17

I try to send a request like http://site.com/abc%2Fabc and it doesn't work (status 400 is returned). As I understand it, Tomcat doesn't accept encoded path separators for security reasons, but I don't know how to enable this encoding. (I have found only the AllowEncodedSlashes option for Apache HTTP Server.) Can you help me?

UPDATE

I fixed this problem using a tiny hack: before rendering, replace all '/' characters with '|', and afterwards convert these characters back to '/'.

pushistic
  • 1
    I had the same problem but I could not find this question on SO because I did not realize the problem was related to the encoded slash. I saw a 400 status error with Tomcat 7 with an empty response body / no response, so that was what I looked for on Google. I hope adding this comment with keywords may help people with the same problem find this question :) – magnum87 Jul 18 '16 at 14:01

4 Answers

25

There is a Tomcat option to allow encoded path separators.

Set the CATALINA_OPTS env var to

-Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true

This will allow encoded slashes.

Justin Emery
  • 4
    Just a note, this feature is disabled by default because it is a security risk: see http://www.tomcatexpert.com/blog/2011/11/02/best-practices-securing-apache-tomcat-7 and http://en.wikipedia.org/wiki/Directory_traversal_attack – mlathe Mar 05 '14 at 17:19
  • 3
    Note that to fix forward slashes you need org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH. Such a shame Tomcat decided to break HTTP, rather than fix the underlying security problem (%2F and %5C are perfectly valid in URLs) – dan carter Apr 24 '15 at 04:18
  • 1
    Note also that Tomcat will convert an encoded backslash in a path into a forward slash – dan carter Apr 28 '15 at 02:15
  • Hi, please where can I modify these parameters? THANKS – Aziz Nov 23 '16 at 19:24
  • @JohnnySparow In general the method for setting environment variables will depend on your platform, but the [answer by user2335780](http://stackoverflow.com/a/16579783/174979) should work across platforms in this specific case. – Justin Emery Nov 24 '16 at 16:50
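Added example (not part of the original answers and not Tomcat's own code): once ALLOW_ENCODED_SLASH is enabled, the application has to keep %2F from changing the path structure, which is the directory traversal risk raised in the comments above. The code assumes the application reads the still-encoded path (for example from HttpServletRequest.getRequestURI()); the class name, method names and sample paths are constructed for illustration.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

public class EncodedSlashSegments {

    /** Split the raw (still percent-encoded) path on literal '/', then decode each segment once. */
    static List<String> decodeSegments(String rawPath) {
        List<String> out = new ArrayList<>();
        for (String raw : rawPath.split("/")) {
            if (raw.isEmpty()) continue;
            // URLDecoder does form decoding and would turn '+' into a space; protect it first.
            // Malformed %-sequences make decode() throw IllegalArgumentException.
            String seg = URLDecoder.decode(raw.replace("+", "%2B"), StandardCharsets.UTF_8);
            // Dot segments hidden behind encoding (%2E%2E) and NUL bytes are never legitimate.
            if (seg.equals(".") || seg.equals("..") || seg.indexOf('\0') >= 0) {
                throw new IllegalArgumentException("rejected segment: " + raw);
            }
            out.add(seg);
        }
        return out;
    }

    /** True only if a decoded segment may be used as a single file or directory name. */
    static boolean usableAsFileName(String seg) {
        return !seg.contains("/") && !seg.contains("\\") && !seg.contains("..");
    }

    public static void main(String[] args) {
        // Constructed sample paths, not taken from the question.
        String[] samples = {"/files/abc%2Fabc", "/files/..%2Fconfig", "/files/%2E%2E/secret"};
        for (String s : samples) {
            try {
                List<String> segs = decodeSegments(s);
                String last = segs.get(segs.size() - 1);
                System.out.println(s + " -> " + segs + " usableAsFileName=" + usableAsFileName(last));
            } catch (IllegalArgumentException e) {
                System.out.println(s + " -> " + e.getMessage());
            }
        }
    }
}
```

A value such as abc%2Fabc stays one segment ("abc/abc") and is fine as a lookup key or database parameter, but it should only reach the filesystem if usableAsFileName accepts it.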
7

We can also add the entry "org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true" to catalina.properties to allow encoded slashes in the URL.


And to allow backslashes you have to set different properties. Refer to this URL for the different configuration.

user2335780
1

To make this work for me, I edited $CATALINA_HOME\conf\server.xml

Old Value: <Connector ... protocol="HTTP/1.1"... />

New Value: <Connector ... protocol="HTTP/1.1"... relaxedQueryChars='\ { } |' />

I am using Tomcat 7.0.88

Latif
0

Have you tried putting URIEncoding="UTF-8" in your <Connector in the server.xml?

mindas
  • 2
    Yes. I put URIEncoding="UTF-8" in server.xml. It fails only with %2F; for example, %3A (":") works. – pushistic Mar 15 '12 at 12:31