Bug 60616

Summary: Provide an option to relax Http Request Target validation
Product: Tomcat 8 Reporter: eolivelli <eolivelli>
Component: Connectors Assignee: Tomcat Developers Mailing List <dev>
Status: RESOLVED DUPLICATE
Severity: critical CC: eolivelli
Priority: P2
Version: 8.5.9
Target Milestone: ----
Hardware: PC
OS: Linux

Description eolivelli 2017-01-20 13:16:44 UTC
After the upgrade from 8.0.33 I have noticed in production several "400 Bad request" responses from Tomcat due to a new strict validation of the Request Target.

The code which performs the validation is HttpParser#isNotRequestTarget and in Tomcat 8.5 it rejects characters like '|', '{' and '}'.

I know that they are not valid, but unfortunately it is not possible for me to change third party (Java and JS) libraries which do not encode those characters.

I run Embedded Tomcat and so I have a very simple fix which hacks that validation using reflection, but I would like to have at least one Java System Property to relax that validation in an "official" way.

This is my hack, for what it's worth:

import java.lang.reflect.Field;
import org.apache.tomcat.util.http.parser.HttpParser;

// Clears the "rejected" flag for these characters in HttpParser's static lookup
// table. Must run before the first request is parsed; the caller has to handle
// NoSuchFieldException and IllegalAccessException.
Field field = HttpParser.class.getDeclaredField("IS_NOT_REQUEST_TARGET");
field.setAccessible(true);
boolean[] IS_NOT_REQUEST_TARGET = (boolean[]) field.get(null);
int[] whitelist = new int[]{' ', '\"', '#', '<', '>', '\\', '^', '`', '{', '}', '|'};
for (int i : whitelist) {
    IS_NOT_REQUEST_TARGET[i] = false;
}

I can submit a patch; my idea is to change the initialization of the IS_NOT_REQUEST_TARGET array so that those characters are considered 'whitelisted'.
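Rather than relaxing the server-side table, the lower-risk fix is to percent-encode the rejected characters before the request leaves the client, so the server keeps its strict parsing. The helper below is an added example, not Tomcat's code or the reporter's patch: it applies the RFC 7230 origin-form character rules (at least as strict as the HttpParser check described above) to detect an offending target and rewrite it so it passes; the class and method names are assumptions.

```java
import java.nio.charset.StandardCharsets;

// Added example (not Tomcat's or the reporter's code); names are assumptions.
public final class RequestTargetSanitizer {

    // Characters RFC 7230 permits in an origin-form request target: RFC 3986
    // unreserved, sub-delims, ':' '@' '/' '?', plus '%' as the pct-encoding
    // introducer. Everything else, including '|', '{', '}' and non-ASCII, fails.
    private static boolean isAllowed(int cp) {
        if ((cp >= 'a' && cp <= 'z') || (cp >= 'A' && cp <= 'Z') || (cp >= '0' && cp <= '9')) {
            return true;
        }
        return cp < 128 && "-._~!$&'()*+,;=:@/?%".indexOf(cp) >= 0;
    }

    // True when every code point would pass a strict request-target check.
    public static boolean isValidRequestTarget(String target) {
        return target.codePoints().allMatch(RequestTargetSanitizer::isAllowed);
    }

    // Percent-encodes (UTF-8) every code point strict validation would reject,
    // leaving legal characters and existing %XX sequences untouched.
    public static String sanitize(String target) {
        StringBuilder sb = new StringBuilder(target.length());
        target.codePoints().forEach(cp -> {
            if (isAllowed(cp)) {
                sb.appendCodePoint(cp);
            } else {
                byte[] utf8 = new String(Character.toChars(cp)).getBytes(StandardCharsets.UTF_8);
                for (byte b : utf8) {
                    sb.append('%').append(String.format("%02X", b & 0xFF));
                }
            }
        });
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: a JSON-like filter value a client library sends unencoded.
        String raw = "/api/search?filter={name|id}";
        System.out.println(isValidRequestTarget(raw) + "  " + raw);
        String fixed = sanitize(raw);
        System.out.println(isValidRequestTarget(fixed) + "  " + fixed);
    }
}
```

Wiring sanitize() into the outgoing request path (for example, an HTTP client interceptor) fixes the 400 responses without touching the server's validation table.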
Comment 1 Remy Maucherat 2017-01-20 13:21:45 UTC

*** This bug has been marked as a duplicate of bug 60594 ***