
Tomcat 8 is not able to handle get request with '|' in query parameters?

I am using Tomcat 8. In one case I need to handle an external request coming from an external source, where the request has parameters that are separated by |.

The request looks like this:

http://localhost:8080/app/handleResponse?msg=name|id|

In this case I am getting the following error.

java.lang.IllegalArgumentException: Invalid character found in the request target. The valid characters are defined in RFC 7230 and RFC 3986
    at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:467)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:667)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:789)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1455)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)

EDIT 1

It works with Apache Tomcat 8.0.30 but not with Tomcat 8.5

ashishjmeshram asked Dec 09 '16 05:12



1 Answer

This behavior was introduced in all major Tomcat releases:

  • Tomcat 7.0.73, 8.0.39, 8.5.7

To fix, do one of the following:

  • set relaxedQueryChars to allow this character (recommended, see Lincoln's answer)
  • set the requestTargetAllow option (deprecated in Tomcat 8.5) (see Jérémie's answer)
  • you can downgrade to one of the older versions (not recommended - security)

Based on the changelog, those changes could affect this behavior:

Tomcat 8.5.3:

Ensure that requests with HTTP method names that are not tokens (as required by RFC 7231) are rejected with a 400 response

Tomcat 8.5.7:

Add additional checks for valid characters to the HTTP request line parsing so invalid request lines are rejected sooner.


The best option (following the standard) - you want to encode your URL on the client:

encodeURI("http://localhost:8080/app/handleResponse?msg=name|id|")
> http://localhost:8080/app/handleResponse?msg=name%7Cid%7C

or just the query string:

encodeURIComponent("msg=name|id|")
> msg%3Dname%7Cid%7C

It will secure you from other problematic characters (list of invalid URI characters).

Piotr Lewandowski answered Oct 13 '22 11:10
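An added example, not part of the original answer: client-side encoding that percent-encodes each parameter name and value separately so the `=` and `&` delimiters stay intact, plus a check that reports which characters in a query string fall outside the RFC 3986 query grammar the error message cites. The helper names `invalidQueryChars` and `buildQuery` are illustrative, and the character set is taken from RFC 3986, not from Tomcat's internal table.

```javascript
// Added example (not from the original post). Helper names are illustrative.
// Characters RFC 3986 permits unencoded in a query component:
// unreserved / sub-delims / ":" / "@" / "/" / "?"
const QUERY_CHAR = /[A-Za-z0-9\-._~!$&'()*+,;=:@\/?]/;
const HEX_PAIR = /^[0-9A-Fa-f]{2}$/;

// Returns the distinct characters in `query` that must be percent-encoded,
// in order of first appearance. A "%" counts as invalid unless it starts
// a well-formed %XX escape.
function invalidQueryChars(query) {
  const bad = new Set();
  for (let i = 0; i < query.length; i++) {
    const ch = query[i];
    if (ch === "%" && HEX_PAIR.test(query.slice(i + 1, i + 3))) {
      i += 2; // skip the two hex digits of a valid escape
    } else if (ch === "%" || !QUERY_CHAR.test(ch)) {
      bad.add(ch);
    }
  }
  return [...bad];
}

// Encodes each name and value on its own, so "=" and "&" inside a value are
// escaped while the delimiters between parameters stay literal.
function buildQuery(params) {
  return Object.entries(params)
    .map(([name, value]) =>
      `${encodeURIComponent(name)}=${encodeURIComponent(String(value))}`)
    .join("&");
}

// Constructed sample inputs.
const raw = "msg=name|id|";
const safe = buildQuery({ msg: "name|id|", note: "a&b=c" });
console.log(invalidQueryChars(raw));  // characters a strict parser would reject
console.log(safe);                    // query string that is safe to send
console.log(invalidQueryChars(safe)); // nothing left to encode
```

Running `invalidQueryChars` over outgoing URLs in a client test suite catches unencoded characters before a strict server rejects the request with a 400.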