1 2 3 Previous Next 33 Replies Latest reply on Jan 29, 2014 9:04 AM by pirabug

More lenient HTTP parameter processing

hd0815 Jul 11, 2012 3:58 AM

Hello,

I have the following problem:

I'm sending an invalid request to a Servlet and while processing the request parameters the AS aborts with the following exception:

java.lang.IllegalStateException: Parameters processing failed.

at org.apache.tomcat.util.http.Parameters.processParameters(Parameters.java:407) [jbossweb-7.0.13.Final.jar:]

at org.apache.tomcat.util.http.Parameters.processParameters(Parameters.java:229) [jbossweb-7.0.13.Final.jar:]

at org.apache.catalina.connector.Request.parseParameters(Request.java:2874) [jbossweb-7.0.13.Final.jar:]

at org.apache.catalina.connector.Request.getParameterNames(Request.java:1333) [jbossweb-7.0.13.Final.jar:]

at org.apache.catalina.connector.RequestFacade.getParameterNames(RequestFacade.java:379) [jbossweb-7.0.13.Final.jar:]

at foo.bar.MyServlet.doPost(MyServlet.java:80) [classes:]

at javax.servlet.http.HttpServlet.service(HttpServlet.java:754) [jboss-servlet-api_3.0_spec-1.0.0.Final.jar:1.0.0.Final]

at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.0.Final.jar:1.0.0.Final]

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:329) [jbossweb-7.0.13.Final.jar:]

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) [jbossweb-7.0.13.Final.jar:]

at org.jboss.weld.servlet.ConversationPropagationFilter.doFilter(ConversationPropagationFilter.java:62) [weld-core-1.1.5.AS71.Final.jar:2012-02-10 15:31]

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:280) [jbossweb-7.0.13.Final.jar:]

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) [jbossweb-7.0.13.Final.jar:]

at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:275) [jbossweb-7.0.13.Final.jar:]

at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:161) [jbossweb-7.0.13.Final.jar:]

at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]

at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:]

at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:]

at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:]

at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:]

at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:]

at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:]

at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.13.Final.jar:]

at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_27]

My request looks like this:

http://mysite.com/myApp?paramA=A&paramB=B&=&=&paramC=C

This only happens when using JBoss 7.1.1.Final with InternetExplorer (only checked with v9.0 of IE).

I'm not quite sure why a wrong request is sent, but I found out that sending the same request to a JBoss 7.0.2.Final doesn't cause this exception.

I started a discussion at the JBoss AS 7 board (https://community.jboss.org/message/747210).

At this discussion a work around is mentioned. Also Vaibhav N mentioned that he faces this problem in JBoss-EAP-6.0.0.

jaikiran pai told me to try asking for a configuration or parameter which allows a more lenient way of processing the HTTP parameters. A request as mentioned above shouldn't force an HTTP 500 (if the exception isn't caught) since a parameter like '&=' is not considered to be harmful. It should be possible to just ignore such parameters rather than throwing an exception.

As I already said in the other discussion:

I know that this request is wrong and I know that the application acts right, but I think in this special case an error handling is possible as it should be possible (maybe via configuration) to ignore such parameters.

1. Re: More lenient HTTP parameter processing

vaibhavnaik Jul 12, 2012 3:03 AM (in response to hd0815)

Yes. I am also facing same issue.

My application throws an exception for IE browser only with "JBoss-as-7.1.1.Final" & "JBoss-eap-6.0.0(Evaluation version)", but it is working correctly for Firefox browser.
It works fine with "jboss-as-7.1.0.Final" in IE too. Is this an any regression in "JBoss-as-7.1.1"? As jaikiran pai told it's not a JBoss bug but I have created a bug just to track this issue(AS7-5143).
https://issues.jboss.org/browse/AS7-5143

thanks.
Actions
2. Re: More lenient HTTP parameter processing

jfclere Jul 12, 2012 3:07 AM (in response to hd0815)

The parser has been changed to fix AS7-3898. According to http://tools.ietf.org/html/rfc3986#section-3.4 the query string looks legal even it doesn't make sense.
Actions
3. Re: More lenient HTTP parameter processing

hd0815 Jul 12, 2012 3:31 AM (in response to jfclere)

The link doesn't work (at least for me), one should better take this one: http://datatracker.ietf.org/doc/rfc3986/?include_text=1 and navigate to 3.4

Does this mean that there is a chance to get this fixed?

