https://bz.apache.org/bugzilla/show_bug.cgi?id=60616
Bug ID: 60616
Summary: Provide an option to relax Http Request Target validation
Product: Tomcat 8
Version: 8.5.x-trunk
Hardware: PC
OS: Linux
Status: NEW
Severity: critical
Priority: P2
Component: Connectors
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ----
After the upgrade from 8.0.33 I have noticed in production several "400 Bad
request" responses from Tomcat due to a new strict validation of the Request
Target.
The Code which performs the validation is HttpParser#isNotRequestTarget and in
Tomcat 8.5 it rejects characters like '|', '{' and '}'.
I know that they are not valid, but unfortunately it is not possible for me to
change third party (Java and JS) libraries which do not encode those
characters.
I run Embedded Tomcat, and so I have a very simple fix which hacks that
validation using reflection, but I would like to have at least one Java System
Property to relax that validation in an "official" way.
This is my hack, for what it's worth:
import java.lang.reflect.Field;
import org.apache.tomcat.util.http.parser.HttpParser;

// Flips the parser's "not allowed in a request target" flags back to "allowed"
// for the listed characters. The static array is modified in place, so the
// change applies to every connector in the JVM.
static void relaxRequestTargetValidation() throws ReflectiveOperationException {
    Field field = HttpParser.class.getDeclaredField("IS_NOT_REQUEST_TARGET");
    field.setAccessible(true);
    boolean[] IS_NOT_REQUEST_TARGET = (boolean[]) field.get(null);
    int[] whitelist = new int[]{' ', '\"', '#', '<', '>', '\\', '^', '`', '{', '}', '|'};
    for (int i : whitelist) {
        IS_NOT_REQUEST_TARGET[i] = false;
    }
}
I can submit a patch; my idea is to initialize the IS_NOT_REQUEST_TARGET array
in a way that those characters are considered 'whitelisted'.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
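As an added illustration, not code from the bug report or from Tomcat, of what the strict check described above rejects and what the client-side alternative to relaxing it looks like: the class below rebuilds a stand-in for HttpParser's private IS_NOT_REQUEST_TARGET table from the eleven characters in the reporter's whitelist, flags the first offending byte of a request target the way the "400 Bad request" decision does, and percent-encodes those bytes so that a third-party client library could be wrapped instead of the server being relaxed. The class name RequestTargetCheck, the sample request targets, and the assumption that control and non-ASCII bytes are rejected too (the report lists only the printable ones) are all made up for this example.

```java
import java.nio.charset.StandardCharsets;

public class RequestTargetCheck {

    // Stand-in for HttpParser's private IS_NOT_REQUEST_TARGET table, indexed
    // by byte value: true means "not allowed in a request target". Built from
    // the eleven characters listed in the report; rejecting control and
    // non-ASCII bytes as well is an assumption made for this example.
    static final boolean[] IS_NOT_REQUEST_TARGET = buildTable();

    static boolean[] buildTable() {
        boolean[] table = new boolean[256];
        for (int i = 0; i < 256; i++) {
            boolean control = i < 0x20 || i == 0x7F;
            table[i] = control || i > 0x7F;
        }
        char[] rejected = {' ', '"', '#', '<', '>', '\\', '^', '`', '{', '}', '|'};
        for (char c : rejected) {
            table[c] = true;
        }
        return table;
    }

    // Returns the index of the first rejected byte, or -1 if the target would
    // pass the strict check. This is the decision behind the "400 Bad request".
    static int firstRejectedByte(String requestTarget) {
        byte[] bytes = requestTarget.getBytes(StandardCharsets.UTF_8);
        for (int i = 0; i < bytes.length; i++) {
            if (IS_NOT_REQUEST_TARGET[bytes[i] & 0xFF]) {
                return i;
            }
        }
        return -1;
    }

    // Client-side alternative to relaxing the server: percent-encode exactly
    // the bytes the table rejects and leave everything else (including any
    // existing %XX escapes) as it is, so the server's check can stay strict.
    static String percentEncodeRejected(String requestTarget) {
        StringBuilder out = new StringBuilder();
        for (byte b : requestTarget.getBytes(StandardCharsets.UTF_8)) {
            int v = b & 0xFF;
            if (IS_NOT_REQUEST_TARGET[v]) {
                out.append('%').append(String.format("%02X", v));
            } else {
                out.append((char) v);   // only ASCII reaches this branch
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample targets resembling what an unencoded JSON filter
        // or a pipe-separated id list from a third-party client would send.
        String[] targets = {
            "/api/items?filter={\"id\":1}",
            "/api/items?ids=1|2|3",
            "/api/items?q=a%20b",
        };
        for (String target : targets) {
            int pos = firstRejectedByte(target);
            if (pos < 0) {
                System.out.println("accepted  " + target);
            } else {
                int bad = target.getBytes(StandardCharsets.UTF_8)[pos] & 0xFF;
                System.out.printf("rejected  %s  (byte %d = 0x%02X)%n", target, pos, bad);
                System.out.println("encoded   " + percentEncodeRejected(target));
            }
        }
    }
}
```

Whichever route is taken, the trade-off is the same: clearing entries in the table lets those bytes reach the application unchanged, so every component that later interprets the path or query (URL decoding, routing, logging) has to cope with them, whereas encoding on the client side keeps the server's check as strict as it ships.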