Skip to content

Provide configuration properties for configuring Tomcat's relaxed path and query chars #17510

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 2 commits into from
Closed

Provide configuration properties for configuring Tomcat's relaxed path and query chars #17510

wants to merge 2 commits into from

Conversation

dirkdeyne
Copy link
Contributor

Make Tomcat's Context attributes relaxedPathChars and relaxedQueryChars configurable in application.properties

Fixes gh-17509

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Jul 14, 2019
@wilkinsona wilkinsona mentioned this pull request Jul 14, 2019
Closed
@wilkinsona wilkinsona changed the title Avoid Tomcat crashes when requests containing certain (unencoded) characters. Provide configuration properties for configuring Tomcat's relaxed path and query chars Jul 14, 2019
@philwebb
Copy link
Member

I wonder if we should consider enabling both of these my default? @markt-asf would there be any significant downsides? Did you consider changing the Tomcat defaults ever?

@philwebb philwebb added the for: team-attention An issue we'd like other members of the team to review label Jul 14, 2019
@vpavic
Copy link
Contributor

vpavic commented Jul 14, 2019

+1 for exposing these as configuration properties, but I wouldn't like to see Spring Boot configure non spec compliant behavior by default.

@markt-asf
Copy link

Tomcat tightened up parsing to address security issues (request injection and such). There are some characters that are probably safe but my strong preference is that Tomcat is spec compliant by default.

@dirkdeyne
Copy link
Contributor Author

only " < > [ \ ] ^ ` { | } characters are allowed by tomcat, others are ignored

ref doc

The HTTP/1.1 specification requires that certain characters are %nn encoded when used in URI query strings. Unfortunately, many user agents including all the major browsers are not compliant with this specification and use these characters in unencoded form. To prevent Tomcat rejecting such requests, this attribute may be used to specify the additional characters to allow. If not specified, no additional characters will be allowed. The value may be any combination of the following characters: " < > [ \ ] ^ ` { | } . Any other characters present in the value will be ignored.

@philwebb
Copy link
Member

Thanks for the input everyone. We're going to add the properties but keep the defaults as they are.

@philwebb philwebb added type: enhancement A general enhancement and removed for: team-attention An issue we'd like other members of the team to review status: waiting-for-triage An issue we've not yet triaged labels Jul 17, 2019
@philwebb philwebb added this to the 2.2.x milestone Jul 17, 2019
@snicoll snicoll self-assigned this Jul 18, 2019
@snicoll snicoll modified the milestones: 2.2.x, 2.2.0.M5 Jul 18, 2019
snicoll pushed a commit that referenced this pull request Jul 18, 2019
@dirkdeyne @snicoll
Add support for configuring Tomcat's relaxed path and query chars
1fee797 
See gh-17510
snicoll added a commit that referenced this pull request Jul 18, 2019
@snicoll
Polish "Add support for configuring Tomcat's relaxed path and query c…
dd2f20f 
…hars"

See gh-17510
@snicoll snicoll closed this in 572a436 Jul 18, 2019
@snicoll
Copy link
Member

snicoll commented Jul 18, 2019

@dirkdeyne thank you for making your first contribution to Spring Boot. I've polished your proposal by using a list of characters rather than the raw string that Tomcat uses. This is also a chance for us to provide dedicated metadata for valid values,

image

@qrqhuang
Copy link

qrqhuang commented May 21, 2020
edited
Loading

How can i configured this properties with yml.

server:
  tomcat:
    relaxed-query-chars: []

If i do like this, [] will be translate as array mark.

So I have to with

    relaxed-query-chars:
      - '['
      - ']'

or

relaxed-query-chars: ['[', ']']

@philwebb
Copy link
Member

@qrqhuang You can also do the following:

server:
  tomcat:
    relaxed-query-chars: "[,]"

@et00448
Copy link

et00448 commented Jun 18, 2020

Hello, this new tomcat relaxed-query-chars works perfectly with spring boot 2.2.5
I have no more http 400 error produce by coyotte TOMCAT connector.
Nevertheless, I m facing an URLmalformedException in ServletHttpHandlerAdapter while receiving non ULencode "|" charcater.
How can I bypass this exception in ServletHttpHandlerAdapter "Failed to get request URL: Illegal character in query at index ..."
Thank's

@wilkinsona
Copy link
Member

@et00448 ServletHttpHandlerAdapter is part of Spring Framework. I don't believe it provides a mechanism for dealing with characters that are illegal in a URI. If you think that's something that should be possible, please raise it with the Spring Framework team.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@snicoll snicoll

Labels
type: enhancement A general enhancement
Projects
None yet
Milestone
2.2.0.M5
Development

Successfully merging this pull request may close these issues.

Tomcat crashes when requests containing certain (unencoded) characters.
9 participants
@dirkdeyne @philwebb @vpavic @markt-asf @snicoll @qrqhuang @et00448 @wilkinsona @spring-projects-issues