Bug 62415 - RFC 7230/3986 url requirement that prevents unencoded brackets should be optional, since it breaks existing sites
Status: RESOLVED DUPLICATE of bug 62273
Product: Tomcat 8
Classification: Unclassified
Component: Catalina
Version: 8.5.x-trunk
Hardware: PC All
Importance: P2 blocker
Assignee: Tomcat Developers Mailing List
Reported: 2018-05-29 09:34 UTC by remmeier
Modified: 2018-05-29 09:51 UTC
Description remmeier 2018-05-29 09:34:39 UTC
About the same as "Bug 60594 - RFC 7230/3986 url requirement that prevents unencoded curly braces should be optional, since it breaks existing sites" but for other characters.

E.g. the JSON:API specification performs filtering with:

GET /comments?filter[post]=1 HTTP/1.1

See http://jsonapi.org/recommendations/.

In Tomcat it does not seem to be supported anymore. Newer Tomcat sources make use of:

    String prop = System.getProperty("tomcat.util.http.parser.HttpParser.requestTargetAllow");
    if (prop != null) {
        for (int i = 0; i < prop.length(); i++) {
            char c = prop.charAt(i);
            if (c == '{' || c == '}' || c == '|') {
                REQUEST_TARGET_ALLOW[c] = true;
            } else {
                log.warn(sm.getString("http.invalidRequestTargetCharacter",
                        Character.valueOf(c)));
            }
        }
    }


But for some reason it only supports { } and |. It should support [] and likely any other character as well. Currently it is not possible to use (current) Tomcat for such applications.
Comment 1 Mark Thomas 2018-05-29 09:51:35 UTC
http://jsonapi.org/recommendations/ is not compliant with RFC 7230/3986. I suggest you open a bug.

Bug 62273 implemented an extended range of options for relaxing the requirements of RFC 7230/3986 that should be sufficient for you to work around the problem until such time that the root causes are fixed.

Note that the indications are that the browser vendors do not consider this specification non-compliance as a bug.

*** This bug has been marked as a duplicate of bug 62273 ***
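
An added example, not Tomcat's code and not part of the original report or comment: a minimal Java check of the characters RFC 3986 permits in a query, showing where a strict parser stops on "filter[post]=1" and the percent-encoded form a compliant client would send instead. The class name, method names and the extraAllowed parameter are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.util.BitSet;

// Added illustration, not Tomcat source: RFC 3986 query-character check with an
// optional relaxed set, in the spirit of the allow-list shown in the report.
public class QueryCharCheck {
    private final BitSet allowed = new BitSet(128);

    // extraAllowed (hypothetical parameter): characters permitted beyond RFC 3986.
    public QueryCharCheck(String extraAllowed) {
        String alnum = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
        // query = *( pchar / "/" / "?" ): unreserved, sub-delims, ":", "@", "/", "?"
        for (char c : (alnum + "-._~" + "!$&'()*+,;=" + ":@/?" + extraAllowed).toCharArray()) {
            allowed.set(c);
        }
    }

    private static boolean isHex(char c) {
        return (c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') || (c >= 'A' && c <= 'F');
    }

    // Returns the index of the first character not permitted in the query, or -1 if valid.
    public int firstInvalid(String query) {
        for (int i = 0; i < query.length(); i++) {
            char c = query.charAt(i);
            if (c == '%') {
                // pct-encoded = "%" HEXDIG HEXDIG
                if (i + 2 >= query.length() || !isHex(query.charAt(i + 1)) || !isHex(query.charAt(i + 2))) {
                    return i;
                }
                i += 2;
            } else if (!allowed.get(c)) {
                return i;
            }
        }
        return -1;
    }

    // Percent-encodes every byte not in the allowed set; input is treated as raw, unencoded text.
    public String encode(String raw) {
        StringBuilder sb = new StringBuilder();
        for (byte b : raw.getBytes(StandardCharsets.UTF_8)) {
            int v = b & 0xFF;
            if (v < 128 && allowed.get(v)) sb.append((char) v);
            else sb.append(String.format("%%%02X", v));
        }
        return sb.toString();
    }
}
```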