How to Allow ^ character in URLs for tomcat 8.5
I have a request URL of below format
http://hostname:port/path¶m1={"vars":[{"a":"val1","b":"^"},{"c":"val2","d":"^"}]}¶m2=Value3|95|3%20-%206%20Months
I changed catalina.properties as per this stackoverflow question .
But as per tomcat documentation tomcat.util.http.parser.HttpParser.requestTargetAllow property is deprecated and relaxedPathChars and relaxedQueryChars attributes are to be used with Connector tag instead.
However, when i change the xml file to below
<Connector connectionTimeout="20000" port="8080" protocol="HTTP/1.1" redirectPort="8443" relaxedQueryChars="^" relaxedPathChars="^"/>
I still get a 400 bad request for the character ^
I am not sure if this is the correct configuration.
Answer
Ideally you should always URL-encode your query parameters before sending your request to the server. Read: https://www.talisman.org/~erlkonig/misc/lunatech%5Ewhat-every-webdev-must-know-about-url-encoding/
If you want to go down the relaxedQueryChars route, note that the following chars from your query are also in the set that you ought to add to the exception:
" { } [ ] ^ |
Try this in your server.xml:
<Connector connectionTimeout="20000" port="8080" protocol="HTTP/1.1" redirectPort="8443" relaxedQueryChars='^{}[]|"' />
More insight into relaxedQueryChars/relaxedPathChars on the bug ticket 62273. The change was added to all branches of Tomat:
- 9.0.8
- 8.5.31
- 8.0.52
- 7.0.87
I don't think you need the relaxedPathChars attribute at all (this refers to characters on the URL path). However, the Tomcat team's test results seem to suggest that the following could be used for maximum backward-compatibility:
relaxedPathChars='[]|'
relaxedQueryChars='[]|{}^\`"<>' />
nb/ the first arg to your query should be demarcated by ? not &
http://hostname:port/path?param1=...¶m2=...¶m3=...