Posted to dev@tomcat.apache.org by ma...@apache.org on 2018/05/11 08:34:21 UTC

svn commit: r1831389 - /tomcat/trunk/java/org/apache/coyote/http11/Http11InputBuffer.java

Author: markt
Date: Fri May 11 08:34:21 2018
New Revision: 1831389

URL: http://svn.apache.org/viewvc?rev=1831389&view=rev
Log:
When the header limit is exceeded before the protocol is read (e.g. with excessive new lines before the request line), set the protocol to avoid the missing protocol triggering a 505 error masking the real error code.

Modified:
    tomcat/trunk/java/org/apache/coyote/http11/Http11InputBuffer.java

Modified: tomcat/trunk/java/org/apache/coyote/http11/Http11InputBuffer.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/Http11InputBuffer.java?rev=1831389&r1=1831388&r2=1831389&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http11/Http11InputBuffer.java (original)
+++ tomcat/trunk/java/org/apache/coyote/http11/Http11InputBuffer.java Fri May 11 08:34:21 2018
@@ -711,6 +711,10 @@ public class Http11InputBuffer implement
 
         if (parsingHeader) {
             if (byteBuffer.limit() >= headerBufferSize) {
+                if (parsingRequestLine) {
+                    // Avoid unknown protocol triggering an additional error
+                    request.protocol().setString(Constants.HTTP_11);
+                }
                 throw new IllegalArgumentException(sm.getString("iib.requestheadertoolarge.error"));
             }
         } else {
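
Review bot: The comment on the new `if (parsingRequestLine)` block does not say that Constants.HTTP_11 is a placeholder rather than the protocol received on the connection, so a later reader of the request object could take it for what was on the wire. Suggest expanding the comment to state that no protocol has been parsed at this point and that the value is set only so the iib.requestheadertoolarge.error exception is reported rather than a 505, which is why it has to be a valid protocol string. The guard is also parsingRequestLine rather than "protocol not yet set": if the limit can be reached after the protocol token has been read but before the request line is complete, the parsed value would be overwritten, so it is worth confirming that case cannot occur or checking for an empty protocol first.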



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Re: svn commit: r1831389 - /tomcat/trunk/java/org/apache/coyote/http11/Http11InputBuffer.java

Posted by Mark Thomas <ma...@apache.org>.
On 11/05/18 15:44, Christopher Schultz wrote:

<snip/>

> Why not use something like "UNKNOWN" instead of "HTTP/1.1"? It might
> be confusing to see that the protocol "is" HTTP/1.1 when it was
> actually something else on the wire.

Because:
- neither the app nor the client ever sees it.
- it needs to be a valid value to prevent another error being triggered
later.

Mark



Re: svn commit: r1831389 - /tomcat/trunk/java/org/apache/coyote/http11/Http11InputBuffer.java

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Mark,

On 5/11/18 4:34 AM, markt@apache.org wrote:
> Author: markt Date: Fri May 11 08:34:21 2018 New Revision: 1831389
> 
> URL: http://svn.apache.org/viewvc?rev=1831389&view=rev Log: When
> the header limit is exceeded before the protocol is read (e.g. with
> excessive new lines before the request line), set the protocol to
> avoid the missing protocol triggering a 505 error masking the real
> error code.
> 
> Modified: 
> tomcat/trunk/java/org/apache/coyote/http11/Http11InputBuffer.java
> 
> Modified:
> tomcat/trunk/java/org/apache/coyote/http11/Http11InputBuffer.java 
> URL:
> http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/Http11InputBuffer.java?rev=1831389&r1=1831388&r2=1831389&view=diff
>
> ==============================================================================
> ---
> tomcat/trunk/java/org/apache/coyote/http11/Http11InputBuffer.java
> (original) +++
> tomcat/trunk/java/org/apache/coyote/http11/Http11InputBuffer.java
> Fri May 11 08:34:21 2018 @@ -711,6 +711,10 @@ public class
> Http11InputBuffer implement
> 
> if (parsingHeader) { if (byteBuffer.limit() >= headerBufferSize) { 
> +                if (parsingRequestLine) { +                    //
> Avoid unknown protocol triggering an additional error +
> request.protocol().setString(Constants.HTTP_11); +
> }

Why not use something like "UNKNOWN" instead of "HTTP/1.1"? It might
be confusing to see that the protocol "is" HTTP/1.1 when it was
actually something else on the wire.

-chris