springboot的get請(qǐng)求傳入特殊符號(hào)報(bào)400錯(cuò)誤(RFC 7230 and RFC 3986)

一、錯(cuò)誤日志

2021-01-05 10:54:08.671 [http-nio-19000-exec-2] INFO  org.apache.coyote.http11.Http11Processor - Error parsing HTTP request header
 Note: further occurrences of HTTP request parsing errors will be logged at DEBUG level.
java.lang.IllegalArgumentException: Invalid character found in the request target. The valid characters are defined in RFC 7230 and RFC 3986
    at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:468)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:260)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:860)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1598)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)

二、源碼分析

在org.apache.tomcat.util.http.parser中源碼

static {
    for (int i = 0; i < ARRAY_SIZE; i++) {
    // Control> 0-31, 127
    if (i < 32 || i == 127) {
    IS_CONTROL[i] = true;
    }
    
    // Separator
    if (    i == '(' || i == ')' || i == '<' || i == '>'  || i == '@'  ||
    i == ',' || i == ';' || i == ':' || i == '\\' || i == '\"' ||
    i == '/' || i == '[' || i == ']' || i == '?'  || i == '='  ||
    i == '{' || i == '}' || i == ' ' || i == '\t') {
    IS_SEPARATOR[i] = true;
    }
    
    // Token: Anything 0-127 that is not a control and not a separator
    if (!IS_CONTROL[i] && !IS_SEPARATOR[i] && i < 128) {
    IS_TOKEN[i] = true;
    }
    
    // Hex: 0-9, a-f, A-F
    if ((i >= '0' && i <='9') || (i >= 'a' && i <= 'f') || (i >= 'A' && i <= 'F')) {
    IS_HEX[i] = true;
    }
    
    // Not valid for HTTP protocol
    // "HTTP/" DIGIT "." DIGIT
    if (i == 'H' || i == 'T' || i == 'P' || i == '/' || i == '.' || (i >= '0' && i <= '9')) {
    IS_HTTP_PROTOCOL[i] = true;
    }
    
    if (i >= '0' && i <= '9') {
    IS_NUMERIC[i] = true;
    }
    
    if (i >= 'a' && i <= 'z' || i >= 'A' && i <= 'Z') {
    IS_ALPHA[i] = true;
    }
    
    if (IS_ALPHA[i] || IS_NUMERIC[i] || i == '-' || i == '.' || i == '_' || i == '~') {
    IS_UNRESERVED[i] = true;
    }
    
    if (i == '!' || i == '$' || i == '&' || i == '\'' || i == '(' || i == ')' || i == '*' ||
    i == '+' || i == ',' || i == ';' || i == '=') {
    IS_SUBDELIM[i] = true;
    }
    
    // userinfo    = *( unreserved / pct-encoded / sub-delims / ":" )
    if (IS_UNRESERVED[i] || i == '%' || IS_SUBDELIM[i] || i == ':') {
    IS_USERINFO[i] = true;
    }
    
    // The characters that are normally not permitted for which the
    // restrictions may be relaxed when used in the path and/or query
    // string
    if (i == '\"' || i == '<' || i == '>' || i == '[' || i == '\\' || i == ']' ||
    i == '^' || i == '`'  || i == '{' || i == '|' || i == '}') {
    IS_RELAXABLE[i] = true;
    }
    }
    
    DEFAULT = new HttpParser(null, null);
}

public HttpParser(String relaxedPathChars, String relaxedQueryChars) {
    for (int i = 0; i < ARRAY_SIZE; i++) {
    // Not valid for request target.
    // Combination of multiple rules from RFC7230 and RFC 3986. Must be
    // ASCII, no controls plus a few additional characters excluded
    if (IS_CONTROL[i] ||
    i == ' ' || i == '\"' || i == '#' || i == '<' || i == '>' || i == '\\' ||
    i == '^' || i == '`'  || i == '{' || i == '|' || i == '}') {
    IS_NOT_REQUEST_TARGET[i] = true;
    }

    /*
     * absolute-path  = 1*( "/" segment )
     * segment        = *pchar
     * pchar          = unreserved / pct-encoded / sub-delims / ":" / "@"
     *
     * Note pchar allows everything userinfo allows plus "@"
     */
    if (IS_USERINFO[i] || i == '@' || i == '/') {
    IS_ABSOLUTEPATH_RELAXED[i] = true;
    }

    /*
     * query          = *( pchar / "/" / "?" )
     *
     * Note query allows everything absolute-path allows plus "?"
     */
    if (IS_ABSOLUTEPATH_RELAXED[i] || i == '?') {
    IS_QUERY_RELAXED[i] = true;
    }
    }

    relax(IS_ABSOLUTEPATH_RELAXED, relaxedPathChars);
    relax(IS_QUERY_RELAXED, relaxedQueryChars);
}

三、解決辦法

  1. 方法一:此方法在低版本tomacat中才適用
    在tomcat的catalina.properties中,找到最后注釋掉的一行 #
    添加或者修改:
    tomcat.util.http.parser.HttpParser.requestTargetAllow=|{}
    選項(xiàng)是按照字符分隔為一個(gè)數(shù)組,表示放行["|","{","}"]
    如果為中文則就不行。如果有?和&這些符合那么
    tomcat.util.http.parser.HttpParser.requestTargetAllow=|{}?&
    除了上面配置,或者在最后一行添加:
    org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true
  2. 方法二:(不推薦)
    更換tomcat版本。此方法比較快。
  3. 方法三:
    對(duì)相應(yīng)的參數(shù)進(jìn)行編碼,就是將所有的參數(shù)都進(jìn)行編碼
  4. 方法四:
    選擇另外的參數(shù)傳遞方法,比如post或者localStorage。
  5. 方法五:springboot內(nèi)置版
    在啟動(dòng)時(shí)候添加tomcat.util.http.parser.HttpParser.requestTargetAllow=|{}
    java -jar -Dtomcat.util.http.parser.HttpParser.requestTargetAllow=|{} demo-0.0.1-SNAPSHOT.jar

參考:https://stackoverflow.com/questions/41053653/tomcat-8-is-not-able-to-handle-get-request-with-in-query-parameters
relaxedQueryChars推薦使用
requestTargetAllow在tomcat8.5已棄用

四、最終配置

最終我在springboot中使用如下配置

import org.apache.catalina.connector.Connector;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

public class TomcatConfig {
    @Bean
    public TomcatServletWebServerFactory webServerFactory() {
        TomcatServletWebServerFactory factory = new TomcatServletWebServerFactory();
        factory.addConnectorCustomizers((Connector connector) -> {
            connector.setProperty("relaxedPathChars", "\"<>[\\]^`{|}");
            connector.setProperty("relaxedQueryChars", "\"<>[\\]^`{|}");
        });
        return factory;
    }
}
最后編輯于
?著作權(quán)歸作者所有,轉(zhuǎn)載或內(nèi)容合作請(qǐng)聯(lián)系作者
平臺(tái)聲明:文章內(nèi)容(如有圖片或視頻亦包括在內(nèi))由作者上傳并發(fā)布,文章內(nèi)容僅代表作者本人觀點(diǎn),簡(jiǎn)書系信息發(fā)布平臺(tái),僅提供信息存儲(chǔ)服務(wù)。

推薦閱讀更多精彩內(nèi)容