Bug 1433123

Summary: [GSS](6.4.z) request with invalid characters receives 505 response instead of expected 400
Product: [JBoss] JBoss Enterprise Application Platform 6 Reporter: Aaron Ogburn <aogburn>
Component: Web Assignee: Fedor Gavrilov <fgavrilo>
Status: CLOSED CURRENTRELEASE QA Contact: Radim Hatlapatka <rhatlapa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.4.13 CC: bmaxwell, fgavrilo, mcada, rmaucher
Target Milestone: CR1   
Target Release: EAP 6.4.17   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-09-06 13:32:32 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1450092, 1455313, 1475249    

Description Aaron Ogburn 2017-03-16 20:52:58 UTC
Description of problem:

If a request is refused because of invalid characters (CVE-2016-6816), it gets a 505 response instead of a 400.  The 400 is initially set as expected:

16:26:13,426 INFO  [stdout] (http-127.0.0.1:8080-1) --------------------------->Response.setStatus400
16:26:13,427 INFO  [stdout] (http-127.0.0.1:8080-1) org.apache.coyote.Response.setStatus(Response.java:-1)
16:26:13,427 INFO  [stdout] (http-127.0.0.1:8080-1) org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:832)
16:26:13,428 INFO  [stdout] (http-127.0.0.1:8080-1) org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:656)
16:26:13,428 INFO  [stdout] (http-127.0.0.1:8080-1) org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926)
16:26:13,428 INFO  [stdout] (http-127.0.0.1:8080-1) java.lang.Thread.run(Thread.java:745)

But then prepareRequest is called and sets a 505 since it doesn't see a proper protocol:

16:26:13,430 INFO  [stdout] (http-127.0.0.1:8080-1) --------------------------->Response.setStatus505
16:26:13,431 INFO  [stdout] (http-127.0.0.1:8080-1) org.apache.coyote.Response.setStatus(Response.java:-1)
16:26:13,431 INFO  [stdout] (http-127.0.0.1:8080-1) org.apache.coyote.http11.Http11Processor.prepareRequest(Http11Processor.java:1217)
16:26:13,432 INFO  [stdout] (http-127.0.0.1:8080-1) org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:839)
16:26:13,432 INFO  [stdout] (http-127.0.0.1:8080-1) org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:656)
16:26:13,433 INFO  [stdout] (http-127.0.0.1:8080-1) org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926)
16:26:13,433 INFO  [stdout] (http-127.0.0.1:8080-1) java.lang.Thread.run(Thread.java:745)



How reproducible:

Always


Steps to Reproduce:
1. Launch 6.4.13+
2.
3.

Actual results:

505 response


Expected results:

400 response


Additional info:

Looks like similar concerns were fixed previously in tomcat with https://bz.apache.org/bugzilla/show_bug.cgi?id=46984.  If an error is already detected, Http11Processor.process shouldn't proceed to call prepareRequest().
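
Added example, not part of the original report and not JBoss Web or Tomcat code: a simplified Python model of the control flow described above, showing a 400 being overwritten by 505 when the prepare step runs unconditionally, and surviving when that step is skipped after an error. All names, the rejected-character set, the sample request lines, and the choice to leave the protocol unset when parsing aborts are assumptions made for illustration.

```python
# Simplified model of the control flow in this report. NOT JBoss Web/Tomcat
# source: every name here is hypothetical.

# Assumption: illustrative subset of characters rejected in a request target.
INVALID_TARGET_CHARS = set(' "<>\\^`{|}')
SUPPORTED_PROTOCOLS = ("HTTP/1.0", "HTTP/1.1")


def parse_request_line(line):
    """Return (method, target, protocol); raise ValueError on a bad target."""
    method, _, rest = line.partition(" ")
    target, _, protocol = rest.rpartition(" ")
    if not method or not target:
        raise ValueError("malformed request line")
    if any(c in INVALID_TARGET_CHARS for c in target):
        raise ValueError("invalid character in request target")
    return method, target, protocol


def prepare_request(protocol):
    """Return 505 when the protocol is not a supported one, else None."""
    return None if protocol in SUPPORTED_PROTOCOLS else 505


def process(line, guard_prepare):
    """Final status for one line; guard_prepare=False models the reported bug."""
    status, error = 200, False
    protocol = None  # assumption: stays unset when parsing aborts early
    try:
        _, _, protocol = parse_request_line(line)
    except ValueError:
        status, error = 400, True
    if not (guard_prepare and error):  # the guard skips prepare after an error
        override = prepare_request(protocol)
        if override is not None:
            status = override
    return status


# Constructed sample request lines.
BAD_TARGET = "GET /app?x={ HTTP/1.1"
GOOD = "GET /app?x=1 HTTP/1.1"
BAD_PROTOCOL = "GET /app HTTP/2.5"

if __name__ == "__main__":
    for line in (BAD_TARGET, GOOD, BAD_PROTOCOL):
        print(line, process(line, False), process(line, True))
```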

Comment 1 Aaron Ogburn 2017-03-16 20:54:33 UTC
Steps to Reproduce:
1. Launch 6.4.13+
2. curl -v localhost:8080/app?x=\\{

Comment 5 Michael Cada 2017-07-31 08:06:53 UTC
Verified with EAP 6.4.17.CP.CR3

Comment 6 Petr Penicka 2017-09-06 13:32:32 UTC
Released on 2017-09-05 as part of the EAP 6.4.17 release.