As already mentioned this query is generated by IE. The same page with the same form and the same data in another browser sends a different query...
Actions
4. Re: More lenient HTTP parameter processing

jfclere Jul 13, 2012 7:18 AM (in response to hd0815)

that looks fixable please open a JIRA for it.
Actions
5. Re: More lenient HTTP parameter processing

hd0815 Jul 13, 2012 7:24 AM (in response to jfclere)

Isn't https://issues.jboss.org/browse/AS7-5143 enough or is it because it's in the wrong JIRA project?
I'm willing to file this but only if there is a need to create a new JIRA.
Actions
6. Re: More lenient HTTP parameter processing

jfclere Jul 13, 2012 7:37 AM (in response to hd0815)

then reopen AS7-5143 as it can be considered as a regression.
Actions
7. Re: More lenient HTTP parameter processing

jaikiran Jul 13, 2012 7:46 AM (in response to hd0815)

hd0815 wrote:

Isn't https://issues.jboss.org/browse/AS7-5143 enough or is it because it's in the wrong JIRA project?
I'm willing to file this but only if there is a need to create a new JIRA.
I've updated that JIRA to set the correct component and also add the forum discussion reference
Actions
8. Re: More lenient HTTP parameter processing

jfclere Jul 13, 2012 7:49 AM (in response to jaikiran)

Oops I would like to reopen AS7-3898 in fact or at least link it.
Actions
9. Re: More lenient HTTP parameter processing

davekago21 Jul 26, 2012 9:20 AM (in response to hd0815)

Not really a jboss issue but an app issue. Had the same problem and was happening only on IE9 (don't know about older IE version but I would presume same result). So question is, should jboss have a configuration to make the parameter processing more lenient or should IE intercept the parameters and strip out invalid parameters before transmitting the request. That is up for discussion.

Here is what our cause was:

The form in question had jquery validator attached to it. The jquery validator has a submitHandler that swallowed the form submit action and in turn issued a form.submit() command after successful validation. The problem was that our submit input element had no name attached to it, so jquery - or IE for that matter was adding an invalid &={value_of_submit} to the form parameters and then firing the submit command.

We went ahead and added a name attribute to the submit button ("hint: refrain from using name="submit" because this will cause the validation to pass but form will not be submitted because form.submit() will inadvertently find the element by name submit and try to perform an invalid action") and this solved the problem. If you do not have jquery validator, check for any client side JavaScript attached to the form or any action attached to the submit command, or better yet, just add the name parameter to all your input elements and you should be fine.

If your have legacy code and do not have resources to go through the code and make this simple change, then you can apply a patch and change how jboss handles the parameters but that is not a solution - it is just a work around.

Thanks
David
1 of 1 people found this helpful
Actions
10. Re: More lenient HTTP parameter processing

hd0815 Jul 27, 2012 2:52 AM (in response to davekago21)

We also found out, that this caused the problems. We changed the name attribute of some fields via JavaScript and IE created those wrong request queries afterwards. Giving those elements some dummy names (instead of leaving them empty) made it possible for us to send the request without getting this exception.
Actions
11. Re: More lenient HTTP parameter processing

albertsese Sep 4, 2012 4:14 AM (in response to davekago21)

David Kago wrote:

Not really a jboss issue but an app issue. Had the same problem and was happening only on IE9 (don't know about older IE version but I would presume same result). So question is, should jboss have a configuration to make the parameter processing more lenient or should IE intercept the parameters and strip out invalid parameters before transmitting the request. That is up for discussion.

Here is what our cause was:

The form in question had jquery validator attached to it. The jquery validator has a submitHandler that swallowed the form submit action and in turn issued a form.submit() command after successful validation. The problem was that our submit input element had no name attached to it, so jquery - or IE for that matter was adding an invalid &={value_of_submit} to the form parameters and then firing the submit command.

We went ahead and added a name attribute to the submit button ("hint: refrain from using name="submit" because this will cause the validation to pass but form will not be submitted because form.submit() will inadvertently find the element by name submit and try to perform an invalid action") and this solved the problem. If you do not have jquery validator, check for any client side JavaScript attached to the form or any action attached to the submit command, or better yet, just add the name parameter to all your input elements and you should be fine.

If your have legacy code and do not have resources to go through the code and make this simple change, then you can apply a patch and change how jboss handles the parameters but that is not a solution - it is just a work around.

Thanks
David
I tried this out (adding name to submit button), but it didn't work. Can anyone tell me how to do that "patch jboss-web.jar" thing?
Actions
12. Re: More lenient HTTP parameter processing

hd0815 Sep 5, 2012 2:52 AM (in response to albertsese)
Did you also try out what I wrote? Setting the name attribute of a JavaScript field to '' caused the same problem. The following code will cause this too:

document.forms[0].myField.name = '';

To patch the jboss-web.jar, do the following:
Check out jbossweb from anonsvn: http://anonsvn.jboss.org/repos/jbossweb/trunk
Navigate to src/main/java/org/apache/tomcat/util/http
Modify Parameters.java
Compile the project (with Maven or Ant)
Overwrite the .class-File in the jboss-web.jar of your JBoss (under $JBOSS_HOME/modules/org/jboss/as/web/main)
Restart your JBoss
Actions
13. Re: More lenient HTTP parameter processing

albertsese Sep 5, 2012 3:07 AM (in response to hd0815)

I would've, but my form has a lot of fields... I guess I can just get all and iterate... But I'll try your steps first. Thank you very much!
Actions
14. Re: More lenient HTTP parameter processing

albertsese Sep 5, 2012 3:37 AM (in response to hd0815)

I got a few errors, mostly missing jar files since they're all referenced from somewhere (\home\remm...)

I'm already downloading Java 7 since this is the requirement...
Actions

1 2 3 Previous Next

Go to original post