18

I have a request URL in the format below:

http://hostname:port/path&param1={"vars":[{"a":"val1","b":"^"},{"c":"val2","d":"^"}]}&param2=Value3|95|3%20-%206%20Months

I changed catalina.properties as per this Stack Overflow question.

But as per the Tomcat documentation, the tomcat.util.http.parser.HttpParser.requestTargetAllow property is deprecated, and the relaxedPathChars and relaxedQueryChars attributes are to be used with the Connector tag instead.

However, when I change the XML file to the below:

 <Connector connectionTimeout="20000" port="8080" protocol="HTTP/1.1" redirectPort="8443" relaxedQueryChars="^" relaxedPathChars="^"/>

I still get a 400 Bad Request for the character ^.

I am not sure if this is the correct configuration.

Sachin Kumar

2 Answers

44

Ideally you should always URL-encode your query parameters before sending your request to the server. Read: https://www.talisman.org/~erlkonig/misc/lunatech%5Ewhat-every-webdev-must-know-about-url-encoding/

If you want to go down the relaxedQueryChars route, note that the following chars from your query are also in the set that you ought to add to the exception: " { } [ ] ^ |

Try this in your server.xml:

<Connector connectionTimeout="20000" port="8080" protocol="HTTP/1.1" redirectPort="8443" relaxedQueryChars='^{}[]|&quot;' />

More insight into relaxedQueryChars/relaxedPathChars on the bug ticket 62273. The change was added to all branches of Tomcat:

  • 9.0.8
  • 8.5.31
  • 8.0.52
  • 7.0.87

I don't think you need the relaxedPathChars attribute at all (this refers to characters on the URL path). However, the Tomcat team's test results seem to suggest that the following could be used for maximum backward-compatibility:

relaxedPathChars='[]|' relaxedQueryChars='[]|{}^&#x5c;&#x60;&quot;&lt;&gt;'

NB: the first arg to your query should be demarcated by ? not &

http://hostname:port/path?param1=...&param2=...&param3=...

BillRobertson42
Ed Randall
  • 2
    Thanks for the answer. I had figured it out though that the relaxedQueryChars is supported in tomcat 8.5.31 in 8.5.x line. – Sachin Kumar May 17 '18 at 04:57
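The URL-encoding route recommended in the answer above, as an added JavaScript example that is not part of the original post or of Tomcat: it lists which characters in the question's query fall in the set the answers name for relaxedQueryChars, then builds the same request with percent-encoded values so the connector needs no relaxation. The function names and the hostname:8080 base URL are assumptions made for illustration.

```javascript
// Characters the answers on this page list for relaxedQueryChars; sent
// unencoded in a query string, they trigger the 400 from the question.
const REJECTED_IN_QUERY = new Set('[]|{}^\\`"<>');

// Return the distinct characters in a string that would need either
// percent-encoding or a relaxedQueryChars exception on the connector.
function findRejectedChars(text) {
  return [...new Set([...text].filter((ch) => REJECTED_IN_QUERY.has(ch)))];
}

// Build a URL whose parameter names and values are percent-encoded.
// `params` maps names to decoded (plain-text) values.
function buildEncodedUrl(base, params) {
  const query = Object.entries(params)
    .map(([name, value]) => `${encodeURIComponent(name)}=${encodeURIComponent(value)}`)
    .join('&');
  return `${base}?${query}`; // first parameter is introduced by ?, not &
}

// Query string exactly as it appears in the question (spaces already %20).
const rawQuery =
  'param1={"vars":[{"a":"val1","b":"^"},{"c":"val2","d":"^"}]}' +
  '&param2=Value3|95|3%20-%206%20Months';

// The same two parameters as decoded values (constructed sample data).
const param1 = JSON.stringify({ vars: [{ a: 'val1', b: '^' }, { c: 'val2', d: '^' }] });
const param2 = 'Value3|95|3 - 6 Months';

// Assumed base URL; the question only gives hostname:port placeholders.
const encodedUrl = buildEncodedUrl('http://hostname:8080/path', { param1, param2 });

console.log('unencoded chars needing attention:', findRejectedChars(rawQuery).join(' '));
console.log('encoded request URL:', encodedUrl);
console.log('left over after encoding:', findRejectedChars(encodedUrl).length);

// The server-side view: decoding recovers the original values unchanged.
const received = new URL(encodedUrl).searchParams;
console.log('param1 round-trips:', received.get('param1') === param1);
console.log('param2 round-trips:', received.get('param2') === param2);
```

With the values encoded this way, the default Connector configuration accepts the request and the application still receives the original JSON and pipe-delimited strings after decoding.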
6

It is required to use unicode instead of the literal < or > characters. Here is the actual relaxedQueryChars value I have in server.xml:

relaxedQueryChars="&#x5B;&#x5D;&#x7C;&#x7B;&#x7D;&#x5E;&#x5C;&#x60;&#x22;&#x3C;&#x3E;"
&#x5B; -> [
&#x5D; -> ]
&#x7C; -> |
&#x7B; -> {
&#x7D; -> }
&#x5E; -> ^
&#x5C; -> \
&#x60; -> `
&#x22; -> "
&#x3C; -> <
&#x3E; -> >
Tomer Shetah
Jaspal Singh
  • this will work only if the server.xml is being edited by hand. Any attempt to read & write this file will corrupt the file. – user3911119 Jun 29 '21 at 10:39