IBM Support

IT28906: SPECIAL CHARACTERS IN QUERY STRING RESULT IN "HTTP/1.1 400 BAD REQUEST"

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • Broker wide http listener and embedded listener works based on
HTTP/1.1 specification(https://tools.ietf.org/rfc/rfc7230.txt)
which doesn't allow Special characters in query string.
However, a user would like to have an option to relax the
restricction and specify special characters like
" < > [ \ ] &circ; ` { | }" in query string.

Local fix

  • 



Problem summary


    

  • ****************************************************************
USERS AFFECTED:
All Users of IBM Integration Bus 10.0.0.9 onwards hosting
webservices and permitting http clients to invoke them with
special characters in URL


Platforms affected:
z/OS, MultiPlatform

****************************************************************
PROBLEM DESCRIPTION:
From IBM Integration Bus 10.0.0.9 onwards, additional checks
will be performed for valid characters to the HTTP request line.
If an invalid character in the request line is not
percent-encoded, then the request will be rejected with a http
response "400 BAD  REQUEST". The invalid characters which are
not allowed for a request URL are

  < > [ \ ]  ` { | }

A user may want an option to lift this restriction and allow the
characters as-is

    



Problem conclusion


    

  • A user is encouraged to percent-encode special characters in the
request URL before invoking, as the special characters can cause
a security breach in the product. For those who do not want to
percent-encode characters in request URL, two new properties are
introduced under HTTP(S)Connector resource of integration server
and integration node HTTP listener parameters.
 <div>-n relaxedPathChars</div><div> </div><div>    The HTTP/1.1
specification requires that certain characters are %nn encoded
when used in URI paths. It the special characters are not
encoded, the listener will reject the request with a http code
'400 BAD <span style="background-color:rgb(255, 255,
255)">REQUEST</span>'. Set this property to allow those
additional characters in URI paths. The value may be any
combination of the following characters: " < > [ \ ] &#94; ` { |
} . Any other characters present in the value will be
ignored.</div><div> </div><div>-n relaxedQueryChars</div><div>
</div><div>    The HTTP/1.1 specification requires that certain
characters are %nn encoded when used in URI query strings. If
the special characters in query string are not encoded, the
listener will reject the request with a http code '400 BAD <span
style="background-color:rgb(255, 255, 255)">REQUEST</span>'. Set
this property to allow those additional characters in the query
string. The value may be any combination of the following
characters: " < > [ \ ] &#94; ` { | } . Any other characters
present in the value will be ignored.</div>
Example of setting the property is

To allow characters [ and < in URL path for integration server
https(SSL) listener :
mqsichangeproperties <Integration node> -e <Integration server>
-o HTTPSConnector -n relaxedPathChars -v '[<'

To allow characters {, | and } in query string for integration
node http istener :
mqsichangeproperties <Integration node> -b httplistener -o
HTTPConnector -n <span style="background-color:rgb(255, 255,
255)">relaxedQueryChars </span>-v '{|}'

---------------------------------------------------------------
The fix is targeted for delivery in the following PTFs:

Version    Maintenance Level
v10.0      10.0.0.21

The latest available maintenance can be obtained from:
http://www-01.ibm.com/support/docview.wss?rs=849&uid=swg27006041

If the maintenance level is not yet available,information on
its planned availability can be found on:
http://www-1.ibm.com/support/docview.wss?rs=849&uid=swg27006308
---------------------------------------------------------------

    



Temporary fix


    

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    IT28906
    • 

  • Reported component name
    INTEGRATION BUS
    • 

  • Reported component ID
    5724J0540
    • 

  • Reported release
    A00
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2019-04-24
    • 

  • Closed date
    2020-06-10
    • 

  • Last modified date
    2020-06-10
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    INTEGRATION BUS
    • 

  • Fixed component ID
    5724J0540
    • 



Applicable component levels


    








      
              
                            

              

              [{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSNQK6","label":"IBM Integration Bus"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"10.0","Line of Business":{"code":"LOB45","label":"Automation"}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            11 June 2020
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback