From the answers here , we can know:
After Tomcat version 7.0.73, 8.0.39, 8.5.7, validation for http headers has been added.
Specifically, some rules are added to limit the normative nature of HTTP headers.
refer here
Specifically:
org.apache.tomcat.util.http.parser.HttpParser#IS_NOT_REQUEST_TARGET[]
A bunch of not request targets are defined in
if(IS_CONTROL[i] || i > 127 || i == 32 || i == 34 || i == 35 || i == 60 || i == 62 || i == 92 || i == 94 || i == 96 || i == 123 || i == 124 || i == 125) { IS_NOT_REQUEST_TARGET[i] = true; }
Converted to the following characters (corresponding to decimal ASCII):
- Those control keys on the keyboard: (
<32或者=127
) - Non-English characters (
>127
) 空格
(32
)双引号
(34
)#
(35
)<
(60
)>
(62
)反斜杠
(92
)^
(94
)TAB上面那个键,我也不晓得嫩个读
(96
){
(123
)}
(124
)|
(125
)
Solution:
or refer to here
which is:
Configure catalina.properties of tomcat
Add or modify:
tomcat.util.http.parser.HttpParser.requestTargetAllow=|{}
Of course, there is another way, which is to encode all parameters