[Reposted by 乐意黎] Tomcat 8.0.39 And Tomcat 8.5.8 Fails Handling Request

Hi,
We are using Tomcat 8.0.30 without problems.
I tested an upgrade to 8.0.38 today and I got this error.
More environment details: JDK 8, tested on both Linux and Windows using different
JDK 8 updates (71, 111).
15-Nov-2016 17:14:51.189 INFO [http-nio-8080-exec-2] org.apache.coyote.http11.AbstractHttp11Processor.process Error parsing HTTP request header
 Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.
 java.lang.IllegalArgumentException: Invalid character found in the request target. The valid characters are defined in RFC 7230 and RFC 3986
    at org.apache.coyote.http11.AbstractNioInputBuffer.parseRequestLine(AbstractNioInputBuffer.java:283)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1017)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1520)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1476)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)
The parameter in the request is this
/list?criteria={%22$type%22:%22Equal%22,%22attr%22:%22id%22,%22value%22:101}
Looks like this commit caused the exception
https://github.com/apache/tomcat80/commit/779d5d34e68e50d2f721897050b147106992f566
The commit message says:
Add additional checks for valid characters to the HTTP request line
parsing so invalid request lines are rejected sooner.
We don't get any error in 8.0.30 using the same request.
Was the behaviour in 8.0.30 a bug, or should 8.0.38 process the parameter
criteria={%22$type%22:%22Equal%22,%22attr%22:%22id%22,%22value%22:101}
?
Thanks.
Regards,
Zdenek Henek
==================================================================
<snip/>
Neither '{' nor '}' are permitted characters in a URI and that includes
the query string.
Technically, 8.0.30 should have rejected the request but didn't.
As per the commit message, Tomcat has tightened up validation of
incoming HTTP requests to reject any that are not specification compliant.
For the query string, the relevant extracts from RFC 3986 are:
query = *( pchar / "/" / "?" )
pchar = unreserved / pct-encoded / sub-delims / ":" / "@"
unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~"
sub-delims = "!" / "$" / "&" / "'" / "(" / ")"
/ "*" / "+" / "," / ";" / "="
Hence, '{' and '}' are rejected.
Mark
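
An added example (not part of the original thread, and not Tomcat's own parser): a Python check of the RFC 3986 query grammar quoted above, applied to the two query strings posted in this thread. The function names are illustrative.

```python
import re
from urllib.parse import quote

# RFC 3986 character classes, as quoted in the reply above.
UNRESERVED = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
SUB_DELIMS = "!$&'()*+,;="
QUERY_LITERALS = set(UNRESERVED + SUB_DELIMS + ":@/?")
PCT_ENCODED = re.compile(r"%[0-9A-Fa-f]{2}")


def invalid_query_chars(query):
    """Return (offset, char) for every character that violates
    query = *( pchar / "/" / "?" )."""
    bad = []
    i = 0
    while i < len(query):
        if PCT_ENCODED.match(query, i):
            i += 3  # a well-formed pct-encoded triplet
            continue
        if query[i] not in QUERY_LITERALS:
            bad.append((i, query[i]))  # also catches a bare '%'
        i += 1
    return bad


def encode_invalid(query):
    """Percent-encode only the offending characters, leaving existing
    pct-encoded triplets and delimiters such as '=' and '&' untouched."""
    bad_offsets = {pos for pos, _ in invalid_query_chars(query)}
    return "".join(
        quote(ch, safe="") if i in bad_offsets else ch
        for i, ch in enumerate(query)
    )


# Query strings from the two requests discussed in this thread.
JSON_QUERY = "criteria={%22$type%22:%22Equal%22,%22attr%22:%22id%22,%22value%22:101}"
PIPE_QUERY = "plist=tagA=valueA|tagB=valueB|tagC=valueC"

if __name__ == "__main__":
    for q in (JSON_QUERY, PIPE_QUERY):
        print(q)
        print("  rejected chars:", invalid_query_chars(q))
        print("  compliant form:", encode_invalid(q))
```

Only the braces and the pipe are flagged; the already encoded `%22` quotes and the `$`, `:`, `,` and `=` characters pass the grammar unchanged.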
======================================================
Mark,
Based on your explanation above, shouldn't the following query parameter
be rejected?
http://somehost/someurl?plist=tagA=valueA|tagB=valueB|tagC=valueC
where tagA, tagB, tagC, valueA, valueB, valueC are all ALPHA or DIGIT.
I didn't see "|" listed as acceptable anywhere in RFC 3986.
However, above URL works in Tomcat 8.0.39.
I ask this because a developer has used the pipe symbol to separate
components. It plays havoc with mod_security rules, among other things.
. . . a bit puzzled
/mde/
======================================================
I agree, such a request should be rejected.
I've just tested 9.0.x and 8.0.x and both rejected it. I don't think
there have been any changes since those releases. Are you sure that:
a) you are using 8.0.39
b) the client isn't encoding the '|' before it is sent to Tomcat
Me too. Any light you can shed would be helpful.
Mark
======================================================
Mark,
I did a Wireshark capture. The client is not encoding '|' before
sending. The '=' is not being encoded either.
I figured it out. I have Apache 2.2 (on Linux) or Apache 2.4 (on
Windows) in front of Tomcat.
I connect the two using mod_jk. When going through the following:
browser --> apache httpd (2.2, 2.4) -->(AJP) Tomcat (8.0.39, 8.5.8)
the request works ('|', '=', and other hideousness).
When going through the following:
browser --> Tomcat (8.0.39, 8.5.8)
the request fails with the error message as posted by the original author.
I'll go through the Apache HTTPD and mod_jk configurations carefully to
see what's going on.
However, both are pretty stock configurations.
. . . thanks for your patience
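/mde/
======================================================
The AJP checks are much less rigorous since it is assumed that the
front-end server will validate the data before forwarding. It looks like
httpd isn't as strict as Tomcat in this case.
Mark
======================================================
Mark,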
Also, the default for mod_jk JkOptions is:
JkOptions +ForwardURIProxy
which according to the documentation does a partial encoding before
sending the request off to Tomcat.
So in summary:
1. Apache HTTPD 2.2 and Apache HTTPD 2.4 are lenient when parsing URIs
2. Default JkOptions partially encode the request before sending
3. The resulting encoded URI is happily parsed by Tomcat
Remove Apache HTTPD 2.2 / Apache HTTPD 2.4 with the default mod_jk
configuration (JkOptions) and the URI will no longer work with Tomcat 8.x.
Time to get the developers to fix their code.
. . . just my two cents
/mde/

Original source: https://qnalist.com/questions/7878193/tomcat-8-0-39-and-tomcat-8-5-8-fails-handling-requsest

This article's address: http://blog.csdn.net/aerchi/article/details/53483526