Issue
I see that in this patch Tomcat added an option to 9.0.8 to allow \ in the URL. We have some PDFs that launch to a page such as https://mrbusche.com/?FilePath=\manuals\Commerciallines\eManual\az.pdf
Tomcat 9.0.7 is currently blocking the URL due to spec RFC 7230 and RFC 3986.
Exception
Type Exception Report
Message Invalid character found in the request target. The valid characters are defined in RFC 7230 and RFC 3986
Description The server cannot or will not process the request due to something that is perceived to be a client error (e.g., malformed request syntax, invalid request message framing, or deceptive request routing).
Exception
java.lang.IllegalArgumentException: Invalid character found in the request target. The valid characters are defined in RFC 7230 and RFC 3986
Is this simply not possible on Tomcat 9.0.7?
Here's my connector for Tomcat
<Connector
    port="4005"
    connectionTimeout="20000"
    maxHttpHeaderSize="8192"
    minSpareThreads="25"
    enableLookups="false"
    disableUploadTimeout="true"
    acceptCount="100"
    scheme="https"
    secure="true"
    URIEncoding="UTF-8"
    protocol="org.apache.coyote.http11.Http11Nio2Protocol"
    maxThreads="150"
    relaxedQueryChars="\"
    SSLEnabled="true" >
</Connector>
Solution
Assuming issue 62273 mentioned by you precisely addresses your problem and is required to solve it, you'll have to upgrade to Apache Tomcat 9.0.8.
The Apache Tomcat 9 changelog states this is patched on version 9.0.8 onwards. Hope that helps.
Edit: This is also stated by @MarkThomas in a text comment on the bug discussion which in my opinion is such an honorable one that I'd like to fully cite it here:
Adding extra code to Tomcat to account for specification non-compliance of other components is the wrong solution. The right solution is to open bugs against the non-compliant components. Unfortunately, in this case, those other components are all the major browser vendors and they do not accept that their behaviour is incorrect. I have yet to see a convincing argument as to why the browsers should not implement RFC 7230 and RFC 3986.
Working around the specification non-compliant browser behaviour just encourages vendors to continue to ignore specifications and leads to greater interoperability issues in the long term. However, the alternative is to break lots of applications for lots of users. Therefore, it is with regret that I have implemented this enhancement for all currently supported Tomcat versions.
Fixed in:
- trunk for 9.0.8 onwards
- 8.5.x for 8.5.31 onwards
- 8.0.x for 8.0.52 onwards
- 7.0.x for 7.0.87 onwards
Answered By - Selaron
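An added example, not part of the original question or answer and not Tomcat's code: a check of a query string against the RFC 3986 `query` grammar that the error message cites. It lists the characters that would need percent-encoding (or an entry in `relaxedQueryChars`) and produces the encoded form. The function names are hypothetical, and the sample query is the one from the URL in the question.

```python
import string

# RFC 3986 section 3.4: query = *( pchar / "/" / "?" )
# pchar = unreserved / pct-encoded / sub-delims / ":" / "@"
UNRESERVED = set(string.ascii_letters + string.digits + "-._~")
SUB_DELIMS = set("!$&'()*+,;=")
QUERY_LITERALS = UNRESERVED | SUB_DELIMS | set(":@/?")
HEXDIG = set(string.hexdigits)

# Query part of the URL quoted in the question.
SAMPLE_QUERY = r"FilePath=\manuals\Commerciallines\eManual\az.pdf"


def _tokens(query):
    """Yield (text, is_valid) pieces: a %XX triplet or a single character."""
    i = 0
    while i < len(query):
        triplet = query[i:i + 3]
        if len(triplet) == 3 and triplet[0] == "%" and set(triplet[1:]) <= HEXDIG:
            yield triplet, True          # already percent-encoded
            i += 3
        else:
            # A stray "%" is not in QUERY_LITERALS, so it is reported too.
            yield query[i], query[i] in QUERY_LITERALS
            i += 1


def invalid_query_chars(query):
    """Distinct characters RFC 3986 does not allow unencoded, in order seen."""
    seen = []
    for text, ok in _tokens(query):
        if not ok and text not in seen:
            seen.append(text)
    return seen


def encode_query(query):
    """Percent-encode only the disallowed characters; keep valid ones as-is."""
    return "".join(
        text if ok else "".join(f"%{b:02X}" for b in text.encode("utf-8"))
        for text, ok in _tokens(query)
    )


if __name__ == "__main__":
    print("needs encoding:", invalid_query_chars(SAMPLE_QUERY))
    print("compliant form:", encode_query(SAMPLE_QUERY))
```

Links generated with the encoded form are accepted without relaxing the connector, and `relaxedQueryChars` can then stay limited to characters that some client really sends unencoded.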