Notes on upgrading Tomcat 8.0.30 to 8.5.51

Because of the recently disclosed Apache Tomcat AJP protocol vulnerability (arbitrary file read and arbitrary file inclusion, which can lead to remote command execution), the Tomcat 8 series needs to be upgraded to 8.5.51.
A few things to watch out for during the upgrade:

  1. bin/catalina.sh
    We distinguish environments by setting env in the runtime configuration, so -Denv=prod has to be added in bin/catalina.sh for the production environment. The performance-tuning settings are also configured in this file. Copy them over from the original 8.0.30 installation.
  2. conf/server.xml
    The port number is configured in this file. It stays the same as before (nginx forwards to it), so the old Tomcat must be shut down before the new one is started.
  3. conf/context.xml
    There is a warning at startup; configure <Resources cachingAllowed="true" cacheMaxSize="150000" ></Resources> in conf/context.xml. The warning is:

[localhost-startStop-1] org.apache.catalina.webresources.Cache.getResource Unable to add the resource at [/WEB-INF/classes/static/js/ueditor/third-party/highcharts/highcharts.src.js] to the cache for web application [/dgshop-0.0.1-release] because there was insufficient free space available after evicting expired cache entries - consider increasing the maximum size of the cache

  4. conf/catalina.properties
    After the upgrade the following exception appears in the logs for some requests:
Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.
java.lang.IllegalArgumentException: Invalid character found in the request target. The valid characters are defined in RFC 7230 and RFC 3986
	at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:467)
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:667)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:789)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1437)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:745)


This is caused by the stricter parsing in newer Tomcat releases (since 7.0.73, 8.0.39 and 8.5.7 Tomcat strictly validates the characters of the HTTP request line). It can be resolved by adding two lines to conf/catalina.properties and two attributes to conf/server.xml.
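To make the rejection visible without a running Tomcat, here is an added example (not Tomcat's own HttpParser code) that models the RFC 3986 / RFC 7230 character rules the strict request-line check enforces. The relaxed_path / relaxed_query parameters take the same string an operator would put into the Connector attributes relaxedPathChars / relaxedQueryChars; the set of characters they are allowed to re-enable is an assumption of this model, as are the sample request targets, which are constructed rather than taken from real traffic.

```python
"""Request-target character check modelled on RFC 3986 / RFC 7230 (added example).

Stand-alone model of the strict request-line validation that Tomcat applies
since 7.0.73 / 8.0.39 / 8.5.7; it is NOT Tomcat's own HttpParser code.
"""
import string

# RFC 3986 building blocks. Percent-encoded octets (%HH) are handled separately.
UNRESERVED = set(string.ascii_letters + string.digits + "-._~")
SUB_DELIMS = set("!$&'()*+,;=")
PCHAR = UNRESERVED | SUB_DELIMS | set(":@")
PATH_CHARS = PCHAR | set("/")          # path  = "/" segment*
QUERY_CHARS = PCHAR | set("/?")        # query may additionally contain "/" and "?"

# Characters an operator may re-enable through relaxedPathChars / relaxedQueryChars.
# Anything else given in the relaxed strings is ignored in this model (assumption).
RELAXABLE = set('"<>[\\]^`{|}')
HEXDIGITS = set(string.hexdigits)


def _first_invalid(segment, allowed):
    """Return the first character of segment not permitted by allowed, or None."""
    i = 0
    while i < len(segment):
        ch = segment[i]
        if ch == "%":
            # A percent sign must introduce exactly two hex digits.
            if (i + 2 >= len(segment)
                    or segment[i + 1] not in HEXDIGITS
                    or segment[i + 2] not in HEXDIGITS):
                return "%"
            i += 3
            continue
        if ch not in allowed:
            return ch
        i += 1
    return None


def check_request_target(target, relaxed_path="", relaxed_query=""):
    """Validate an origin-form request target ("/path?query").

    Returns (ok, offending_char): ok is True when every character is legal
    under the default rules plus the relaxed sets; otherwise offending_char
    is the first character a strict parser would reject.
    """
    path_allowed = PATH_CHARS | (set(relaxed_path) & RELAXABLE)
    query_allowed = QUERY_CHARS | (set(relaxed_query) & RELAXABLE)

    path, sep, query = target.partition("?")
    if not path.startswith("/"):
        return False, path[:1]
    bad = _first_invalid(path, path_allowed)
    if bad is None and sep:
        bad = _first_invalid(query, query_allowed)
    return bad is None, bad


def verdict(ok, bad):
    """Human-readable result for one check."""
    return "ok" if ok else f"reject {bad!r}"


if __name__ == "__main__":
    # Constructed sample request targets (not real traffic).
    samples = [
        "/dgshop/api/items?id=1&name=%E4%B8%AD",   # fully percent-encoded: fine everywhere
        "/dgshop/api/{id}",                        # raw braces in the path: rejected by default
        "/dgshop/search?q=a|b",                    # raw pipe in the query
        "/dgshop/bad%zz",                          # malformed percent-encoding: never accepted
    ]
    relaxed = "|{}[],^\\"   # the value the page adds to both Connector attributes
    for s in samples:
        default_result = verdict(*check_request_target(s))
        relaxed_result = verdict(*check_request_target(s, relaxed, relaxed))
        print(f"{s:42} default={default_result:12} relaxed={relaxed_result}")
```

Running the block shows that relaxing the character set only helps for characters the server is explicitly told to accept; a malformed %-escape is rejected either way. The cleaner fix is for the client (here the front-end JavaScript that builds these URLs) to percent-encode the path and query, and to relax on the server only the characters that are actually needed.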

In conf/catalina.properties, requestTargetAllow can hold at most the characters |{}; to allow more characters, attributes have to be added to the Connector in conf/server.xml.

tomcat.util.http.parser.HttpParser.requestTargetAllow=|{}
org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true

In conf/server.xml, add the characters that need to be allowed to the Connector:

relaxedPathChars="|{}[],^\"
relaxedQueryChars="|{}[],^\"
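The two attributes in context, as an added example of a complete HTTP Connector element for the 8.5.51 conf/server.xml (this is not the page's own server.xml; the port, timeout and the AJP secret are placeholders). Because the 8.0.x server.xml shipped with the AJP connector on port 8009 enabled, carrying that file over unchanged would bring back the connector whose vulnerability motivated the upgrade; the 8.5.51 server.xml keeps it commented out, and if a reverse proxy really needs AJP it should be bound to loopback and require a secret, as sketched in the commented block.

```xml
<!-- conf/server.xml, HTTP connector of the upgraded 8.5.51 instance (added example).
     Keep the same port as the old instance (nginx forwards to it); the old
     Tomcat must be stopped first or the bind fails. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443"
           relaxedPathChars="|{}[],^\"
           relaxedQueryChars="|{}[],^\" />

<!-- AJP stays disabled (the 8.5.51 default). Only if a front-end proxy speaks AJP:
     bind to loopback and require a shared secret. PLACEHOLDER_SECRET is a placeholder. -->
<!--
<Connector protocol="AJP/1.3"
           address="127.0.0.1"
           port="8009"
           redirectPort="8443"
           secretRequired="true"
           secret="PLACEHOLDER_SECRET" />
-->
```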

References

Ultimate solution: Invalid character found in the request target. The valid characters are defined in RFC 3986
