2 Replies Latest reply on Feb 11, 2019 3:48 PM by Greg Jewell

    JBOSS 6.4.20 validates special characters like {}| and throws 400 bad request error

    Shrey Mathuria Newbie

      I already had a handled scenario in my application for URL tampering where I use a custom filter with regex pattern that request query strings with special characters like {}| etc and if there are any, than it returns a customized message of "Invalid Parameters" which was shown on the screen.

      This was working fine till we were using JBOSS 6.4.10 but after upgrading it to JBOSS 6.4.20, it is not even hitting the filter, somewhere JBOSS 6.4.20 has blacklisted those characters and throws 400 bad request error instead of executing filters.

      I found the reason for this behavior of Jboss from this thread "where to define ALLOW_UNESCAPED_CHARACTERS_IN_URL property to allow characters like {|}`^\><#" in URLs " and also applied its solution i.e. -Dtomcat.util.http.parser.HttpParser.requestTargetAllow='{|}`^\><#"' , but it did not worked here. My server was not even getting up after adding this command in .batch file or in as system property in standalone.xml

      Please provide few solutions or workarounds for this.

      PS - I wont be able to downgrade or upgrade Jboss version.