I am using CentOS 7 and Tomcat 7.0.69 with Java 1.8.0.

The URIEncoding is turned on, but when entering a URL with characters like åäö, Tomcat gives an error and the URL is not encoded to %xx format:

INFO: Error parsing HTTP request header
 Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.
java.lang.IllegalArgumentException: Invalid character found in the request target. The valid characters are defined in RFC 7230 and RFC 3986
    at org.apache.coyote.http11.InternalInputBuffer.parseRequestLine(InternalInputBuffer.java:189)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:992)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)

Config file server.xml contains this connector:

<Connector address="xxx.xxx.xxx.xxx" port="8090" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" URIEncoding="UTF-8" />
user4845680
  • Please look into the following link https://stackoverflow.com/questions/1547899/which-characters-make-a-url-invalid/13500078#13500078 – KayV May 24 '17 at 10:18
  • It turns out that Internet Explorer which we have used for testing does not support this feature with strict security settings. – user4845680 May 24 '17 at 10:39
  • Internet Explorer (including Edge) violates all kinds of rules when it comes to encoding. It makes running servers very difficult. You have two choices: tell your users to stop using MSIE/Edge until they become compliant, or reduce the security of your site by accepting sloppily-encoded data in HTTP request. Yes, your security is in fact lowered because there are a number of attack vectors available when encoding isn't strictly-enforced (which is why Tomcat and other vendors are tightening-up their strictness). – Christopher Schultz May 24 '17 at 14:44
  • Do you know which character is being rejected? Did you look at the RFCs to see whether or not you need to encode your non-ASCII character, and how? – Christopher Schultz May 24 '17 at 14:45

0 Answers
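To find which character in a request target is being rejected, as the last comment asks, here is an added diagnostic example (not code from this thread or from Tomcat). It checks a target against the characters RFC 3986 allows in a path and query and shows the UTF-8 percent-encoded form a compliant client would send. The names `findInvalid` and `toWireForm` and the sample URL are made up for illustration, and the allowed set is taken from the RFC, so Tomcat's own check may differ in detail.

```javascript
// Added example, not Tomcat's code. Characters RFC 3986 permits in an
// origin-form request-target (path and query): unreserved, sub-delims,
// ":", "@", "/", "?" and "%" when it starts a valid escape.
const ALLOWED = /^[A-Za-z0-9\-._~!$&'()*+,;=:@\/?]$/;
const HEX2 = /^[0-9A-Fa-f]{2}$/;

// UTF-8 percent-encoding of one character, e.g. "å" -> "%C3%A5".
function pctEncode(ch) {
  return Array.from(new TextEncoder().encode(ch))
    .map((b) => "%" + b.toString(16).toUpperCase().padStart(2, "0"))
    .join("");
}

// List each character a strict parser would reject, with its position
// and the form a compliant client should have sent instead.
function findInvalid(target) {
  const problems = [];
  let index = 0;
  for (const ch of target) { // iterates by code point, not UTF-16 unit
    if (ch === "%") {
      // A "%" is only valid when two hex digits follow it.
      if (!HEX2.test(target.slice(index + 1, index + 3))) {
        problems.push({ index, char: ch, expected: "%25" });
      }
    } else if (!ALLOWED.test(ch)) {
      problems.push({ index, char: ch, expected: pctEncode(ch) });
    }
    index += ch.length;
  }
  return problems;
}

// Rebuild the target as it should appear on the wire.
function toWireForm(target) {
  let out = "";
  let last = 0;
  for (const p of findInvalid(target)) {
    out += target.slice(last, p.index) + p.expected;
    last = p.index + p.char.length;
  }
  return out + target.slice(last);
}

// Constructed sample: a raw, unencoded target like the one in the question.
const sample = "/sök?q=åäö&pct=100%";
console.log(findInvalid(sample));
console.log(toWireForm(sample));
```

Use it on a captured request line or in a client-side test to confirm what the browser actually sends; it is a diagnostic, not a reason to make the server accept raw non-ASCII targets.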