How to make Apache Tomcat 8.0.41 to allow the pipe character in URL GET request?

Question

Here's the error when I try to send the GET request with the URL in my java web app: my local machine url look like this http://localhost:8080/test?param1=1|2&param2=3343434

Feb 20, 2017 4:51:19 PM org.apache.coyote.http11.AbstractHttp11Processor process INFO: Error parsing HTTP request header Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level. java.lang.IllegalArgumentException: Invalid character found in the request target. The valid characters are defined in RFC 7230 and RFC 3986 at org.apache.coyote.http11.AbstractNioInputBuffer.parseRequestLine(AbstractNioInputBuffer.java:283) at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1017) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684) at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1524) at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1480) at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Unknown Source)

I would like to ask is it possible to fix this issue without changing the Apache Tomcat version or make changes to my existing code. I was wondering whether that Apache Tomcat configuration file able to disable or bypass this checking?

Answer 1

This no longer works on purpose since Tomcat 8.5.8.

There was a security bug with invalid characters in the request url.

See https://bugzilla.redhat.com/show_bug.cgi?id=1397484

Encode the pipe as %7C

Answer 2

I've been banging my head at this for the past day. I've tried using mod_rewrite in tomcat in an attempt to urlencode '|' upon entry but the error persists as it is thrown before it reaches the rewrite engine.So no luck there. The only two working solutions that I found are:

1. Place a proxy before your tomcat (nginx), which can urlencode pipe without throwing a reasonable IllegalArgumentException.
2. Change the Tomcat version (not all of them throw reasonable IllegalArgumentExceptions with pipe).At the time of writing this I can confirm the latest 8.5.11 does throw a reasonable IllegalArgumentException but 8.5.5 works fine.