JBoss EAP 6.4.21 returns "400 Bad Request"
JBoss EAP 6.4.21 returns a "400 Bad Request" response when sending unescaped characters (raw characters like | ) in the query string and path parameters of the request.
The setup below has been tried in <system-properties> in the domain.
<property name="-Dorg.apache.catalina.connector.URI_ENCODING" value="UTF-8"/>
<property name="-Dorg.apache.catalina.connector.USE_BODY_ENCODING_FOR_QUERY_STRING" value="true"/>
According to your JBoss version and the RedHat Official Site:
The fix for CVE-2016-6816 enforces rules more strictly when handling invalid characters in HTTP requests.
As a result any clients making requests containing any of the following ASCII characters will receive a 400:
- Control characters (values 0x01 to 0x1f, and 0x7f)
- 8-bit ASCII values (values > 0x7f)
- Any of the following characters: ' ' (space character), '"' (double quote), '#' (hash or pound), '<' (less than), '>' (greater than), '\' (back slash), '^' (circumflex), '`' (backquote), '{' (left squiggly bracket or brace), '|' (vertical bar), '}' (right squiggly bracket or brace)
For your JBoss version you have to add this line in your startup script standalone.sh:
JAVA_OPTS="$JAVA_OPTS -Dtomcat.util.http.parser.HttpParser.requestTargetAllow='{|}'"
Take in mind that if you upgrade to EAP 7.1.1+, this solution won't work. Instead add this line to the standalone.conf file:
JAVA_OPTS="$JAVA_OPTS -Dorg.wildfly.undertow.ALLOW_UNESCAPED_CHARACTERS_IN_URL=true"
I hope this can help you.
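As an added example (not part of the question or the answer above), a small Python check that models the request-target rules quoted from the CVE-2016-6816 hardening and percent-encodes only the characters the parser would reject. Fixing the client this way keeps the server-side restriction in place rather than relaxing it with the system properties shown; the sample targets are constructed.

```python
from urllib.parse import quote

# Printable characters the answer lists as rejected with a 400
# (control characters and bytes > 0x7f are handled separately below).
REJECTED_PRINTABLE = set(' "#<>\\^`{|}')


def is_rejected(ch: str) -> bool:
    """True if a single character would be rejected by the hardened parser."""
    code = ord(ch)
    return (
        0x01 <= code <= 0x1F or code == 0x7F   # control characters
        or code > 0x7F                          # 8-bit / non-ASCII values
        or ch in REJECTED_PRINTABLE
    )


def offending_chars(target: str) -> list[str]:
    """Distinct characters in a raw request target (path + query) that would
    trigger the 400, in order of first appearance. Empty list means the
    target is acceptable as-is."""
    seen: list[str] = []
    for ch in target:
        if is_rejected(ch) and ch not in seen:
            seen.append(ch)
    return seen


def escape_target(target: str) -> str:
    """Percent-encode only the rejected characters so the request passes the
    parser, leaving '/', '?', '=', '&' and existing %XX escapes untouched.
    Non-ASCII characters are encoded as their UTF-8 bytes."""
    return ''.join(quote(ch, safe='') if is_rejected(ch) else ch for ch in target)


if __name__ == '__main__':
    # Constructed sample targets resembling the ones the question describes.
    for raw in ('/app/search?q=a|b', '/app/item/{id}?x=1', '/app/ok?x=1&y=2'):
        print(raw, '->', offending_chars(raw), '->', escape_target(raw))
```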