Bug 60616 - Provide an option to relax Http Request Target validation
Summary: Provide an option to relax Http Request Target validation
Status: RESOLVED DUPLICATE of bug 60594
Alias: None
Product: Tomcat 8
Classification: Unclassified
Component: Connectors
Version: 8.5.9
Hardware: PC Linux
Importance: P2 critical
Target Milestone: ----
Assignee: Tomcat Developers Mailing List
Depends on:
Reported: 2017-01-20 13:16 UTC by eolivelli
Modified: 2017-01-20 13:21 UTC


Description eolivelli 2017-01-20 13:16:44 UTC
After the upgrade from 8.0.33 I have noticed in production several "400 Bad request" responses from Tomcat due to a new strict validation of the Request Target.

The code which performs the validation is HttpParser#isNotRequestTarget and in Tomcat 8.5 it rejects characters like '|', '{' and '}'.

I know that they are not valid, but unfortunately it is not possible for me to change third party (Java and JS) libraries which do not encode those characters.

I run Embedded Tomcat, so I have a very simple fix which hacks that validation using reflection, but I would like to have at least one Java System Property to relax that validation in an "official" way.

This is my hack, for what it is worth:

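import java.lang.reflect.Field;
import org.apache.tomcat.util.http.parser.HttpParser;
Field field = HttpParser.class.getDeclaredField("IS_NOT_REQUEST_TARGET");
field.setAccessible(true); // needed to read a non-public field via reflection
boolean[] IS_NOT_REQUEST_TARGET = (boolean[]) field.get(null);
// Characters the parser should stop rejecting in the request target
int[] whitelist = new int[]{' ', '\"', '#', '<', '>', '\\', '^', '`', '{', '}', '|'};
for (int i : whitelist) {
    IS_NOT_REQUEST_TARGET[i] = false;
}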

I can submit a patch; my idea is to make the initialization of the IS_NOT_REQUEST_TARGET array in a way that those characters will be considered as 'whitelisted'.
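
Added example, not code from the report or from Tomcat: where the calling side can be changed, the same characters can be percent-encoded before the request is sent, so the strict parser accepts the target without any server-side patching. The class and method names (RequestTargetEncoder, firstRejected, encode) are hypothetical, and the rejected set is an assumption built from the list in the report plus control characters and non-ASCII bytes; it is not Tomcat's own table.

```java
import java.nio.charset.StandardCharsets;

public class RequestTargetEncoder {
    // Lookup table in the style the report describes: true = not allowed raw.
    // Assumption: control characters, DEL and the characters listed in the
    // report's workaround are rejected. This is not a copy of Tomcat's table.
    private static final boolean[] REJECTED = new boolean[128];
    static {
        for (int i = 0; i < 128; i++) {
            REJECTED[i] = i < 0x20 || i == 0x7f;
        }
        for (char c : " \"#<>\\^`{}|".toCharArray()) {
            REJECTED[c] = true;
        }
    }

    static boolean isRejected(int c) {
        return c > 127 || REJECTED[c];
    }

    /** Index of the first character a strict parser would reject, or -1. */
    static int firstRejected(String target) {
        for (int i = 0; i < target.length(); i++) {
            if (isRejected(target.charAt(i))) return i;
        }
        return -1;
    }

    /** Percent-encodes only the rejected characters, as UTF-8 bytes.
     *  '%' is left alone, so already-encoded sequences are not double-encoded. */
    static String encode(String target) {
        StringBuilder out = new StringBuilder();
        for (byte b : target.getBytes(StandardCharsets.UTF_8)) {
            int c = b & 0xff;
            if (isRejected(c)) {
                out.append('%').append(String.format("%02X", c));
            } else {
                out.append((char) c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        String raw = "/search?filter={\"a\"|\"b\"}"; // constructed sample target
        System.out.println("first rejected index: " + firstRejected(raw));
        System.out.println("encoded target:       " + encode(raw));
        System.out.println("still rejected:       " + (firstRejected(encode(raw)) != -1));
    }
}
```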
Comment 1 Remy Maucherat 2017-01-20 13:21:45 UTC

*** This bug has been marked as a duplicate of bug 60594 ***