11:15 a.m.
I just had a user who updated to the latest version of my Undertow-powered
server report an error when his query string contained unencoded pipe
characters. (error at the bottom) This didn't happen in older versions but
appears to be a valid check. In this case, my user has no control over the
URL that's being sent to his site as it comes from a Microsoft Office365
app that opens a popup window to one of his URLs for authentication. It
looks like this:
https://127.0.0.1:1443/index.cfm/login:main/index?_host_Info=outlook|web|...
I have a feeling this is "working as designed" but is there a way to relax
the validation here as he has no control over this URL and it is a hard
stop for him?
[DEBUG] io.undertow.request.io: UT005014: Failed to parse request
io.undertow.util.BadRequestException: UT000165: Invalid character | in
request-target
at
io.undertow.server.protocol.http.HttpRequestParser.handleQueryParameters(HttpRequestParser.java:523)
at
io.undertow.server.protocol.http.HttpRequestParser.beginQueryParameters(HttpRequestParser.java:486)
at
io.undertow.server.protocol.http.HttpRequestParser.handlePath(HttpRequestParser.java:410)
at
io.undertow.server.protocol.http.HttpRequestParser.handle(HttpRequestParser.java:248)
at
io.undertow.server.protocol.http.HttpReadListener.handleEventWithNoRunningRequest(HttpReadListener.java:187)
at
io.undertow.server.protocol.http.HttpReadListener.handleEvent(HttpReadListener.java:136)
at
io.undertow.server.protocol.http.HttpOpenListener.handleEvent(HttpOpenListener.java:151)
at
io.undertow.server.protocol.http.HttpOpenListener.handleEvent(HttpOpenListener.java:92)
at
io.undertow.server.protocol.http.HttpOpenListener.handleEvent(HttpOpenListener.java:51)
at
org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
at
org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:291)
at
org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:286)
at
org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
at
org.xnio.nio.QueuedNioTcpServer$1.run(QueuedNioTcpServer.java:129)
at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:582)
at org.xnio.nio.WorkerThread.run(WorkerThread.java:466)
Thanks!
~Brad
*Developer Advocate*
*Ortus Solutions, Corp *
E-mail: brad(a)coldbox.org
ColdBox Platform: http://www.coldbox.org
Blog: http://www.codersrevolution.com
6:23 p.m.
The io.undertow.UndertowOptions#ALLOW_UNESCAPED_CHARACTERS_IN_URL option
allows you to control this.
Stuart
On Fri, Jul 13, 2018 at 2:23 AM Brad Wood <bdw429s(a)gmail.com> wrote:
I just had a user who updated to the latest version of my
Undertow-powered
server report an error when his query string contained unencoded pipe
characters. (error at the bottom) This didn't happen in older versions but
appears to be a valid check. In this case, my user has no control over the
URL that's being sent to his site as it comes from a Microsoft Office365
app that opens a popup window to one of his URLs for authentication. It
looks like this:
https://127.0.0.1:1443/index.cfm/login:main/index?_host_Info=outlook|web|...
I have a feeling this is "working as designed" but is there a way to relax
the validation here as he has no control over this URL and it is a hard
stop for him?
[DEBUG] io.undertow.request.io: UT005014: Failed to parse request
io.undertow.util.BadRequestException: UT000165: Invalid character | in
request-target
at
io.undertow.server.protocol.http.HttpRequestParser.handleQueryParameters(HttpRequestParser.java:523)
at
io.undertow.server.protocol.http.HttpRequestParser.beginQueryParameters(HttpRequestParser.java:486)
at
io.undertow.server.protocol.http.HttpRequestParser.handlePath(HttpRequestParser.java:410)
at
io.undertow.server.protocol.http.HttpRequestParser.handle(HttpRequestParser.java:248)
at
io.undertow.server.protocol.http.HttpReadListener.handleEventWithNoRunningRequest(HttpReadListener.java:187)
at
io.undertow.server.protocol.http.HttpReadListener.handleEvent(HttpReadListener.java:136)
at
io.undertow.server.protocol.http.HttpOpenListener.handleEvent(HttpOpenListener.java:151)
at
io.undertow.server.protocol.http.HttpOpenListener.handleEvent(HttpOpenListener.java:92)
at
io.undertow.server.protocol.http.HttpOpenListener.handleEvent(HttpOpenListener.java:51)
at
org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
at
org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:291)
at
org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:286)
at
org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
at
org.xnio.nio.QueuedNioTcpServer$1.run(QueuedNioTcpServer.java:129)
at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:582)
at org.xnio.nio.WorkerThread.run(WorkerThread.java:466)
Thanks!
