Issue with square brackets [] in Tomcat 7.0.90

Jasper Timm
Hi all,

I'm facing an issue handling square brackets which seems to have been
introduced sometime between 7.0.87 and 7.0.90.

I'm running from the Docker Hub image of Tomcat, previously 'tomcat:7-jre8',
but after that was updated to 7.0.90 I've pinned it back to
'tomcat:7.0.86-jre8', where I no longer seem to face the issue.

I'm running a .war file of some open source software called DHIS2 (v2.27).
When running 7.0.90, if I send requests of the following form:

http://<host>/api/organisationUnits?fields=parent[id]

I get the following error in the logs:

Oct 29, 2018 5:04:01 PM org.apache.coyote.http11.AbstractHttp11Processor process
INFO: Error parsing HTTP request header
Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.
java.lang.IllegalArgumentException: Invalid character found in the request target. The valid characters are defined in RFC 7230 and RFC 3986
    at org.apache.coyote.http11.InternalAprInputBuffer.parseRequestLine(InternalAprInputBuffer.java:240)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1049)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
    at org.apache.tomcat.util.net.AprEndpoint$SocketWithOptionsProcessor.run(AprEndpoint.java:2492)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)

If I URL encode the square brackets the request seems to be fine.

Thanks,

- Jasper

--

Jasper Timm

Lead Software Developer

<http://www.ehealthafrica.org/>

eHealth Africa
4A Renner Drive
Off Wilkinson Road (behind Monoprix Supermarket)
Freetown, Sierra Leone

mobile +232 99891119

--

<https://web.facebook.com/EHealthAfrica>
<https://twitter.com/eHealth_africa>
<https://www.linkedin.com/company/1449060/>
<https://www.instagram.com/ehealthafrica/>
<https://www.youtube.com/channel/UCcgM_HhTcg5M9Ji3Of6QmUg>

Re: Issue with square brackets [] in Tomcat 7.0.90

markt
On 30/10/18 09:53, Jasper Timm wrote:

> Hi all,
>
> I'm facing an issue handling square brackets which seems to have been
> introduced sometime between 7.0.87 and 7.0.90.
>
> I'm running from the Docker Hub image of Tomcat, previously 'tomcat:7-jre8',
> but after that was updated to 7.0.90 I've pinned it back to
> 'tomcat:7.0.86-jre8', where I no longer seem to face the issue.
>
> I'm running a .war file of some open source software called DHIS2 (v2.27).
> When running 7.0.90, if I send requests of the following form:
>
> http://<host>/api/organisationUnits?fields=parent[id]
>
> I get the following error in the logs:
>
> Oct 29, 2018 5:04:01 PM org.apache.coyote.http11.AbstractHttp11Processor process
> INFO: Error parsing HTTP request header
> Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.
> java.lang.IllegalArgumentException: Invalid character found in the request target. The valid characters are defined in RFC 7230 and RFC 3986
>     at org.apache.coyote.http11.InternalAprInputBuffer.parseRequestLine(InternalAprInputBuffer.java:240)
>     at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1049)
>     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
>     at org.apache.tomcat.util.net.AprEndpoint$SocketWithOptionsProcessor.run(AprEndpoint.java:2492)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>     at java.lang.Thread.run(Thread.java:748)
>
> If I URL encode the square brackets the request seems to be fine.

As expected. As per RFC 7230 and RFC 3986, both '[' and ']' must be
encoded if used in the path or query string of a URI.

Request line parsing (including URI validation) was made more spec
compliant as a result of CVE-2016-6816 to reduce the risk of similar
vulnerabilities.

You can relax the validation with relaxedPathChars and/or
relaxedQueryChars on the Connector, but fixing whatever is generating the
invalid URIs is going to be a better long-term solution.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
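
As an added example (not code from this thread, from Tomcat, or from DHIS2), the following Python script applies the RFC 3986 character rules Mark refers to: a path may contain pchar plus "/", a query may contain pchar plus "/" and "?", and pchar is unreserved, sub-delims, ":" and "@" or a well-formed %XX escape. "[" and "]" are gen-delims and therefore fall outside both sets. The script reports which characters of a request target Tomcat would reject, percent-encodes them so the request passes, and models the relaxedPathChars / relaxedQueryChars escape hatch. The RELAXABLE set is the list of characters the Tomcat Connector documentation allows in those attributes; the function names and the sample request target (taken from Jasper's message) are this example's own.

```python
"""Check an HTTP request target (origin form: path plus optional ?query)
against the RFC 3986 character rules that Tomcat enforces when parsing the
request line, and percent-encode it so that it passes."""

UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")
SUB_DELIMS = set("!$&'()*+,;=")
PCHAR = UNRESERVED | SUB_DELIMS | set(":@")          # RFC 3986 section 3.3
PATH_ALLOWED = PCHAR | set("/")                      # path = segments of pchar
QUERY_ALLOWED = PCHAR | set("/?")                    # query = *( pchar / "/" / "?" )
HEX = set("0123456789abcdefABCDEF")
# Characters the Connector's relaxedPathChars / relaxedQueryChars attributes
# may admit (per the Tomcat Connector documentation); anything else listed
# there is ignored, so the model below ignores it too.
RELAXABLE = set('"<>[\\]^`{|}')


def _is_pct_escape(component: str, i: int) -> bool:
    """True if component[i:i+3] is a well-formed %XX escape."""
    trip = component[i + 1:i + 3]
    return component[i] == "%" and len(trip) == 2 and all(h in HEX for h in trip)


def invalid_chars(component: str, allowed: set) -> list:
    """Characters in `component` that may not appear literally. A '%' counts
    as valid only when it starts a %XX escape (so 'a%5' is rejected)."""
    bad, i = set(), 0
    while i < len(component):
        if _is_pct_escape(component, i):
            i += 3
            continue
        if component[i] not in allowed:
            bad.add(component[i])
        i += 1
    return sorted(bad)


def split_target(target: str):
    """Split an origin-form request target into (path, query-or-None)."""
    path, sep, query = target.partition("?")
    return path, (query if sep else None)


def check_target(target: str) -> dict:
    """Map each component to the characters Tomcat would reject in it."""
    path, query = split_target(target)
    problems = {"path": invalid_chars(path, PATH_ALLOWED)}
    if query is not None:
        problems["query"] = invalid_chars(query, QUERY_ALLOWED)
    return problems


def tomcat_accepts(target: str, relaxed_path: str = "", relaxed_query: str = "") -> bool:
    """Model of the Connector check: every offending character must be one
    that the corresponding relaxed*Chars attribute admits."""
    problems = check_target(target)
    path_ok = set(problems["path"]) <= (set(relaxed_path) & RELAXABLE)
    query_ok = set(problems.get("query", [])) <= (set(relaxed_query) & RELAXABLE)
    return path_ok and query_ok


def encode_component(component: str, allowed: set) -> str:
    """Percent-encode every character outside `allowed`, leaving existing
    %XX escapes untouched so nothing is double-encoded."""
    out, i = [], 0
    while i < len(component):
        if _is_pct_escape(component, i):
            out.append(component[i:i + 3])
            i += 3
            continue
        c = component[i]
        out.append(c if c in allowed else "".join("%%%02X" % b for b in c.encode("utf-8")))
        i += 1
    return "".join(out)


def encode_target(target: str) -> str:
    """Return the request target with path and query encoded per RFC 3986."""
    path, query = split_target(target)
    encoded = encode_component(path, PATH_ALLOWED)
    if query is not None:
        encoded += "?" + encode_component(query, QUERY_ALLOWED)
    return encoded


if __name__ == "__main__":
    # Sample target constructed from the request in the thread.
    target = "/api/organisationUnits?fields=parent[id]"
    print(check_target(target))            # {'path': [], 'query': ['[', ']']}
    print(tomcat_accepts(target))          # False: the default Connector rejects it
    print(tomcat_accepts(target, relaxed_query="[]"))  # True, but only with relaxation
    print(encode_target(target))           # /api/organisationUnits?fields=parent%5Bid%5D
```

The encoded form is what a client (here the DHIS2 front end) should be sending in the first place; `relaxedQueryChars="[]"` on the Connector makes the same request parse without any client change, which is the stop-gap Mark describes, not the fix.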


Re: Issue with square brackets [] in Tomcat 7.0.90

Jasper Timm
Thanks for the quick response Mark. That makes sense.

I'll let the DHIS2 devs know they should stop using square brackets.

Cheers,

- Jasper

On Tue, Oct 30, 2018 at 10:11 AM Mark Thomas <[hidden email]> wrote:
