
@PathVariable containing backslash quote returns 400 Bad Request

If you run this simple RestController with Spring Boot (2.5.3):

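import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class SampleRestController {

    @GetMapping("/search/{criteria}")
    public String hello(@PathVariable(name = "criteria") String criteria) {
        return "Hello: " + criteria;
    }

}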

And try to open this link in your browser:

 http://localhost:8080/search/%22%5C%22bug%5C%22%22 

Then you will get "400 Bad Request", returned by the embedded Tomcat.

I don't understand, is this a bug in Tomcat? Is this not a valid URL?

EDIT: As per some of the replies: I went step-by-step through the Tomcat 9.0.50 source-code and saw the line about ALLOW_BACKSLASH. And neither of the values true or false is good for me, because with true it replaced \ with / and with false it returns 400 Bad Request. What I needed was to allow backslash without replacing it with slash.

My question is really whether this is a bug in Tomcat, since for me the URL seems to be valid. I am not technically putting a \ into the URL, I am putting a %-encoded backslash. What is the purpose of the %-encoding if not to allow the user to send any character in the URL?

Sorin Postelnicu asked Oct 28 '25 04:10


1 Answer

Refer to Piotr P. Karwasz's comments above for a better explanation.

The Tomcat version corresponding to Spring Boot (2.5.3) is 9.0.50. By checking the source code of CoyoteAdapter and the Tomcat system property documentation, the URL checking is configured by a flag ALLOW_BACKSLASH through the system property org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH, with false as the default value.

...
    protected static final boolean ALLOW_BACKSLASH =
        Boolean.parseBoolean(System.getProperty("org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH", "false"));

...

To allow backslash in the URL, we can add the following when running the application.

-Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true

This property is replaced after Tomcat 10.0.0-M4.

Remove org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH system property, replaced by the allowBackslash attribute on the Connector. (remm)

samabcde answered Oct 30 '25 14:10
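
A simplified model of the behaviour discussed in this thread, added here as an illustration (it is not Tomcat's source and not code from the question or the answer): it decodes the question's URL path and applies the two ALLOW_BACKSLASH outcomes described above. The class and method names are hypothetical, and the decode-then-check order is an assumption consistent with the 400 the asker saw for %5C.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.Optional;

// Simplified model of the behaviour described in this thread; not Tomcat's code.
public class BackslashPathModel {

    // Decode %XX escapes in a path ('+' is left alone, unlike form decoding).
    static String percentDecode(String raw) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        for (int i = 0; i < raw.length(); i++) {
            char c = raw.charAt(i);
            if (c == '%') {
                if (i + 2 >= raw.length()) {
                    throw new IllegalArgumentException("truncated escape at " + i);
                }
                out.write(Integer.parseInt(raw.substring(i + 1, i + 3), 16));
                i += 2;
            } else {
                out.write(c); // assumption: unescaped characters are ASCII
            }
        }
        return new String(out.toByteArray(), StandardCharsets.UTF_8);
    }

    // Empty result models "400 Bad Request"; otherwise the path used for mapping.
    static Optional<String> normalize(String rawPath, boolean allowBackslash) {
        // The check runs on the decoded path, so %5C and a literal '\' look the same.
        String decoded = percentDecode(rawPath);
        if (decoded.indexOf('\\') < 0) {
            return Optional.of(decoded);
        }
        return allowBackslash
                ? Optional.of(decoded.replace('\\', '/'))
                : Optional.empty();
    }

    public static void main(String[] args) {
        String raw = "/search/%22%5C%22bug%5C%22%22"; // path from the question
        System.out.println("decoded: " + percentDecode(raw));
        for (boolean allow : new boolean[] {false, true}) {
            String result = normalize(raw, allow)
                    .map(p -> p + "  (" + (p.split("/").length - 1) + " segments)")
                    .orElse("400 Bad Request");
            System.out.println("ALLOW_BACKSLASH=" + allow + " -> " + result);
        }
    }
}
```

With the flag enabled, the single {criteria} segment turns into several path segments, which is why neither setting delivers the backslash to the controller unchanged.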


