Tomcat seems to accept all characters in a URL


Boris Petrov
Hi all,

I'm trying to figure out why Tomcat 9.0.44 seems to accept this URL:

https://some-domain.com/[foo: "bar@asd/qwe%25rty'zzzqqq{rrr|ttt]

Even when I haven't specified any "relaxedPathChars" (or when I
explicitly set it to an empty string). Note all the special characters
in it, including the space.

This is not the case with the embedded Tomcat. There this doesn't work
(and a status code of 400 is returned as expected).

What am I missing? Can you tell me where to start with debugging this?

Regards,
Boris


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: Tomcat seems to accept all characters in a URL

markt
On 23/03/2021 16:09, Boris Petrov wrote:

> Hi all,
>
> I'm trying to figure out why Tomcat 9.0.44 seems to accept this URL:
>
> https://some-domain.com/[foo: "bar@asd/qwe%25rty'zzzqqq{rrr|ttt]
>
> Even when I haven't specified any "relaxedPathChars" (or when I
> explicitly set it to an empty string). Note all the special characters
> in it, including the space.
>
> This is not the case with the embedded Tomcat. There this doesn't work
> (and a status code of 400 is returned as expected).
>
> What am I missing? Can you tell me where to start with debugging this?

Look at the access log. What URI did the client actually send?

Mark


Re: Tomcat seems to accept all characters in a URL

Boris Petrov
On 3/23/21 6:25 PM, Mark Thomas wrote:

> On 23/03/2021 16:09, Boris Petrov wrote:
>> Hi all,
>>
>> I'm trying to figure out why Tomcat 9.0.44 seems to accept this URL:
>>
>> https://some-domain.com/[foo: "bar@asd/qwe%25rty'zzzqqq{rrr|ttt]
>>
>> Even when I haven't specified any "relaxedPathChars" (or when I
>> explicitly set it to an empty string). Note all the special
>> characters in it, including the space.
>>
>> This is not the case with the embedded Tomcat. There this doesn't
>> work (and a status code of 400 is returned as expected).
>>
>> What am I missing? Can you tell me where to start with debugging this?
> Look at the access log. What URI did the client actually send?
>
> Mark

Exactly the same as what I send:

[23/Mar/2021:18:00:51 +0200] "GET /[foo: "bar@asd/qwe%25rty'zzzqqq{rrr|ttt] HTTP/2.0" 200 3440

I use this curl command:

curl -vvvkg "https://some-domain.com/[foo: \"bar@asd/qwe%25rty'zzzqqq{rrr|ttt]"

Thanks!

