the new behaviour. I suspect these changes:
>>
>> https://github.com/apache/tomcat/commit/516bda676ac8d0284da3e0295a7df70391315360
>>
>>
>> First thing to know:
>>
>> Is this intended?
> Yes.
>
>> Second:
>>
>> Anyway to restore the previous behaviour of 8.38 with a config option.
> No, since the changes were in response to a security issue.
>
> '|' is not a valid character in any part of an HTTP/1.1 request-target.
> You need to fix whatever broken client is sending '|' without % encoding it.
>
> Mark
Unfortunately (for me) this will not be possible: This is a kind of a
proxy/rewriter situation where I cannot control the input being sent. I
need to be able to deal with any kind of request you will see out there
in the wild.
I assume it is this part, responsible for the new behaviour?
// Not valid for request target.
// Combination of multiple rules from RFC7230 and RFC 3986.
Must be
// ASCII, no controls plus a few additional characters excluded
if (IS_CONTROL[i] || i > 127 ||
i == ' ' || i == '\"' || i == '#' || i == '<' || i
== '>' || i == '\\' ||
i == '^' || i == '`' || i == '{' || i == '|' || i
== '}') {
IS_NOT_REQUEST_TARGET[i] = true;
}
Do you see any better way to influence this, instead of patching and
rebuilding from scratch?
Thanks!
Markus
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: Valid characters in http requests: Tomcat 8.38 -> 8.39
Posted by Mark Thomas <ma...@apache.org>.
On 03/12/2016 13:28, info@flyingfischer.ch wrote:
> Between Tomcat 8.38 und 8.39 there seems to be a change in handling URL
> parameters:
>
> ¶mxy=1|2
>
> This will cause Tomcat to return a 400 error since 8.39. It is the
> character "|" that causes the new behaviour. I suspect these changes:
>
> https://github.com/apache/tomcat/commit/516bda676ac8d0284da3e0295a7df70391315360
>
>
> First thing to know:
>
> Is this intended?
Yes.
>
> Second:
>
> Anyway to restore the previous behaviour of 8.38 with a config option.
No, since the changes were in response to a security issue.
'|' is not a valid character in any part of an HTTP/1.1 request-target.
You need to fix whatever broken client is sending '|' without % encoding it.
Mark
>
> Thanks for considering!
>
> Best regards
> Markus
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org