
Change request ID for join forms to not include the pipe character

score 155

Recent versions of Tomcat 7 and 8 restrict the use of the pipe character.

This affects the use of direct URLs to join forms that pass the eid parameter. The eid parameter for join forms includes the pipe character, e.g. 0000123456|0000123456. Direct URL links are part of any Web report against a join form.

 

Tomcat can be set to allow the pipe character by adjusting the catalina.properties file to include this parameter:

# Allow for changes to HTTP request validation

# WARNING: Using this option will expose the server to CVE-2016-6816

#tomcat.util.http.parser.HttpParser.requestTargetAllow=|

 

However, many companies will not allow the security exposure.
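As an added example (not part of the original request and not vendor code), the following audits stored direct links for query characters that RFC 3986 does not permit unencoded, such as the pipe in eid, and rewrites them in percent-encoded form so that requestTargetAllow can stay disabled. The host, path and sample links are constructed, and it assumes the receiving application decodes %7C back to the pipe in the usual way.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, quote

# Characters RFC 3986 permits unencoded in a query component
# (unreserved + sub-delims + ":" "@" "/" "?"), plus "%" for escapes.
QUERY_SAFE = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
    "-._~!$&'()*+,;=:@/?%"
)

# Constructed sample links; host and path are placeholders.
SAMPLE_LINKS = [
    "https://reports.example.com/form?eid=0000123456|0000123456",
    "https://reports.example.com/form?server=ars01&eid=000000000000042",
]


def raw_disallowed(url):
    """Return the sorted query characters that must be percent-encoded."""
    query = urlsplit(url).query
    return sorted({c for c in query if c not in QUERY_SAFE})


def encode_query(url):
    """Rebuild the URL with every parameter name and value percent-encoded."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    query = "&".join(
        f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in pairs
    )
    return urlunsplit(
        (parts.scheme, parts.netloc, parts.path, query, parts.fragment)
    )


def audit(links):
    """Return (original, offending characters, rewritten link) per bad link."""
    findings = []
    for link in links:
        bad = raw_disallowed(link)
        if bad:
            findings.append((link, bad, encode_query(link)))
    return findings


if __name__ == "__main__":
    for original, bad, fixed in audit(SAMPLE_LINKS):
        print(f"{original}\n  raw characters: {bad}\n  rewrite as:     {fixed}")
```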
