Invalid characters in request header

Yuval Schwartz
Tomcat version:8.0.43
jdk1.8.0_05

Hello,

I've asked a similar question in the past about illegal characters in the
http request header (May 15, 2017).

Certain users are able to send http requests to my server that contain the
space character.
This character is obviously not allowed. Tomcat recognizes it and throws an
IllegalArgumentException and a http response code 400 is returned to the
client.
From my logs:

*Error parsing HTTP request header...*
*java.lang.IllegalArgumentException: Invalid character found in the request target. The valid characters are defined in RFC 7230 and RFC 3986*

Is there any way to validate the url before it reaches tomcat so that I can
return a 404 if an invalid character is found in the url? I would just like
to avoid exceptions being thrown where possible.

Thank you.

Re: Invalid characters in request header

Martynas Jusevičius
How is 404 better than 400?

On Sat, Sep 9, 2017 at 9:46 AM, Yuval Schwartz <[hidden email]>
wrote:

> Tomcat version:8.0.43
> jdk1.8.0_05
>
> Hello,
>
> I've asked a similar question in the past about illegal characters in the
> http request header (May 15, 2017).
>
> Certain users are able to send http requests to my server that contain the
> space character.
> This character is obviously not allowed. Tomcat recognizes it and throws an
> IllegalArgumentException and a http response code 400 is returned to the
> client.
> From my logs:
>
> *Error parsing HTTP request header...*
> *java.lang.IllegalArgumentException: Invalid character found in the request target. The valid characters are defined in RFC 7230 and RFC 3986*
>
> Is there any way to validate the url before it reaches tomcat so that I can
> return a 404 if an invalid character is found in the url? I would just like
> to avoid exceptions being thrown where possible.
>
> Thank you.
>

Re: Invalid characters in request header

Yuval Schwartz
Hello Martynas, thanks.

I'm not sure 404 is better than 400.

Wouldn't it be preferable to validate the url before it has a chance to
throw the exception?
I guess my only reason for preferring this is because I don't want it
crowding up my logs.
I figure if I can filter it out beforehand then it's not really an
exception? But I would be happy to hear thoughts on this as I'm still
fairly new to programming. I'm not sure what is considered best practice
here.

Thanks.

On Sat, Sep 9, 2017 at 12:24 PM, Martynas Jusevičius <[hidden email]> wrote:

> How is 404 better than 400?

Re: Invalid characters in request header

Martynas Jusevičius
Tomcat is an HTTP server, and if your client is sending invalid HTTP
requests, Tomcat is right to respond with 400. The solution is to fix the
client.

On Sat, Sep 9, 2017 at 12:09 PM, Yuval Schwartz <[hidden email]>
wrote:

> Hello Martynas, thanks.
>
> I'm not sure 404 is better than 400.
>
> Wouldn't it be preferable to validate the url before it has a chance to
> throw the exception?
> I guess my only reason for preferring this is because I don't want it
> crowding up my logs.
> I figure if I can filter it out beforehand then it's not really an
> exception? But I would be happy to hear thoughts on this as I'm still
> fairly new to programming. I'm not sure what is considered best practice
> here.
>
> Thanks.

Re: Invalid characters in request header

Yuval Schwartz
Is that in my control? The url is not one that appears on my website, it's
something that was manually written by some client.

On Sat, Sep 9, 2017 at 1:12 PM, Martynas Jusevičius <[hidden email]>
wrote:

> Tomcat is an HTTP server, and if your client is sending invalid HTTP
> requests, Tomcat is right to respond with 400. The solution is to fix the
> client.

Re: Invalid characters in request header

Martynas Jusevičius
Well then you're out of luck. Everything is as expected though, at least on
your end -- client sends invalid request, gets error response. What else do
you need?

On Sat, Sep 9, 2017 at 12:13 PM, Yuval Schwartz <[hidden email]>
wrote:

> Is that in my control? The url is not one that appears on my website, it's
> something that was manually written by some client.

Re: Invalid characters in request header

Alex O'Ree-2
Is there a way to log whatever the offending header was?

On Sep 9, 2017 6:30 AM, "Martynas Jusevičius" <[hidden email]>
wrote:

> Well then you're out of luck. Everything is as expected though, at least on
> your end -- client sends invalid request, gets error response. What else do
> you need?

Re: Invalid characters in request header

Christopher Schultz-2
In reply to this post by Martynas Jusevičius

Martynas,

On 9/9/17 6:29 AM, Martynas Jusevičius wrote:
> Well then you're out of luck. Everything is as expected though, at
> least on your end -- client sends invalid request, gets error
> response. What else do you need?

He's specifically asking for a way to stop logging this error,
possibly by filtering before the error has a chance to be logged.

Yuval, there is no way to do this with Tomcat. If you are fronting
Tomcat with a web server, that's probably the place to do this kind of
filtering.

-chris
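
Added example, not part of the thread and not Tomcat's own parser: a character-level check that a front end or a log-triage script could run on a raw request line, reporting every character in the request-target that falls outside the RFC 3986 character set, along with malformed percent-escapes. The function names and the sample request lines are constructed for illustration.

```python
import re

# RFC 3986 character classes; "%" is valid only as the start of a %XX escape.
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")
GEN_DELIMS = set(":/?#[]@")
SUB_DELIMS = set("!$&'()*+,;=")
ALLOWED = UNRESERVED | GEN_DELIMS | SUB_DELIMS
HEX = set("0123456789abcdefABCDEF")


def invalid_target_chars(target):
    """Return [(offset, char), ...] for each character RFC 3986 does not allow."""
    bad, i = [], 0
    while i < len(target):
        c = target[i]
        if c == "%":
            # A percent sign must be followed by exactly two hex digits.
            if len(target) - i >= 3 and set(target[i + 1:i + 3]) <= HEX:
                i += 3
                continue
            bad.append((i, c))
        elif c not in ALLOWED:
            bad.append((i, c))
        i += 1
    return bad


def check_request_line(line):
    """Split 'METHOD SP target SP HTTP/x.y' and report offending target characters."""
    # The target is everything between the first and the last space, so a raw
    # space inside the URL becomes a finding instead of a bare parse failure.
    method, _, rest = line.partition(" ")
    target, _, version = rest.rpartition(" ")
    if not method or not target or not re.fullmatch(r"HTTP/\d\.\d", version):
        return {"target": None, "bad": [], "reject": True}
    bad = invalid_target_chars(target)
    return {"target": target, "bad": bad, "reject": bool(bad)}


# Constructed sample request lines (not taken from the thread's logs).
SAMPLES = [
    "GET /search?q=hello%20world HTTP/1.1",  # space correctly escaped
    "GET /search?q=hello world HTTP/1.1",    # raw space, the case in this thread
    "GET /a|b?x=%zz HTTP/1.1",               # pipe and broken percent-escape
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "->", check_request_line(s))
```

The offsets in `bad` identify the offending characters, which is the detail the Tomcat log message quoted in the thread does not include.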