Can Tomcat 9 strip invalid characters from a URL?

Question  Votes: 0  Answers: 2

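I've noticed that if a user deliberately enters invalid URL characters in the URL, such as "[" or "]", Tomcat throws an exception. I'm using JSP, but the page code is never reached, so there is no chance to sanitize or encode the parameters. Can Tomcat automatically encode or strip invalid characters in the URL?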

Example:  https://someserver.com?identNum=1234567[foobar]

HTTP Status 400 – Bad Request

Type Exception Report

Message Invalid character found in the request target. The valid characters are defined in RFC 7230 and RFC 3986

Description The server cannot or will not process the request due to something that is perceived to be a client error (e.g., malformed request syntax, invalid request message framing, or deceptive request routing).

Exception

java.lang.IllegalArgumentException: Invalid character found in the request target. The valid characters are defined in RFC 7230 and RFC 3986
    org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:467)
    org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:294)
    org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
    org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:834)
    org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1417)
    org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    java.base/java.lang.Thread.run(Thread.java:834)

Note The full stack trace of the root cause is available in the server logs.
url tomcat9 invalid-characters
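2 Answers
1
votes

Sorry, no. Invalid requests will be rejected.

You can choose to allow these invalid characters, but that is not recommended because it does not comply with the specification.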


0
votes

For Spring 1.x, you can change the Tomcat configuration like this:

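import org.springframework.boot.context.embedded.EmbeddedServletContainerCustomizer;
import org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class TomcatConfig {

    @Bean
    public EmbeddedServletContainerCustomizer containerCustomizer() {
        return container -> {
            if (container instanceof TomcatEmbeddedServletContainerFactory) {
                TomcatEmbeddedServletContainerFactory tomcatFactory = (TomcatEmbeddedServletContainerFactory) container;
                tomcatFactory.addConnectorCustomizers(connector -> {
                    // Characters Tomcat should accept unencoded in the query string and path
                    String allowedChars = "<>[]^`{}|";
                    connector.setProperty("relaxedQueryChars", allowedChars);
                    connector.setProperty("relaxedPathChars", allowedChars);
                });
            }
        };
    }
}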

As a result, the special characters will be ignored.
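
An added example, not taken from either answer: a JDK-only check of a query string against the RFC 3986 query grammar that the 400 message cites, reporting which characters fall outside it and what the percent-encoded form looks like. The class and method names are hypothetical, and the logic follows the RFC grammar rather than Tomcat's parser source.

```java
import java.nio.charset.StandardCharsets;

// Added illustration; class and method names are hypothetical, not Tomcat APIs.
public class QueryCharCheck {
    // RFC 3986: query = *( pchar / "/" / "?" )
    //           pchar = unreserved / pct-encoded / sub-delims / ":" / "@"
    private static final String ALLOWED_PUNCT = "-._~" + "!$&'()*+,;=" + ":@/?";
    private static final String HEX = "0123456789ABCDEFabcdef";

    static boolean isAllowedInQuery(int cp) {
        boolean alnum = (cp >= 'A' && cp <= 'Z') || (cp >= 'a' && cp <= 'z') || (cp >= '0' && cp <= '9');
        return alnum || (cp < 128 && ALLOWED_PUNCT.indexOf(cp) >= 0);
    }

    // True when position i starts a well-formed escape such as %5B.
    static boolean isEscapeAt(String s, int i) {
        return s.charAt(i) == '%' && i + 2 < s.length()
                && HEX.indexOf(s.charAt(i + 1)) >= 0 && HEX.indexOf(s.charAt(i + 2)) >= 0;
    }

    // Characters the grammar does not permit, in order of appearance.
    static String invalidChars(String query) {
        StringBuilder bad = new StringBuilder();
        for (int i = 0; i < query.length(); i += Character.charCount(query.codePointAt(i))) {
            int cp = query.codePointAt(i);
            if (!isAllowedInQuery(cp) && !isEscapeAt(query, i)) bad.appendCodePoint(cp);
        }
        return bad.toString();
    }

    // Same query with every disallowed character percent-encoded as UTF-8.
    static String encodeInvalid(String query) {
        StringBuilder out = new StringBuilder();
        for (int i = 0; i < query.length(); i += Character.charCount(query.codePointAt(i))) {
            int cp = query.codePointAt(i);
            if (isAllowedInQuery(cp) || isEscapeAt(query, i)) { out.appendCodePoint(cp); continue; }
            for (byte b : new String(Character.toChars(cp)).getBytes(StandardCharsets.UTF_8))
                out.append(String.format("%%%02X", b & 0xFF));
        }
        return out.toString();
    }

    public static void main(String[] args) {
        String query = "identNum=1234567[foobar]"; // query part of the question's example URL
        System.out.println("outside RFC 3986 query set: " + invalidChars(query));
        System.out.println("percent-encoded form:       " + encodeInvalid(query));
    }
}
```

The servlet container decodes %5B and %5D back to brackets before request.getParameter returns, so the JSP still has to validate identNum itself.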
