According to your JBoss version and the Red Hat official site:
The fix for CVE-2016-6816 enforces rules more strictly when handling invalid characters in HTTP requests.
As a result, any clients making requests containing any of the following ASCII characters will receive a 400:
- Control characters (values 0x01 to 0x1f, and 0x7f)
- 8-bit ASCII values (values > 0x7f)
- Any of the following characters:
    ' ' (space character)
    '"' (double quote)
    '#' (hash or pound)
    '<' (less than)
    '>' (greater than)
    '\' (backslash)
    '^' (circumflex)
    '`' (backquote)
    '{' (left curly bracket or brace)
    '|' (vertical bar)
    '}' (right curly bracket or brace)
In summary:
For your JBoss version, you have to add this line to your startup script, standalone.sh:
JAVA_OPTS="$JAVA_OPTS -Dtomcat.util.http.parser.HttpParser.requestTargetAllow='{|}'"
Bear in mind that if you upgrade to EAP 7.1.1+, this solution won't work. Instead, add this line to the standalone.conf file:
JAVA_OPTS="$JAVA_OPTS -Dorg.wildfly.undertow.ALLOW_UNESCAPED_CHARACTERS_IN_URL=true"
I hope this can help you.
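As an added example (not part of the answer above, and not code from JBoss, Tomcat or Red Hat), the following Python script mirrors the character rules quoted in the answer so you can check a request target offline before deciding whether you need the property at all. It models the requestTargetAllow setting the way Tomcat's HttpParser applies it: only '{', '|' and '}' can be re-enabled, anything else passed in the property is ignored. The sample request targets are constructed for illustration; the function names are this script's own.

```python
"""Check whether a request target would be answered with 400 by the stricter
request-line parsing introduced with the fix for CVE-2016-6816, with and
without the tomcat.util.http.parser.HttpParser.requestTargetAllow property.
Added example; not code from the original answer or from Tomcat/JBoss."""

from urllib.parse import quote

# Punctuation rejected in the request target, as listed in the Red Hat text.
PUNCTUATION_REJECTED = set(' "#<>\\^`{|}')

# Only these three can be re-enabled through requestTargetAllow; Tomcat's
# HttpParser ignores (and warns about) any other character in the property.
ALLOWLISTABLE = set('{|}')


def effective_reject_set(request_target_allow=""):
    """Punctuation that is still rejected after applying requestTargetAllow."""
    allowed = {c for c in request_target_allow if c in ALLOWLISTABLE}
    return PUNCTUATION_REJECTED - allowed


def offending_chars(target, request_target_allow=""):
    """Return (index, char) pairs that would make the parser answer 400.

    Control characters (0x01-0x1f, 0x7f) and 8-bit values (> 0x7f) are
    always rejected; the property cannot re-enable them.
    """
    still_rejected = effective_reject_set(request_target_allow)
    found = []
    for i, ch in enumerate(target):
        code = ord(ch)
        if 0x01 <= code <= 0x1F or code >= 0x7F or ch in still_rejected:
            found.append((i, ch))
    return found


def would_get_400(target, request_target_allow=""):
    """True if the patched parser would reject this request target."""
    return bool(offending_chars(target, request_target_allow))


def percent_encode(target):
    """The client-side fix: percent-encode the target instead of relaxing
    the server. Path and query delimiters are kept as they are; existing
    '%' escapes are left untouched."""
    return quote(target, safe="/?=&%")


if __name__ == "__main__":
    # Constructed sample targets, not taken from a real server log.
    samples = [
        "/app?q={1|2}",          # curly braces and bar: rescued by '{|}'
        "/app?x=<b>",            # '<' and '>' cannot be allow-listed
        "/a b",                  # space in the target
        "/caf\u00e9",            # 8-bit value
    ]
    for allow in ("", "{|}"):
        print(f"requestTargetAllow='{allow}'")
        for t in samples:
            verdict = "400" if would_get_400(t, allow) else "ok"
            print(f"  {t!r:20} -> {verdict} {offending_chars(t, allow)}")
    print("encoded:", percent_encode(samples[0]),
          "->", "400" if would_get_400(percent_encode(samples[0])) else "ok")
```

Running it shows that the property only rescues the three curly-bracket/bar characters; a target containing '<', '>', a space or a non-ASCII byte is rejected whatever you put in the property, and the durable fix is to percent-encode on the client (or in the reverse proxy in front of JBoss).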