Closed Bug 1451347 Opened 6 years ago Closed 6 years ago

|, {, } are not encoded as should be in RFC 7230 and RFC 3986

Categories

(Core :: Networking: HTTP, defect)

Product:
Core
Component:
Networking: HTTP
Version:
59 Branch
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: psuwala, Unassigned)

Details

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36

Steps to reproduce:

Visiting any page on newer Tomcat 9.0.* and >8.5.12 using '{', '}' or '|' in url will make request rejected.


Actual results:

This will happen on server:

java.lang.IllegalArgumentException: Invalid character found in the request target. The valid characters are defined in RFC 7230 and RFC 3986
	at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:476)
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:687)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:790)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1459)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:748)

As characters are not escaped, and page will be displayed with 400.


Expected results:

Page should be displayed.
OS: Unspecified → Mac OS X
Hardware: Unspecified → x86_64
Can you please provide the URL you are having issues with?
Flags: needinfo?(psuwala)
Component: Untriaged → Networking: HTTP
Product: Firefox → Core
Hello,

This error is concerned with this: https://bz.apache.org/bugzilla/show_bug.cgi?id=60594.
Newest browser should already escape '{|}'.

Examples of urls:
http://my.com?filter={"search":"isvalid"}
http://localhost:8090/jira/browse/SSP-15?jql=%20text%20=%20{ksi|delta}

It is possible in 8.5.* tomcat to allow '{|}' however in 9.0.* it is not.
Flags: needinfo?(psuwala)
Per https://url.spec.whatwg.org/#query-state
{|} do not need to be encoded in the query

Firefox exhibits the same behaviour as other browsers.
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.