  2. ALF-21851

Tomcat 7.0.73, 8.0.39, 8.5.7 - starting from these versions throws error on illegal characters

    Details

    • Security Severity:
      None

      Description

      Starting from Tomcat 7.0.73, 8.0.39, 8.5.7 there is a stricter handling of illegal characters.
      From the Tomcat change log:
      "Add additional checks for valid characters to the HTTP request line parsing so invalid request lines are rejected sooner. (markt)"
      http://tomcat.apache.org/tomcat-8.0-doc/changelog.html

      While this is not an Alfresco issue, it exposes bugs present in Alfresco.
      One such issue is in file share/src/main/webapp/components/documentlibrary/actions.js, line 347:

               var templateUrl = YAHOO.lang.substitute(Alfresco.constants.URL_SERVICECONTEXT + "components/form?itemKind={itemKind}&itemId={itemId}&destination={destination}&mode={mode}&submitType={submitType}&formId={formId}&showCancelButton=true",
               {
                  itemKind: "node",
                  itemId: nodeRef,
                  mode: "edit",
                  submitType: "json",
                  formId: "doclib-simple-metadata"
               });
      

      Here the destination parameter is never set, and this results in a request with a parameter destination={destination} that has the illegal characters {}.

      This one can easily be fixed of course, but there may be other cases like this. Maybe the YAHOO.lang.substitute should be patched to remove any remaining {}-characters just to be safe (but this may cause other bugs).

      The above-mentioned issue is the only one I have found so far, but there may be others as testing continues.

      For now, the solution is to stay off the mentioned Tomcat versions or newer; in the long term it is a good thing as it exposes bad code.

      I listed a version affected, but this applies to any version of Alfresco that uses a newer version of Tomcat.
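
The failure mode described in the report above, as an added example that is not part of the original report and is neither Alfresco's nor YUI's code: a lenient substitution leaves the unset {destination} token in the URL, while a strict builder rejects it before a request is sent. The helper names, the "/ctx/" prefix and the nodeRef value are assumptions made for illustration.

```javascript
// Constructed sample input: the URL template and values from the report above.
// "/ctx/" is a placeholder for Alfresco.constants.URL_SERVICECONTEXT and the
// nodeRef is made up.
const TEMPLATE = "/ctx/components/form?itemKind={itemKind}&itemId={itemId}" +
  "&destination={destination}&mode={mode}&submitType={submitType}" +
  "&formId={formId}&showCancelButton=true";
const VALUES = {
  itemKind: "node",
  itemId: "workspace://SpacesStore/constructed-id",
  mode: "edit",
  submitType: "json",
  formId: "doclib-simple-metadata"
};
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Stand-in for the lenient behaviour in the report (not YUI's own code):
// a token with no matching value is left in the output untouched.
function substituteLenient(template, values) {
  return template.replace(/\{(\w+)\}/g, (token, key) =>
    has(values, key) ? String(values[key]) : token);
}

// Hypothetical strict builder: percent-encodes every value and refuses to
// return a URL while any token is still unresolved.
function buildUrlStrict(template, values) {
  const missing = [];
  const url = template.replace(/\{(\w+)\}/g, (token, key) => {
    if (!has(values, key)) { missing.push(key); return ""; }
    return encodeURIComponent(values[key]);
  });
  if (missing.length > 0) {
    throw new Error("unresolved URL tokens: " + missing.join(", "));
  }
  return url;
}

// Characters RFC 3986 does not allow unencoded anywhere in a URI (this is not
// Tomcat's exact validation table). Returns the distinct offenders found.
function illegalUriChars(url) {
  return [...new Set(url.match(/[\x00-\x20"<>\\^`{|}\x7F-\uFFFF]/g) || [])];
}

const leaked = substituteLenient(TEMPLATE, VALUES);
console.log(leaked, illegalUriChars(leaked));          // lenient URL and offenders
console.log(buildUrlStrict(TEMPLATE, { ...VALUES, destination: "" }));
```

Running illegalUriChars over URLs produced in client-side tests is one way to look for the other cases the report suspects.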

            Activity

            douglascrp Douglas Cassiano Rodrigues Paes added a comment - - edited

            I am facing the same problem here and I am going to downgrade the Tomcat version.

            Yes, the downgrade worked.
            I am using the 8.0.38 version now and everything seems to be ok.

            resplin Richard Esplin added a comment -

            This sounds like MNT-16664, but it has a different root cause.

            resplin Richard Esplin added a comment -

            Thank you for reporting this issue Peter Löfgren. We will pay attention to this as we look to upgrade the version of Tomcat that we officially support.

            kroast Kevin Roast added a comment -

            This has already been fixed on the 5.N service pack branch and will be merged to HEAD in due course. Thanks for raising it.

            kroast Kevin Roast added a comment -

            FYI this is NOT related to MNT-16664

            kroast Kevin Roast added a comment -

            Merged r135798. Should be in next nightly build and next Community build.


              People

              • Assignee: closedissues Closed Issues
              • Reporter: loftux Peter Löfgren
              • Votes: 2
              • Watchers: 5