Essay: Apache Tomcat returns 400 when the URL contains special characters such as |

The environment information comes first; the discussion that follows is based on it.

Using CATALINA_BASE:   /home/tomcat/tomcat
Using CATALINA_HOME:   /home/tomcat/tomcat
Using CATALINA_TMPDIR: /home/tomcat/tomcat/temp
Using JRE_HOME:        /usr/local/java/jdk1.8.0_111
Using CLASSPATH:       /home/tomcat/tomcat/bin/bootstrap.jar:/home/tomcat/tomcat/bin/tomcat-juli.jar
Server version: Apache Tomcat/8.5.9
Server built:   Dec 5 2016 20:18:12 UTC
Server number:  8.5.9.0
OS Name:        Linux
OS Version:     3.10.0-327.el7.x86_64
Architecture:   amd64
JVM Version:    1.8.0_111-b14
JVM Vendor:     Oracle Corporation

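If the browser does not escape |, Tomcat returns a 400 error. This problem appears on newer versions such as 8.0.37+ and 8.5.8+. The official explanation is that | is now also blocked as a security risk, so it counts as a major change. For now the only ways to solve it are to downgrade to an earlier version, or to have the application add an escaping step automatically.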

2017-02-12 00:18:04 [WARN]-[Thread: Thread-14]-[com.jfinal.core.ActionHandler.handle()]:404 Action Not Found: /author/duzhi?tab=................windowswin.ini
12-Feb-2017 00:18:11.202 INFO [Thread-14] org.apache.coyote.http11.Http11Processor.service Error parsing HTTP request header
 Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.
 java.lang.IllegalArgumentException: Invalid character found in the request target. The valid characters are defined in RFC 7230 and RFC 3986
        at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:467)
        at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:667)
        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:789)
        at org.apache.tomcat.util.net.Nio2Endpoint$SocketProcessor.doRun(Nio2Endpoint.java:1694)
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
        at org.apache.tomcat.util.net.AbstractEndpoint.processSocket(AbstractEndpoint.java:905)
        at org.apache.tomcat.util.net.Nio2Endpoint$Nio2SocketWrapper$4.completed(Nio2Endpoint.java:623)
        at org.apache.tomcat.util.net.Nio2Endpoint$Nio2SocketWrapper$4.completed(Nio2Endpoint.java:601)
        at sun.nio.ch.Invoker.invokeUnchecked(Invoker.java:126)
        at sun.nio.ch.Invoker$2.run(Invoker.java:218)
        at sun.nio.ch.AsynchronousChannelGroupImpl$1.run(AsynchronousChannelGroupImpl.java:112)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)

See the explanation in the official git commit:

https://github.com/apache/tomcat80/commit/779d5d34e68e50d2f721897050b147106992f566

Now let's look at the solution, hehe:

In two words: simple, escape:

>>encodeURI("http://www.duzhi.me?msg=name|id|")
>>http://www.duzhi.me?msg=name%7Cid%7C

Or:

>> encodeURIComponent("msg=name|id|")
>>  msg%3Dname%7Cid%7C

Request data:

user-agent-------Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
cf-ipcountry-------CN
x-forwarded-for-------58.211.2.78
cf-ray-------32f936c144b443a7-SZV
x-forwarded-proto-------http
cf-visitor-------{"scheme":"http"}
accept-------*/*
accept-language-------zh-CN,zh;q=0.8,en;q=0.6
cf-connecting-ip-------49.65.70.179
qvia-------3ad3024e1eee7e618a6dfe8ce7eb78736e815602
x-tencent-ua-------Qcloud
x-daa-tunnel-------hop_count=1
request params:
msg=name|id|-------
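
The escaping fix above as an added JavaScript example (not code from the original post or from Tomcat): it flags characters that RFC 3986 does not allow unescaped in a query string, and builds the query by encoding each name and value separately, because encodeURIComponent over a whole "msg=..." pair also turns "=" into "%3D". The function names are hypothetical, and the allowed set follows the RFC 3986 query grammar rather than Tomcat's own parser code.

```javascript
// Added example. Function names are hypothetical; the allowed set is the
// RFC 3986 query grammar (unreserved / sub-delims / ":" / "@" / "/" / "?"),
// used here as an approximation of what a strict server accepts.
const ALLOWED = /[A-Za-z0-9\-._~!$&'()*+,;=:@\/?]/;
const PCT = /^%[0-9A-Fa-f]{2}/;

// Return the distinct characters in a raw query string that must be
// percent-encoded before the request is sent.
function invalidQueryChars(query) {
  const bad = [];
  for (let i = 0; i < query.length; i++) {
    // A well-formed %XX escape is valid; skip all three characters.
    if (PCT.test(query.slice(i, i + 3))) {
      i += 2;
      continue;
    }
    const ch = query[i];
    if (!ALLOWED.test(ch) && !bad.includes(ch)) bad.push(ch);
  }
  return bad;
}

// Encode each name and value on its own so "=" and "&" stay delimiters.
function buildQuery(params) {
  return Object.entries(params)
    .map(([k, v]) => encodeURIComponent(k) + "=" + encodeURIComponent(v))
    .join("&");
}

// Append the encoded query to a base URL that has no query yet.
function buildUrl(base, params) {
  return base + "?" + buildQuery(params);
}

// Constructed sample input, taken from the URL used in the post.
const raw = "msg=name|id|";
console.log(invalidQueryChars(raw));
console.log(buildUrl("http://www.duzhi.me", { msg: "name|id|" }));
console.log(invalidQueryChars(buildQuery({ msg: "name|id|" })));
```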

 

Attached is a post about safe characters; read through it carefully and you will know basically everything: stackoverflow

Unless otherwise noted, all articles on this site are original work by duzhi. When reposting, please credit the source: https://www.duzhi.me/article/1061.html
