JBoss EAP 6.4.21 returns "400 Bad Request"


JBoss EAP 6.4.21 returns a "400 Bad Request" response when sending unescaped characters (raw characters like |) in the query string and path parameters of the request.

The setup below has been tried in <system-properties> in the domain configuration.

<property name="-Dorg.apache.catalina.connector.URI_ENCODING" value="UTF-8"/>
<property name="-Dorg.apache.catalina.connector.USE_BODY_ENCODING_FOR_QUERY_STRING" value="true"/>

There is 1 answer below


According to your JBoss version and the Red Hat official site:

The fix for CVE-2016-6816 enforces rules more strictly when handling invalid characters in HTTP requests.

As a result any clients making requests containing any of the following ASCII characters will receive a 400:

  1. Control characters (values 0x01 to 0x1f, and 0x7f)
  2. 8-bit ASCII values (values > 0x7f)
  3. Any of the following characters: ' ' (space), '"' (double quote), '#' (hash or pound), '<' (less than), '>' (greater than), '\' (backslash), '^' (circumflex), '`' (backquote), '{' (left curly brace), '|' (vertical bar), '}' (right curly brace)

In summary:

For your JBoss version you have to add this line to your startup script standalone.sh:

# Allow '{', '|' and '}' in the request target; the value is a bare list of characters,
# so no extra quotes inside the double-quoted string (they would be passed to the JVM literally)
JAVA_OPTS="$JAVA_OPTS -Dtomcat.util.http.parser.HttpParser.requestTargetAllow={|}"

Keep in mind that if you upgrade to EAP 7.1.1+, this solution won't work. Instead, add this line to the standalone.conf file:

JAVA_OPTS="$JAVA_OPTS -Dorg.wildfly.undertow.ALLOW_UNESCAPED_CHARACTERS_IN_URL=true"

I hope this can help you.
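As an added example, not part of the question or the answer above, the following Python helper encodes the rejection rule the answer quotes from the CVE-2016-6816 fix and shows the client-side alternative: percent-encoding the request target so it never contains a forbidden character in the first place. The `allow` parameter mimics the `requestTargetAllow` system property (only `{`, `|` and `}` can be exempted; anything else in that property is ignored). The function names and the sample URLs are constructed for this example.

```python
from urllib.parse import quote

# Printable ASCII characters that the stricter request-line parser rejects
# (the list given in the answer above).
_FORBIDDEN_PRINTABLE = set(' "#<>\\^`{|}')

# The only characters that requestTargetAllow can exempt.
_EXEMPTABLE = set("{|}")


def rejected_chars(request_target: str, allow: str = "") -> list[str]:
    """Return the characters in request_target (path plus query string) that
    a JBoss Web / Tomcat parser with the CVE-2016-6816 fix would reject,
    i.e. the characters that cause the 400 Bad Request.

    allow mirrors -Dtomcat.util.http.parser.HttpParser.requestTargetAllow:
    only '{', '|' and '}' are honoured, other characters are ignored.
    """
    exempt = {c for c in allow if c in _EXEMPTABLE}
    bad: list[str] = []
    for ch in request_target:
        code = ord(ch)
        if code <= 0x1F or code == 0x7F:
            # control characters (the answer lists 0x01-0x1f and 0x7f; NUL is
            # equally illegal in a request target)
            bad.append(ch)
        elif code > 0x7F:
            # 8-bit / non-ASCII characters; they must be UTF-8 percent-encoded
            bad.append(ch)
        elif ch in _FORBIDDEN_PRINTABLE and ch not in exempt:
            bad.append(ch)
    return bad


def percent_encode_target(request_target: str) -> str:
    """Client-side fix: percent-encode the path and the query string so that
    only RFC 3986 path/query characters remain. The '?' separator and the
    '&' and '=' delimiters of the query are kept, everything else that is
    not unreserved or a sub-delimiter is escaped (including '{', '|', '}',
    '<', '>', '"', space and non-ASCII).
    """
    path, sep, query = request_target.partition("?")
    safe_path = quote(path, safe="/:@!$&'()*+,;=")
    safe_query = quote(query, safe="/:@!$&'()*+,;=")
    return safe_path + sep + safe_query


if __name__ == "__main__":
    # Constructed sample request targets
    for target in ["/app/search?q=a|b", "/app/{id}?x=<y>", "/app/caf\u00e9"]:
        print(target, "->", rejected_chars(target), "| encoded:", percent_encode_target(target))
```

Run a suspicious URL through `rejected_chars` before blaming the server; if it returns anything, the client is sending an invalid request target and the durable fix is `percent_encode_target` (or the equivalent in the client's HTTP library), with the `requestTargetAllow` exemption reserved for clients you cannot change.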