Tomcat not allowing backslash in URLs in 9.0.7

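I saw this patch in which Tomcat added an option in 9.0.8 to allow \ in URLs. We have some PDFs that launch to pages such as https://mrbusche.com/?FilePath=\manuals\Commerciallines\eManual\az.pdf and Tomcat 9.0.7 is currently blocking the URL because of the specifications RFC 7230 and RFC 3986.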

Exception

Type Exception Report

Message Invalid character found in the request target. 
The valid characters are defined in RFC 7230 and RFC 3986

Description The server cannot or will not process the request due to something
that is perceived to be a client error (e.g., malformed request syntax
, invalid request message framing, or deceptive request routing).

Exception

java.lang.IllegalArgumentException: Invalid character found in the request target. 
The valid characters are defined in RFC 7230 and RFC 3986

Is this simply not possible on Tomcat 9.0.7?

Here is my Tomcat connector:
<Connector
    port="4005"
    connectionTimeout="20000"
    maxHttpHeaderSize="8192"
    minSpareThreads="25"
    enableLookups="false"
    disableUploadTimeout="true"
    acceptCount="100"
    scheme="https"
    secure="true"
    URIEncoding="UTF-8"
    protocol="org.apache.coyote.http11.Http11Nio2Protocol"
    maxThreads="150"
    relaxedQueryChars="\"
    SSLEnabled="true" >
</Connector>

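Assuming issue 62273 that you mentioned addresses exactly your problem and you need it resolved, you will have to upgrade to Apache Tomcat 9.0.8.

The Apache Tomcat 9 changelog states that this was patched in 9.0.8 and later. Hope this helps.

Edit: This was also stated by @MarkThomas in a text comment on the bug discussion, and in my opinion it is so glorious that I want to quote it here in full: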

Adding extra code to Tomcat to account for specification non-compliance of other components is the wrong solution. The right solution is to open bugs against the non-compliant components. Unfortunately, in this case, those other components are all the major browser vendors and they do not accept that their behaviour is incorrect. I have yet to see a convincing argument as to why the browsers should not implement RFC 7230 and RFC 3986.

Working around the specification non-compliant browser behaviour just encourages vendors to continue to ignore specifications and leads to greater interoperability issues in the long term. However, the alternative is to break lots of applications for lots of users. Therefore, it is with regret that I have implemented this enhancement for all currently supported Tomcat versions.

Fixed in:

  • trunk for 9.0.8 onwards
  • 8.5.x for 8.5.31 onwards
  • 8.0.x for 8.0.52 onwards
  • 7.0.x for 7.0.87 onwards
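
Added example, not part of the original question or answer and not Tomcat's own code: a check of a link's query string against the RFC 3986 query grammar, plus a link builder that percent-encodes the value so the request target is valid without relaxing the connector. The function names invalidQueryChars and buildLink are hypothetical, and the check follows the RFC grammar rather than Tomcat's parser.

```javascript
// RFC 3986: query = *( pchar / "/" / "?" )
// pchar = unreserved / pct-encoded / sub-delims / ":" / "@"
const QUERY_ALLOWED = /^[A-Za-z0-9\-._~!$&'()*+,;=:@\/?]$/;
const HEX = /^[0-9A-Fa-f]$/;

// Return the distinct characters in the URL's query that may not appear raw.
function invalidQueryChars(url) {
  const start = url.indexOf("?");
  if (start === -1) return [];
  const hash = url.indexOf("#", start);
  const query = url.slice(start + 1, hash === -1 ? undefined : hash);
  const chars = Array.from(query); // iterate by code point
  const bad = new Set();
  for (let i = 0; i < chars.length; i++) {
    const ch = chars[i];
    if (ch === "%") {
      // "%" is only valid as the start of a %XX triplet
      if (HEX.test(chars[i + 1] || "") && HEX.test(chars[i + 2] || "")) {
        i += 2;
      } else {
        bad.add(ch);
      }
    } else if (!QUERY_ALLOWED.test(ch)) {
      bad.add(ch);
    }
  }
  return [...bad];
}

// Build a link whose parameter names and values are percent-encoded.
function buildLink(base, params) {
  const qs = Object.entries(params)
    .map(([k, v]) => encodeURIComponent(k) + "=" + encodeURIComponent(v))
    .join("&");
  return base + "?" + qs;
}

// The URL from the question: the raw backslash is the rejected character.
const raw = "https://mrbusche.com/?FilePath=\\manuals\\Commerciallines\\eManual\\az.pdf";
console.log(invalidQueryChars(raw));

// Same parameter value, encoded where the link is generated.
const fixed = buildLink("https://mrbusche.com/", {
  FilePath: "\\manuals\\Commerciallines\\eManual\\az.pdf",
});
console.log(fixed, invalidQueryChars(fixed));
```

The servlet container decodes %5C back to \ when the parameter is read, so the application sees the same FilePath value.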