[MGNLTOMCAT-6] Tomcat 9 less tolerant on special characters (compared to Tomcat 8) Created: 20/Jul/18  Updated: 05/May/21  Resolved: 13/Aug/18

Status: Closed
Project: Barebones Tomcat Bundle
Component/s: None
Affects Version/s: 1.0.1, 1.1.1
Fix Version/s: 1.0.3, 1.1.2

Type: Bug
Priority: Major
Reporter: Christoph Meier
Assignee: Hieu Nguyen Duc
Resolution: Fixed
Votes: 1
Labels: None
Remaining Estimate: 0d
Time Spent: 2.25d
Original Estimate: 1.5d

Issue Links:
Relates
relates to DOCU-2176 Document Tomcat relaxedQueryChars in ... Closed
causality
relation
is related to MGNLREST-305 Brackets In Filtered Rest Calls Do No... Closed
Release notes required:
Yes
Sprint: Saigon 151
Story Points: 2

 Description   

Summary
With Tomcat 9 (9.0.8 on barebone-1.1), certain characters in a URI lead to an error; the same characters were accepted on our Tomcat-8 on barebone-1.0.
We should aim to allow the same characters as we did on Tomcat-8.

Error on Tomcat 9.0.8

java.lang.IllegalArgumentException: Invalid character found in the request target. The valid characters are defined in RFC 7230 and RFC 3986

(See gist for the complete stack trace)
This did not happen with the barebone-1.0.

Example

curl -g -G "<protocol>//<host>/<context>/.rest/delivery/pagesWithComponents/v1" --data-urlencode "title[like]=%Company%" -u superuser:superuser

Tomcat 9, the way we have configured it, fails on the chars [ ] but accepts |.
Tomcat 8 accepted both pipe and square brackets.

Further reading

 

Possible solution

Set relaxedQueryChars property on Connector.
Example:

<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
relaxedQueryChars="[]|{}^&#x5c;&#x60;&quot;&lt;&gt;"
redirectPort="8443" />

 See
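
Added example, not part of the original ticket or of Magnolia's code: a least-privilege check for the relaxedQueryChars setting proposed above. It parses a server.xml and reports, per Connector, which relaxed characters go beyond the set this ticket needs ([ ] |, taken here as an assumption); the sample XML, the ports 8081 and 8009, and the function name audit_connectors are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Characters Tomcat's configuration reference permits in relaxedQueryChars;
# anything else in the attribute value is ignored by Tomcat.
RELAXABLE = set('"<>[\\]^`{|}')
# Assumption taken from this ticket: the REST filter syntax needs only these.
NEEDED = set("[]|")

# Constructed sample: the Connector from the ticket, a narrower one that also
# carries a character outside the permitted list, and one with no relaxation.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
 relaxedQueryChars="[]|{}^&#x5c;&#x60;&quot;&lt;&gt;"
 redirectPort="8443" />
<Connector port="8081" protocol="HTTP/1.1" relaxedQueryChars="[]|~" />
<Connector port="8009" protocol="AJP/1.3" />
</Service></Server>"""


def audit_connectors(server_xml, needed=NEEDED):
    """Return one finding per <Connector> element, in document order."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        # ElementTree has already decoded the XML entities at this point.
        raw = set(conn.get("relaxedQueryChars", ""))
        relaxed = raw & RELAXABLE
        findings.append({
            "port": conn.get("port"),
            "relaxed": "".join(sorted(relaxed)),
            # Needed by the application but still rejected unencoded.
            "missing": "".join(sorted(needed - relaxed)),
            # Accepted unencoded although nothing in the ticket requires it.
            "excess": "".join(sorted(relaxed - needed)),
            # Present in the attribute but not relaxable, so without effect.
            "ignored": "".join(sorted(raw - RELAXABLE)),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_connectors(SAMPLE_SERVER_XML):
        print(finding)
```

A non-empty "excess" means the connector accepts more unencoded characters than the application needs; a non-empty "missing" means requests like the curl example above will still be rejected on that connector.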



 Comments   
Comment by Mikaël Geljić [ 20/Jul/18 ]

Since MGNLTOMCAT-5, all branches were updated to Tomcat 8.5.31; so in addition to 5.7, they are *all* likely affected, starting from:

  • 5.6.7+, from 8.5.5
  • 5.5.11+, from 8.5.5
  • 5.4.17+, from tomcat 7 (bea6a51)
Comment by Hieu Nguyen Duc [ 08/Aug/18 ]

Square brackets and pipe will be supported in Magnolia 6, 5.7.2, 5.6.9, 5.5.13.

Comment by Ngoc Nguyenthanh [ 15/Aug/18 ]

Tested on normal cases. Not enough knowledge on advanced security tests.

We should consider keeping the Tomcat version of the REST integration tests in sync with the Tomcat bare-bone. If it's in sync, we will know about the issue sooner.

I'll close the ticket because the issue has been fixed.
