Tomcat rejects wrong URL send by Outlook application

[pnedonosko]

Since Tomcat 7.0.73 it does strict check for wrong characters in the request line and reject it then.

Add additional checks for valid characters to the HTTP request line parsing so invalid request lines are rejected sooner. (markt)

This fix affected 7.x, 8.x and 9.x Tomcat servers due to CVE-2016-6816 detected vulnerability.

Commit done with following comment:

Add additional checks for valid characters to the HTTP request line parsing so invalid request lines are rejected sooner. This is the fix for CVE-2016-6816

But Outlook server sends all request with query parameter that contains | character. For example: https://peter.exoplatform.com.ua:8443/portal/intranet/outlook?command=convertToStatus&et=&_host_Info=Outlook|Web|16.01|en-US|338f7941-a518-7600-3f22-e4807d2a482b|. Previously we was able to escape it in servlet filter to avoid failures in the portal engine. But since the Tomcat change this check done too low level before the filter.

A single, yet known, way to workaround it, it's use hash # at the end of location URLs of the add-in manifest, then the Tomcat logic will let it run (by ignoring the rest of the request line).

Check in this issue: will the workaround work with Outlook365?

[pnedonosko]

Tomcat error for information:

2017-02-07 15:11:19,617 | INFO  | Error parsing HTTP request header
 Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level. [o.a.coyote.http11.Http11NioProcessor<http-nio-8443-exec-1>]
java.lang.IllegalArgumentException: Invalid character found in the request target. The valid characters are defined in RFC 7230 and RFC 3986
    at org.apache.coyote.http11.InternalNioInputBuffer.parseRequestLine(InternalNioInputBuffer.java:317) ~[tomcat-coyote.jar:7.0.75]
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1000) ~[tomcat-coyote.jar:7.0.75]
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637) [tomcat-coyote.jar:7.0.75]
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1760) [tomcat-coyote.jar:7.0.75]
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1719) [tomcat-coyote.jar:7.0.75]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_112]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_112]
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-coyote.jar:7.0.75]
    at java.lang.Thread.run(Thread.java:745) [na:1.8.0_112]

[pnedonosko]

Deeper study of Tomcat sources found that it is a fix of vulnerability CVE-2016-6816 also described here.

[pnedonosko]

This problem doesn't happen if Platform's Tomcat runs behind the proxy on. Apache HTTP with mod_jk. Issue to study the infra by admins ITOP-3056.

[pnedonosko]

This issue already discussed in Microsoft Office forum and Microsoft developer told that adding such illegal query parameter was removed. I'll asked there when this update could appear in Office365.

[pnedonosko]

As Office developers proposed, there is a shim helper that lets use Office.js functionality without requests with illegal characters. We'll try use this OfficeJsHelpers library in Outlook add-in for eXo Platform.