Bug 1433123 - [GSS](6.4.z) request with invalid characters receives 505 response instead of expected 400
Summary: [GSS](6.4.z) request with invalid characters receives 505 response instead of...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Web
Version: 6.4.13
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: CR1
: EAP 6.4.17
Assignee: Fedor Gavrilov
QA Contact: Radim Hatlapatka
URL:
Whiteboard:
Depends On:
Blocks: eap6417-payload 1455313 1475249
TreeView+ depends on / blocked
 
Reported: 2017-03-16 20:52 UTC by Aaron Ogburn
Modified: 2020-04-15 15:30 UTC (History)
4 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2017-09-06 13:32:32 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 2971811 0 None None None 2017-03-16 20:55:30 UTC

Description Aaron Ogburn 2017-03-16 20:52:58 UTC 
Description of problem:

If a request is refused because of invalid characters (CVE-2016-6816), it gets a 505 response instead of a 400.  The 400 is initially set as expected:

16:26:13,426 INFO  [stdout] (http-127.0.0.1:8080-1) --------------------------->Response.setStatus400
16:26:13,427 INFO  [stdout] (http-127.0.0.1:8080-1) org.apache.coyote.Response.setStatus(Response.java:-1)
16:26:13,427 INFO  [stdout] (http-127.0.0.1:8080-1) org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:832)
16:26:13,428 INFO  [stdout] (http-127.0.0.1:8080-1) org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:656)
16:26:13,428 INFO  [stdout] (http-127.0.0.1:8080-1) org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926)
16:26:13,428 INFO  [stdout] (http-127.0.0.1:8080-1) java.lang.Thread.run(Thread.java:745)

But then prepareRequest is called and sets a 505 since it doesn't see a proper protocol:

16:26:13,430 INFO  [stdout] (http-127.0.0.1:8080-1) --------------------------->Response.setStatus505
16:26:13,431 INFO  [stdout] (http-127.0.0.1:8080-1) org.apache.coyote.Response.setStatus(Response.java:-1)
16:26:13,431 INFO  [stdout] (http-127.0.0.1:8080-1) org.apache.coyote.http11.Http11Processor.prepareRequest(Http11Processor.java:1217)
16:26:13,432 INFO  [stdout] (http-127.0.0.1:8080-1) org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:839)
16:26:13,432 INFO  [stdout] (http-127.0.0.1:8080-1) org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:656)
16:26:13,433 INFO  [stdout] (http-127.0.0.1:8080-1) org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926)
16:26:13,433 INFO  [stdout] (http-127.0.0.1:8080-1) java.lang.Thread.run(Thread.java:745)



How reproducible:

Always


Steps to Reproduce:
1. Launch 6.4.13+
2.
3.

Actual results:

505 response


Expected results:

400 response


Additional info:

Looks like similar concerns were fixed previously in tomcat with https://bz.apache.org/bugzilla/show_bug.cgi?id=46984.  If an error is already detected, Http11Processor.process shouldn't proceed to call prepareRequest().
Comment 1 Aaron Ogburn 2017-03-16 20:54:33 UTC 
Steps to Reproduce:
1. Launch 6.4.13+
2. curl -v localhost:8080/app?x=\\{
Comment 5 Michael Cada 2017-07-31 08:06:53 UTC 
Verified with EAP 6.4.17.CP.CR3
Comment 6 Petr Penicka 2017-09-06 13:32:32 UTC 
Released on 2017-09-05 as part of the EAP 6.4.17 release.
Note You need to log in before you can comment on or make changes to this bug.