urltomcat9invalid-characters

Can Tomcat 9 Remove Invalid Characters on the URL


I noticed that if a user purposefully enters an invalid URL character such as "[" or "]" on the URL an exception is thrown by Tomcat. I'm using JSP and the page code is never reached to allow cleaning or encoding of the parameter. Is it possible for Tomcat to automatically encode or remove non-valid characters from the URL?

Example:  https://someserver.com?identNum=1234567[foobar]

HTTP Status 400 – Bad Request

Type Exception Report

Message Invalid character found in the request target. The valid characters are defined in RFC 7230 and RFC 3986

Description The server cannot or will not process the request due to something that is perceived to be a client error (e.g., malformed request syntax, invalid request message framing, or deceptive request routing).

Exception

java.lang.IllegalArgumentException: Invalid character found in the request target. The valid characters are defined in RFC 7230 and RFC 3986
    org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:467)
    org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:294)
    org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
    org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:834)
    org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1417)
    org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    java.base/java.lang.Thread.run(Thread.java:834)

Note The full stack trace of the root cause is available in the server logs.

Solution

  • Sorry, no. Invalid requests are rejected.

    You can optionally allow those invalid characters but that is not recommended as it is not specification compliant behaviour.