~Brad
*Developer Advocate*
*Ortus Solutions, Corp *
E-mail: brad(a)coldbox.org
ColdBox Platform: http://www.coldbox.org
Blog: http://www.codersrevolution.com
_______________________________________________
undertow-dev mailing list
undertow-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/undertow-dev
7:07 p.m.
Cool, thanks. I actually found that online after posting but for the life
of me couldn't figure out how to reply to my own topic on the mailing list
since you don't get Emailed for your own post and the web site doesn't seem
to have posting capabilities.
On a related note, hjave you considered switching to Google Groups or
something? The JBoss lists are seriously outdated. Like in an
embarrassing way :)
Thanks!
~Brad
*Developer Advocate*
*Ortus Solutions, Corp *
E-mail: brad(a)coldbox.org
ColdBox Platform: http://www.coldbox.org
Blog: http://www.codersrevolution.com
On Thu, Jul 12, 2018 at 6:24 PM Stuart Douglas <sdouglas(a)redhat.com> wrote:
The io.undertow.UndertowOptions#ALLOW_UNESCAPED_CHARACTERS_IN_URL
option
allows you to control this.
Stuart
On Fri, Jul 13, 2018 at 2:23 AM Brad Wood <bdw429s(a)gmail.com> wrote:
> I just had a user who updated to the latest version of my
> Undertow-powered server report an error when his query string contained
> unencoded pipe characters. (error at the bottom) This didn't happen in
> older versions but appears to be a valid check. In this case, my user has
> no control over the URL that's being sent to his site as it comes from a
> Microsoft Office365 app that opens a popup window to one of his URLs for
> authentication. It looks like this:
>
>
>
https://127.0.0.1:1443/index.cfm/login:main/index?_host_Info=outlook|web|...
>
> I have a feeling this is "working as designed" but is there a way to
> relax the validation here as he has no control over this URL and it is a
> hard stop for him?
>
> [DEBUG] io.undertow.request.io: UT005014: Failed to parse request
> io.undertow.util.BadRequestException: UT000165: Invalid character | in
> request-target
> at
>
io.undertow.server.protocol.http.HttpRequestParser.handleQueryParameters(HttpRequestParser.java:523)
> at
>
io.undertow.server.protocol.http.HttpRequestParser.beginQueryParameters(HttpRequestParser.java:486)
> at
>
io.undertow.server.protocol.http.HttpRequestParser.handlePath(HttpRequestParser.java:410)
> at
>
io.undertow.server.protocol.http.HttpRequestParser.handle(HttpRequestParser.java:248)
> at
>
io.undertow.server.protocol.http.HttpReadListener.handleEventWithNoRunningRequest(HttpReadListener.java:187)
> at
>
io.undertow.server.protocol.http.HttpReadListener.handleEvent(HttpReadListener.java:136)
> at
>
io.undertow.server.protocol.http.HttpOpenListener.handleEvent(HttpOpenListener.java:151)
> at
>
io.undertow.server.protocol.http.HttpOpenListener.handleEvent(HttpOpenListener.java:92)
> at
>
io.undertow.server.protocol.http.HttpOpenListener.handleEvent(HttpOpenListener.java:51)
> at
> org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
> at
> org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:291)
> at
> org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:286)
> at
> org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
> at
> org.xnio.nio.QueuedNioTcpServer$1.run(QueuedNioTcpServer.java:129)
> at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:582)
> at org.xnio.nio.WorkerThread.run(WorkerThread.java:466)
>
> Thanks!
>
> ~Brad
>
> *Developer Advocate*
> *Ortus Solutions, Corp *
>
> E-mail: brad(a)coldbox.org
> ColdBox Platform: http://www.coldbox.org
> Blog: http://www.codersrevolution.com
>
> _______________________________________________
> undertow-dev mailing list
> undertow-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/undertow-dev
2359
days inactive
2360
days old
2 comments
2 participants
participants (2)
-
Brad Wood -
Stuart Douglas