[undertow-dev] [1.4.23.Final] Invalid character | in request-target

Brad Wood bdw429s at gmail.com
Thu Jul 12 12:15:38 EDT 2018


I just had a user who updated to the latest version of my Undertow-powered
server report an error when his query string contained unencoded pipe
characters.  (error at the bottom) This didn't happen in older versions but
appears to be a valid check.  In this case, my user has no control over the
URL that's being sent to his site as it comes from a Microsoft Office365
app that opens a popup window to one of his URLs for authentication.  It
looks like this:

https://127.0.0.1:1443/index.cfm/login:main/index?_host_Info=outlook|web|16.01|en-us|89b212f8-4618-9ca2-bcf7-f1e8cb0969be|isDialog

I have a feeling this is "working as designed" but is there a way to relax
the validation here as he has no control over this URL and it is a hard
stop for him?

[DEBUG] io.undertow.request.io: UT005014: Failed to parse request
io.undertow.util.BadRequestException: UT000165: Invalid character | in request-target
        at io.undertow.server.protocol.http.HttpRequestParser.handleQueryParameters(HttpRequestParser.java:523)
        at io.undertow.server.protocol.http.HttpRequestParser.beginQueryParameters(HttpRequestParser.java:486)
        at io.undertow.server.protocol.http.HttpRequestParser.handlePath(HttpRequestParser.java:410)
        at io.undertow.server.protocol.http.HttpRequestParser.handle(HttpRequestParser.java:248)
        at io.undertow.server.protocol.http.HttpReadListener.handleEventWithNoRunningRequest(HttpReadListener.java:187)
        at io.undertow.server.protocol.http.HttpReadListener.handleEvent(HttpReadListener.java:136)
        at io.undertow.server.protocol.http.HttpOpenListener.handleEvent(HttpOpenListener.java:151)
        at io.undertow.server.protocol.http.HttpOpenListener.handleEvent(HttpOpenListener.java:92)
        at io.undertow.server.protocol.http.HttpOpenListener.handleEvent(HttpOpenListener.java:51)
        at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
        at org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:291)
        at org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:286)
        at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
        at org.xnio.nio.QueuedNioTcpServer$1.run(QueuedNioTcpServer.java:129)
        at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:582)
        at org.xnio.nio.WorkerThread.run(WorkerThread.java:466)

Thanks!

~Brad

*Developer Advocate*
*Ortus Solutions, Corp *

E-mail: brad at coldbox.org
ColdBox Platform: http://www.coldbox.org
Blog: http://www.codersrevolution.com
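
Added example, not part of the original message and not Undertow's code: a Python check of the request-target quoted above against the RFC 3986 query grammar, showing which characters fall outside it and how a client or a fronting proxy could percent-encode only those before the request reaches a strict parser. The function names are hypothetical, and using the RFC grammar rather than Undertow's own character table is an assumption.

```python
import re
import string

# RFC 3986 section 3.4: query = *( pchar / "/" / "?" )
# pchar = unreserved / pct-encoded / sub-delims / ":" / "@"
UNRESERVED = string.ascii_letters + string.digits + "-._~"
SUB_DELIMS = "!$&'()*+,;="
QUERY_ALLOWED = frozenset(UNRESERVED + SUB_DELIMS + ":@/?")
PCT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")

# Path and query taken from the URL in the message above.
TARGET = ("/index.cfm/login:main/index?_host_Info=outlook|web|16.01|en-us|"
          "89b212f8-4618-9ca2-bcf7-f1e8cb0969be|isDialog")


def scan_query(query):
    """Yield (index, token, ok); a well-formed %XX escape is one token."""
    i = 0
    while i < len(query):
        m = PCT_ESCAPE.match(query, i)
        tok = m.group() if m else query[i]
        yield i, tok, bool(m) or tok in QUERY_ALLOWED
        i += len(tok)


def invalid_query_chars(target):
    """Return (offset_in_target, char) for each query char outside the grammar."""
    path, sep, query = target.partition("?")
    base = len(path) + 1  # offset of the first query character
    return [(base + i, tok) for i, tok, ok in scan_query(query) if not ok]


def encode_query(target):
    """Percent-encode only disallowed query chars; keep existing escapes."""
    path, sep, query = target.partition("?")
    if not sep:
        return target
    parts = []
    for _, tok, ok in scan_query(query):
        if ok:
            parts.append(tok)
        else:
            # Covers a stray "%" and non-ASCII input as well as "|".
            parts.append("".join("%%%02X" % b for b in tok.encode("utf-8")))
    return path + "?" + "".join(parts)


if __name__ == "__main__":
    for offset, ch in invalid_query_chars(TARGET):
        print("offset %d: %r is not allowed unencoded in a query" % (offset, ch))
    print(encode_query(TARGET))
```

Existing `%XX` escapes are left alone, so running the encoder over an already-encoded target does not double-encode it.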