HTTP Status 400 – Bad Request

Report · Oct 15, 2021

I just installed a dev version of CF 2021 to prep for an upgrade from CF 10.

The exact same urls now respond with the above error from identical urls. I presume the bad parameter is the "&{}" but this existed in CF 10 with no issue. Tried adding URIEncoding="UTF-8"
relaxedQueryChars="{}" to the apache server.xml but had no success. It's not browser specific. This is the log entry:

Oct 15, 2021 12:09:56 PM org.apache.coyote.http11.Http11Processor service
INFO: Error parsing HTTP request header
 Note: further occurrences of HTTP request parsing errors will be logged at DEBUG level.
java.lang.IllegalArgumentException: Invalid character found in the request target [/iFM-Portals/system/srre/editor/index.cfm?targetaction=GlobalEditor&t=ifm_users&keylist=BELLPA2&{}&_=1634310596756 ]. The valid characters are defined in RFC 7230 and RFC 3986

Report · Oct 16, 2021

The error is definitely a client error, as the status-code suggests. With the attribute, relaxedQueryChars, you are on the right track. 🙂

ColdFusion 10 and ColdFusion 2021 are a world apart. For example, CF10 runs on Tomcat 7.x whereas CF2021 runs on Tomcat 9.0.50. Newer Tomcat versions no longer tolerate certain characters in the URL. Which is why the characters {} are causing the HTTP 400 error.

Suggestions (in order of preference):

Change your software design such that the URLs in your application no longer require illegal characters like { and }. Inform users accordingly.
If you cannot miss the characters, then use their respective URL-encoded values instead. For example %7B in place of { and %7D in place of }.
Implement the following workaround. Open server.xml in a text editor, and add the relaxedQueryChars attribute to the HTTP/1.1 connector element. For example,
```
<Connector protocol="HTTP/1.1" port="8500" redirectPort="8453" connectionTimeout="20000" relaxedQueryChars="{,}"/>
```

Report · Oct 18, 2021

Thanks very much for the reply.

Updating the relaxedQueryChars param has not worked unfortunately.

Curiously the "&{}" part of the url is being added automatically and not a part of the url that gets sent in the Ajax call.

For example:

&prob_type=DATALINE becomes

&prob_type=DATALINE&{}&_=1634554657642 which I always asumed to be part of the CFTOKEN so I never had to deal with it before. So is this something being added by some other source juch as jQuery or even native Ajax do you think?

Report · Oct 18, 2021

I found the source of the issue. It was in a function that tested for a null parameter and set it to '{}'.

All is good now.

HTTP Status 400 – Bad Request

1 Correct answer

Photos