2 Replies Latest reply on Feb 11, 2019 3:48 PM by jewellgm

    JBOSS 6.4.20 validates special characters like {}| and throws 400 bad request error

    shreymath9999

      I already had a handled scenario in my application for URL tampering where I use a custom filter with a regex pattern that checks request query strings for special characters like {}| etc., and if there are any, then it returns a customized message of "Invalid Parameters" which was shown on the screen.

      This was working fine while we were using JBOSS 6.4.10, but after upgrading to JBOSS 6.4.20, it is not even hitting the filter; somewhere JBOSS 6.4.20 has blacklisted those characters and throws a 400 bad request error instead of executing filters.

      I found the reason for this behavior of Jboss from this thread "where to define ALLOW_UNESCAPED_CHARACTERS_IN_URL property to allow characters like {|}`^\><#" in URLs" and also applied its solution, i.e. -Dtomcat.util.http.parser.HttpParser.requestTargetAllow='{|}`^\><#"' , but it did not work here. My server was not even getting up after adding this command in the .batch file or as a system property in standalone.xml.

      Please provide a few solutions or workarounds for this.

      PS - I won't be able to downgrade or upgrade the Jboss version.