Discussion:
Issue with square brackets [] in Tomcat 7.0.90
Jasper Timm
2018-10-30 09:53:07 UTC
Hi all,

I'm facing an issue handling square brackets which seems to have been
introduced sometime between 7.0.87 and 7.0.90.

I'm running from the Docker Hub image of Tomcat, previously 'tomcat:7-jre8',
but after that was updated to 7.0.90 I've pinned it back to
'tomcat:7.0.86-jre8', where I no longer seem to face the issue.

I'm running a .war file of some open source software called DHIS2 (v2.27).
When running 7.0.90, if I send requests of the following form:

http://<host>/api/organisationUnits?fields=parent[id]

I get the following error in the logs:

Oct 29, 2018 5:04:01 PM org.apache.coyote.http11.AbstractHttp11Processor process
INFO: Error parsing HTTP request header
Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.
java.lang.IllegalArgumentException: Invalid character found in the request target. The valid characters are defined in RFC 7230 and RFC 3986
at org.apache.coyote.http11.InternalAprInputBuffer.parseRequestLine(InternalAprInputBuffer.java:240)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1049)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
at org.apache.tomcat.util.net.AprEndpoint$SocketWithOptionsProcessor.run(AprEndpoint.java:2492)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)

If I URL encode the square brackets the request seems to be fine.

Thanks,

- Jasper
--
Jasper Timm

Lead Software Developer

<http://www.ehealthafrica.org/>

eHealth Africa
4A Renner Drive
Off Wilkinson Road (behind Monoprix Supermarket)
Freetown, Sierra Leone

mobile +232 99891119

--

<https://web.facebook.com/EHealthAfrica>
<https://twitter.com/eHealth_africa>
<https://www.linkedin.com/company/1449060/>
<https://www.instagram.com/ehealthafrica/>
<https://www.youtube.com/channel/UCcgM_HhTcg5M9Ji3Of6QmUg>
Mark Thomas
2018-10-30 10:11:04 UTC
Post by Jasper Timm
If I URL encode the square brackets the request seems to be fine.
As expected. As per RFC 7230 and RFC 3986, both '[' and ']' must be
encoded if used in the path or query string in a URI.

Request line parsing (including URI validation) was made more spec
compliant as a result of CVE-2016-6816 to reduce the risk of similar
vulnerabilities.

You can relax the validation with relaxedPathChars and/or
relaxedQueryChars on the Connector, but fixing whatever is generating the
invalid URIs is going to be a better long-term solution.

Mark

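As an added illustration (not Tomcat's own parser), the Python below applies the RFC 3986 character classes Mark cites to an origin-form request target: the DHIS2-style query with bare brackets is rejected, its percent-encoded form passes, and a relaxed_query argument mimics the relaxedQueryChars opt-out by honouring only the characters that Connector attribute may re-admit. The RELAXABLE set, the function names and the sample targets are this example's own.

```python
from urllib.parse import quote

# RFC 3986 character classes: pchar = unreserved / pct-encoded / sub-delims
# / ":" / "@"; a path allows pchar plus "/", a query adds "/" and "?".
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                 "0123456789-._~")
PCHAR = UNRESERVED | set("!$&'()*+,;=") | set(":@")
PATH_ALLOWED = PCHAR | set("/")
QUERY_ALLOWED = PCHAR | set("/?")
HEXDIGITS = set("0123456789abcdefABCDEF")

# Characters the relaxedPathChars / relaxedQueryChars Connector attributes
# may re-admit (example's own constant); anything else stays forbidden.
RELAXABLE = set('"<>[\\]^`{|}')


def first_invalid(text, allowed):
    """Index of the first character not permitted by `allowed`, or -1.
    A '%' must be followed by exactly two hex digits to count as valid."""
    i = 0
    while i < len(text):
        if text[i] == "%":
            if len(text) < i + 3 or not set(text[i + 1:i + 3]) <= HEXDIGITS:
                return i
            i += 3
        elif text[i] not in allowed:
            return i
        else:
            i += 1
    return -1


def validate_request_target(target, relaxed_path="", relaxed_query=""):
    """Check an origin-form request target ("/path?query") the way a
    strict RFC 7230 parser would. Returns (ok, detail)."""
    if not target.startswith("/"):
        return False, "request target must start with '/'"
    path, _, query = target.partition("?")
    bad = first_invalid(path, PATH_ALLOWED | (set(relaxed_path) & RELAXABLE))
    if bad >= 0:
        return False, "invalid character %r in path" % path[bad]
    bad = first_invalid(query, QUERY_ALLOWED | (set(relaxed_query) & RELAXABLE))
    if bad >= 0:
        return False, "invalid character %r in query" % query[bad]
    return True, "ok"


def encode_query_value(value):
    """Percent-encode a query value so '[' and ']' travel as %5B and %5D."""
    return quote(value, safe="")
```

A space passed via relaxed_query is ignored because it is outside RELAXABLE, matching the connector's refusal to relax characters beyond that set.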
Jasper Timm
2018-10-30 10:21:56 UTC
Thanks for the quick response, Mark. That makes sense.

I'll let the DHIS2 devs know they should stop using square brackets.

Cheers,

- Jasper