Make Tomcat's Context attributes relaxedPathChars and relaxedQueryChars configurable in application.properties
Fixes gh-17509
Comment From: philwebb
I wonder if we should consider enabling both of these by default? @markt-asf would there be any significant downsides? Did you consider changing the Tomcat defaults ever?
Comment From: vpavic
+1 for exposing these as configuration properties, but I wouldn't like to see Spring Boot configure non-spec-compliant behavior by default.
Comment From: markt-asf
Tomcat tightened up parsing to address security issues (request injection and such). There are some characters that are probably safe but my strong preference is that Tomcat is spec compliant by default.
Comment From: dirkdeyne
Only " < > [ \ ] ^ ` { | } characters are allowed by Tomcat; others are ignored.
Ref doc:
> The HTTP/1.1 specification requires that certain characters are %nn encoded when used in URI query strings. Unfortunately, many user agents including all the major browsers are not compliant with this specification and use these characters in unencoded form. To prevent Tomcat rejecting such requests, this attribute may be used to specify the additional characters to allow. If not specified, no additional characters will be allowed. The value may be any combination of the following characters: " < > [ \ ] ^ ` { | }. Any other characters present in the value will be ignored.
Comment From: philwebb
Thanks for the input everyone. We're going to add the properties but keep the defaults as they are.
Comment From: snicoll
@dirkdeyne thank you for making your first contribution to Spring Boot. I've polished your proposal by using a list of characters rather than the raw string that Tomcat uses. This is also a chance for us to provide dedicated metadata for valid values.
Comment From: qrqhuang
How can I configure these properties with yml?
```yaml
server:
  tomcat:
    relaxed-query-chars: []
```
If I do it like this, `[]` will be translated as an array marker.
So I have to go with
```yaml
relaxed-query-chars:
- '['
- ']'
```
or
```yaml
relaxed-query-chars: ['[', ']']
```
Comment From: philwebb
@qrqhuang You can also do the following:
```yaml
server:
  tomcat:
    relaxed-query-chars: "[,]"
```
Comment From: et00448
Hello, this new Tomcat relaxed-query-chars works perfectly with Spring Boot 2.2.5. I have no more HTTP 400 errors produced by the Coyote Tomcat connector. Nevertheless, I'm facing a URLmalformedException in ServletHttpHandlerAdapter while receiving a non-URL-encoded "|" character. How can I bypass this exception in ServletHttpHandlerAdapter: "Failed to get request URL: Illegal character in query at index ..."? Thanks
Comment From: wilkinsona
@et00448 ServletHttpHandlerAdapter is part of Spring Framework. I don't believe it provides a mechanism for dealing with characters that are illegal in a URI. If you think that's something that should be possible, please raise it with the Spring Framework team.
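An added example (not part of the thread and not Spring Boot or Tomcat code): a small Python check that normalises the value forms discussed above, reports which configured characters Tomcat would ignore according to the quoted documentation, and lists the raw characters in a query string that are still not relaxed. The function names and sample query are constructed, and splitting the string form on commas is an assumption based on the `"[,]"` example.

```python
# The eleven characters the quoted Tomcat documentation accepts in relaxedQueryChars.
RELAXABLE = frozenset('"<>[\\]^`{|}')


def parse_relaxed(value):
    """Normalise a relaxed-query-chars value to a list of single characters.

    Accepts a sequence (the YAML list form) or a comma-delimited string such
    as "[,]". Splitting on commas is an assumption taken from the thread.
    """
    items = value if isinstance(value, (list, tuple)) else str(value).split(",")
    chars = []
    for item in items:
        item = str(item).strip()
        if not item:
            continue  # empty value, e.g. YAML `[]` parsed as an empty sequence
        if len(item) != 1:
            raise ValueError(f"not a single character: {item!r}")
        chars.append(item)
    return chars


def audit(value):
    """Split a configured value into honoured, ignored and still-strict characters."""
    configured = set(parse_relaxed(value))
    return {
        "effective": sorted(configured & RELAXABLE),      # Tomcat will allow these
        "ignored": sorted(configured - RELAXABLE),        # silently dropped
        "still_strict": sorted(RELAXABLE - configured),   # must stay %nn encoded
    }


def unrelaxed_chars(query, value):
    """Return (index, char) for raw relaxable characters in `query` not covered by `value`."""
    allowed = set(audit(value)["effective"])
    return [(i, c) for i, c in enumerate(query) if c in RELAXABLE and c not in allowed]


if __name__ == "__main__":
    sample_query = "ids[]=1|2"  # constructed sample input
    for cfg in ([], "[,]", ["[", "]", "|", "#"]):
        print(repr(cfg), audit(cfg)["effective"], audit(cfg)["ignored"],
              unrelaxed_chars(sample_query, cfg))
```

The check covers only the eleven characters named in the quoted documentation and only the query string; it makes no statement about any other character.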