Myujth

I have this strange issue that I am hoping someone has some experience with and can help me out.

I have a tomcat installation on my computer that I use to run things locally when I need to, but then I will publish it to a development box for testing. However, the URL encoding is behaving differently.

For instance, the HTTP verb looks like this (in postman, removed irrelevant rest of URL)

DELETE .../AAASnsAATAALI%2F5AAK/20181114110451

On my local machine I see this in the localhost_access_log:

"DELETE ../AAASnsAATAALI%2F5AAK/20181114110451 HTTP/1.1" 400

(I am expecting the 400. I have learned about the org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true that I need to set thanks to StackOverflow, when I do that everything works fine)

However, I see this in the localhost_access_log on the development machine:

 "DELETE ../AAASnsAATAALI/5AAK/20181114110451 HTTP/1.1" 404 1008

Which of course I am getting the 404 because something is converting that %2F to the / causing my URL path to be wrong.

I'm confused as to what may be different between my machine and the development machine. I don't think this could be tomcat as I'm pretty sure I just have the out of the box installs (I compared my catalina.properties and they are the same). Could this be something in IIS that is causing this on the development box? I've been scratching my head on this one for a while now, so I am hoping there is someone out there who has had this happen to them.

Any guidance appreciated.

EDIT:

I have recently discovered that if I make the service call directly referencing tomcat as opposed to using the intranet URL I was provided I get the expected 400 error. So I feel there has to be a setting for the intranet site that needs to be changed. I am going through it now, but have no experience with it.

So in case anyone runs into this I have been able to figure out the solution through much trial and error.

For starters, this is an IIS related problem. I am not experienced enough to probably answer specific questions, but I can do my best if any arise.

I believe this could be a .NET 4.5 (maybe 4.0) issue, we are on 4.7 at the time of this response. So I have heard they are much more strict on their URLs in 4.5. By default IIS will decode your encoded URLs.

The first thing that is needed is to have the URL Rewrite Module in your IIS Manager (or have the wherewithal to know the syntax to edit the web.config of your site) . We did not have this, but I was able to find someone who was able to put it on. A new rule needs to be added to this module. I have included the web.config result of that rule that works for me:

<rewrite>
 <rules>
 <rule name="Keep Original Encoded URL String" stopProcessing="true">
 <match url="(.*)" />
 <conditions>
 <add input="UNENCODED_URL" pattern="(.*)" />
 </conditions>
 <action type="Rewrite" url="C:0" />
 </rule>
 </rules>
</rewrite>

Basically, this is saying take the URL and return the unencoded URL.

Getting all this in is not where it ended though. After making an attempt after entering that rule I received this error:

A potentially dangerous Request.Path value was detected from the client (%) rewrite.

In 4.0 there are default invalid characters for a URL.

< > * % & : ?

So in order to allow for the % to be included you have to override this default by setting the requestPathInvalidCharacters and removing the % so this is what I have now.

<system.web>
 <httpRuntime requestPathInvalidCharacters="<,>,*,&,:,,?" />
</system.web>

Once doing that I was able to get the 400 Bad Request that I was expecting. And in order to solve that you put this in your catalina.properties file.

org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true

This solution worked for me. If anyone sees issues with them please let me know so I can address them. Hopefully this solution will work for anyone else who may have the problem.