[Reposted by 乐意黎] Tomcat 8.0.39 And Tomcat 8.5.8 Fails Handling Request
Source: Internet  Published by: 融合软件下载  Editor: 程序博客网  Time: 2024/06/04 19:17
Hi,
we are using tomcat 8.0.30 without problems.
I tested an upgrade to 8.0.38 today and got this error.
More environment details: JDK 8, tested on both Linux and Windows using
different JDK 8 updates (71, 111).
15-Nov-2016 17:14:51.189 INFO [http-nio-8080-exec-2] org.apache.coyote.http11.AbstractHttp11Processor.process Error parsing HTTP request header
 Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.
java.lang.IllegalArgumentException: Invalid character found in the request target. The valid characters are defined in RFC 7230 and RFC 3986
    at org.apache.coyote.http11.AbstractNioInputBuffer.parseRequestLine(AbstractNioInputBuffer.java:283)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1017)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1520)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1476)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)
The parameter in the request is this
/list?criteria={%22$type%22:%22Equal%22,%22attr%22:%22id%22,%22value%22:101}
Looks like this commit caused the exception
https://github.com/apache/tomcat80/commit/779d5d34e68e50d2f721897050b147106992f566
The commit message says:
Add additional checks for valid characters to the HTTP request line
parsing so invalid request lines are rejected sooner.
We don't get any error in 8.0.30 using the same request.
Was the behaviour in 8.0.30 a bug, or should 8.0.38 process this parameter?
criteria={%22$type%22:%22Equal%22,%22attr%22:%22id%22,%22value%22:101}
Thanks.
Regards,
Zdenek Henek
==================================================================
<snip/>
Neither '{' nor '}' are permitted characters in a URI and that includes
the query string.
Technically, 8.0.30 should have rejected the request but didn't.
As per the commit message, Tomcat has tightened up validation of
incoming HTTP requests to reject any that are not specification compliant.
For the query string, the relevant extracts from RFC 3986 are:
query = *( pchar / "/" / "?" )
pchar = unreserved / pct-encoded / sub-delims / ":" / "@"
unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~"
sub-delims = "!" / "$" / "&" / "'" / "(" / ")"
/ "*" / "+" / "," / ";" / "="
Hence, '{' and '}' are rejected.
Mark
======================================================
Mark,
Based on your explanation above, shouldn't the following query parameter
be rejected?
http://somehost/someurl?plist=tagA=valueA|tagB=valueB|tagC=valueC
where tagA, tagB, tagC, valueA, valueB, valueC are all ALPHA or DIGIT.
I didn't see "|" listed as acceptable anywhere in RFC 3986.
However, above URL works in Tomcat 8.0.39.
I ask this because a developer has used the pipe symbol to separate
components. It plays havoc with mod_security rules, among other things.
. . . a bit puzzled
/mde/
======================================================
I agree, such a request should be rejected.
I've just tested 9.0.x and 8.0.x and both rejected it. I don't think
there have been any changes since those releases. Are you sure that:
a) you are using 8.0.39
b) the client isn't encoding the '|' before it is sent to Tomcat
Me too. Any light you can shed would be helpful.
Mark
======================================================
Mark,
I did a Wireshark capture. The client is not encoding '|' before
sending. The '=' is not being encoded either.
I figured it out. I have Apache 2.2 (on Linux) or Apache 2.4 (on
Windows) in front of Tomcat.
I connect the two using mod_jk. When going through the following:
browser --> apache httpd (2.2, 2.4) -->(AJP) Tomcat (8.0.39, 8.5.8)
the request works ('|', '=', and other hideousness).
When going through the following:
browser --> Tomcat (8.0.39, 8.5.8)
the request fails with the error message as posted by the original author.
I'll go through the Apache HTTPD and mod_jk configurations carefully to
see what's going on.
However, both are pretty stock configurations.
. . . thanks for your patience
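/mde/
======================================================
The AJP checks are much less rigorous since it is assumed that the
front-end server will validate the data before forwarding. It looks like
httpd isn't as strict as Tomcat in this case.
Mark
======================================================
Mark,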
Also, the default for mod_jk JkOptions is:
JkOptions +ForwardURIProxy
which according to the documentation does a partial encoding before
sending the request off to Tomcat.
So in summary:
1. Apache HTTPD 2.2 and Apache HTTPD 2.4 are lenient when parsing URIs
2. Default JkOptions partially encode the request before sending
3. The resulting encoded URI is happily parsed by Tomcat
Remove Apache HTTPD 2.2 / Apache HTTPD 2.4 with the default mod_jk
configuration (JkOptions), and the URI will no longer work with Tomcat 8.x.
Time to get the developers to fix their code.
. . . just my two cents
/mde/
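======================================================
Added example, not part of the original thread and not Tomcat's own parser: a Python check of a query string against the RFC 3986 extract Mark quotes, run over the two requests posted above, followed by the client-side percent-encoding that makes them compliant. The function names are illustrative assumptions.

```python
from urllib.parse import quote

# RFC 3986 character classes, as quoted in the thread.
UNRESERVED = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
SUB_DELIMS = "!$&'()*+,;="
QUERY_LITERALS = frozenset(UNRESERVED + SUB_DELIMS + ":@/?")  # pchar / "/" / "?"
HEXDIG = frozenset("0123456789ABCDEFabcdef")


def query_violations(query):
    """Return (offset, char) for each character the query production rejects."""
    bad, i = [], 0
    while i < len(query):
        ch = query[i]
        if ch == "%":
            # pct-encoded = "%" HEXDIG HEXDIG; a bare or truncated "%" is invalid.
            triple = query[i + 1:i + 3]
            if len(triple) == 2 and all(c in HEXDIG for c in triple):
                i += 3
                continue
            bad.append((i, ch))
        elif ch not in QUERY_LITERALS:
            bad.append((i, ch))
        i += 1
    return bad


def encode_value(value):
    """Percent-encode one raw parameter value so the query passes the check."""
    # safe="" makes quote() escape everything except unreserved characters.
    return quote(value, safe="")


# Query strings taken from the two requests posted in the thread.
CRITERIA_QUERY = "criteria={%22$type%22:%22Equal%22,%22attr%22:%22id%22,%22value%22:101}"
PLIST_QUERY = "plist=tagA=valueA|tagB=valueB|tagC=valueC"

if __name__ == "__main__":
    for q in (CRITERIA_QUERY, PLIST_QUERY):
        print(q, "->", query_violations(q))
    # Client-side fix: encode the raw JSON value before building the URL.
    fixed = "criteria=" + encode_value('{"$type":"Equal","attr":"id","value":101}')
    print(fixed, "->", query_violations(fixed))
```

Running the same check on requests that arrive through httpd and mod_jk shows which callers still depend on the lenient front end before Tomcat is exposed directly.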
Original article: https://qnalist.com/questions/7878193/tomcat-8-0-39-and-tomcat-8-5-8-fails-handling-requsest
This article: http://blog.csdn.net/aerchi/article/details/53483526