HttpUrl.Builder.addQueryParameter is not escaping curly braces which causes Tomcat 8 to reject request

OkHttp does not properly escape URL query parameters that contain curly braces.

Tomcat 7.0.73+, 8.0.39+, and 8.5.7+ will reject these requests with the following error:

Mar 20, 2017 2:47:59 PM org.apache.coyote.http11.Http11Processor service
INFO: Error parsing HTTP request header
 Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.
java.lang.IllegalArgumentException: Invalid character found in the request target. The valid characters are defined in RFC 7230 and RFC 3986
        at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:471)
        at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:667)
        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:798)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1434)
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:745)

These are the characters that Tomcat will now reject as part of the URI request line (see org.apache.tomcat.util.http.parser.HttpParser):

            if (IS_CONTROL[i] || i > 127 ||
                    i == ' ' || i == '\"' || i == '#' || i == '<' || i == '>' || i == '\\' ||
                    i == '^' || i == '`'  || i == '{' || i == '|' || i == '}') {
                IS_NOT_REQUEST_TARGET[i] = true;  // reject the character!
            }

To solve the issue, the characters included in HttpUrl.QUERY_COMPONENT_ENCODE_SET may need to be changed. Here is the current definition:

static final String QUERY_COMPONENT_ENCODE_SET = " \"'<>#&=";

These

Issue Analytics

  • State: closed
  • Created 7 years ago
  • Comments: 21 (11 by maintainers)
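
The mismatch described in the issue can be computed directly from the two character sets it quotes. This is an added example, not code from OkHttp or Tomcat; the class and method names, the simplified percent-encoder, the `/search?q=` path and the sample value are assumptions for illustration.

```java
import java.nio.charset.StandardCharsets;

public class RequestTargetCheck {
    // Encode set quoted in the issue for HttpUrl.QUERY_COMPONENT_ENCODE_SET.
    static final String PAGE_ENCODE_SET = " \"'<>#&=";
    // Printable ASCII characters named in the quoted HttpParser condition.
    static final String TOMCAT_REJECTED = " \"#<>\\^`{|}";

    // Mirrors the quoted condition: control, non-ASCII, or a listed character.
    static boolean tomcatRejects(char c) {
        return c < 0x20 || c >= 0x7f || TOMCAT_REJECTED.indexOf(c) >= 0;
    }

    // Characters the server rejects that the given encode set leaves unescaped.
    static String gap(String encodeSet) {
        StringBuilder sb = new StringBuilder();
        for (char c : TOMCAT_REJECTED.toCharArray())
            if (encodeSet.indexOf(c) < 0) sb.append(c);
        return sb.toString();
    }

    // Simplified encoder (assumption, not OkHttp's code): escapes '%', non-printable bytes, encodeSet.
    static String encode(String value, String encodeSet) {
        StringBuilder sb = new StringBuilder();
        for (byte b : value.getBytes(StandardCharsets.UTF_8)) {
            int u = b & 0xff;
            boolean esc = u < 0x20 || u >= 0x7f || u == '%' || encodeSet.indexOf(u) >= 0;
            sb.append(esc ? String.format("%%%02X", u) : String.valueOf((char) u));
        }
        return sb.toString();
    }

    // Index of the first character the parser would refuse, or -1 if none.
    static int firstRejected(String target) {
        for (int i = 0; i < target.length(); i++) {
            if (tomcatRejects(target.charAt(i))) return i;
        }
        return -1;
    }

    public static void main(String[] args) {
        String value = "{\"id\":1|2}"; // constructed sample parameter value
        String before = "/search?q=" + encode(value, PAGE_ENCODE_SET);
        String after = "/search?q=" + encode(value, PAGE_ENCODE_SET + gap(PAGE_ENCODE_SET));
        System.out.println("rejected but not escaped: " + gap(PAGE_ENCODE_SET));
        System.out.println(before + " -> " + firstRejected(before));
        System.out.println(after + " -> " + firstRejected(after));
    }
}
```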

Top GitHub Comments

1 reaction
arakelian commented, Mar 21, 2017

Thanks for the link. I hadn’t seen that yet.

I wouldn’t say that they ‘fixed it’, as the issue that I experienced would continue to occur unless the System property tomcat.util.http.parser.HttpParser.requestTargetAllow is set.

Not that HttpClient’s URLBuilder is the gold-standard (or I wouldn’t be using OkHttp3), but I’d respectfully suggest that modifying HttpUrl builder to escape {, }, and | would be a good thing to do 😃

0 reactions
arakelian commented, Feb 21, 2018

@swankjesse Thank you for the changes.
