Posted to dev@tomcat.apache.org by bu...@apache.org on 2018/09/19 12:09:06 UTC

[Bug 62739] New: Tomcat should allow blank Host header

https://bz.apache.org/bugzilla/show_bug.cgi?id=62739

            Bug ID: 62739
           Summary: Tomcat should allow blank Host header
           Product: Tomcat 7
           Version: 7.0.90
          Hardware: Macintosh
                OS: Mac OS X 10.1
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Connectors
          Assignee: dev@tomcat.apache.org
          Reporter: michaelomichael@gmail.com
  Target Milestone: ---

Changes to request handling in 7.0.87 mean that sending an empty string for the
"Host" request header now results in a "400 Bad Request" response, even though
the request is legal.

This can be demonstrated by running the following command:

    curl -XGET -v -I -H "Host: " "http://localhost:8080/RELEASE-NOTES.txt"

The request that is sent is:

    GET /RELEASE-NOTES.txt HTTP/1.1
    Host:
    User-Agent: curl/7.54.0
    Accept: */*

According to RFC 7230 (https://tools.ietf.org/html/rfc7230#section-5.4) it is
legal for the Host header to have an empty field value:

    "If the authority component is missing or undefined for the target URI, 
    then a client MUST send a Host header field with an empty field-value."

While uncommon, I have come across such cases.  For example, an F5 load
balancer wants to make an HTTP request to help determine whether or not a given
HTTP server is still 'alive', so it creates a TCP connection and then sends the
following text string:

    GET /alive.html HTTP/1.1\r\nHost:\r\n\r\n

Changing this string so that the Host header is not blank would, of course, be
the easiest option, but it is not always possible to do, especially if the same
string is used for many disparate server types.

We should modify the code (AbstractHttp11Processor, I'm guessing?) to allow a
blank Host header value.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
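
The Host rule the report relies on, as an added example (not Tomcat's code and not part of the original thread): RFC 7230 section 5.4 requires a 400 for an HTTP/1.1 request with no Host field, for more than one Host field, or for an invalid value, while a Host field that is present but empty is accepted. The names check_host and parse_head, the simplified host pattern and the sample requests are assumptions made for this sketch; the empty server name for an empty Host follows what the thread settles on for HttpServletRequest.getServerName().

```python
import re

# Simplified uri-host [":" port]: bracketed IP literal, or reg-name/IPv4 characters.
_HOST = re.compile(r"(\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9._~!$&'()*+,;=%-]+)(?::\d*)?")


def parse_head(raw: bytes):
    """Split a request head into (version, [(lowercased name, value), ...])."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *field_lines = head.split("\r\n")
    version = request_line.rsplit(" ", 1)[-1]
    fields = []
    for line in field_lines:
        name, _, value = line.partition(":")
        fields.append((name.lower(), value.strip(" \t")))  # trim optional whitespace
    return version, fields


def check_host(raw: bytes):
    """Return (status, server_name): 400 to reject, 200 to keep processing."""
    version, fields = parse_head(raw)
    hosts = [value for name, value in fields if name == "host"]
    if len(hosts) > 1:
        return 400, None                      # more than one Host field
    if not hosts:
        # A missing Host is only an error for HTTP/1.1 requests.
        return (400, None) if version == "HTTP/1.1" else (200, None)
    if hosts[0] == "":
        return 200, ""                        # present but empty: legal
    match = _HOST.fullmatch(hosts[0])
    return (200, match.group(1)) if match else (400, None)


# Constructed sample requests; the first is the health-check string from the report.
SAMPLES = {
    "empty Host (F5 probe)": b"GET /alive.html HTTP/1.1\r\nHost:\r\n\r\n",
    "Host with port": b"GET / HTTP/1.1\r\nHost: localhost:8080\r\n\r\n",
    "no Host, HTTP/1.1": b"GET / HTTP/1.1\r\nAccept: */*\r\n\r\n",
    "two Host fields": b"GET / HTTP/1.1\r\nHost: a\r\nHost: b\r\n\r\n",
    "invalid Host value": b"GET / HTTP/1.1\r\nHost: bad host\r\n\r\n",
}

if __name__ == "__main__":
    for label, request in SAMPLES.items():
        print(f"{label:24} -> {check_host(request)}")
```

The distinction that matters is between an absent Host field and an empty one: only the first is a protocol error, so a validator that treats both the same rejects the health check shown in the report.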


[Bug 62739] Tomcat should allow blank Host header

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62739

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #12 from Mark Thomas <ma...@apache.org> ---
Fixed in:
- trunk for 9.0.13 onwards
- 8.5.x for 8.5.35 onwards
- 7.0.x for 7.0.92 onwards



[Bug 62739] Tomcat should allow blank Host header

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62739

--- Comment #1 from Michael Orr <mi...@gmail.com> ---
I should add that I'm happy to investigate a fix for this, assuming there are
no objections to the proposed change.



[Bug 62739] Tomcat should allow blank Host header

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62739

--- Comment #6 from Michael Orr <mi...@gmail.com> ---
I managed to find time after all!  Here's the pull request:
https://github.com/apache/tomcat/pull/124



[Bug 62739] Tomcat should allow blank Host header

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62739

--- Comment #9 from Michael Orr <mi...@gmail.com> ---
Good question.

Let me know how you want to proceed, and I'll add tests and code accordingly.



[Bug 62739] Tomcat should allow blank Host header

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62739

--- Comment #4 from Michael Orr <mi...@gmail.com> ---
Hi Mark, it won't happen this week.  Possibly by the end of next week.



[Bug 62739] Tomcat should allow blank Host header

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62739

--- Comment #8 from Mark Thomas <ma...@apache.org> ---
Patch looks good - thanks for including the tests.

My main thought at this point is what should HttpServletRequest.getServerName()
return? My reading of the Javadoc is if the Host header is present, its value
should be returned by HttpServletRequest.getServerName(). That requires a
slightly different fix (in the parser to allow empty values).

Either solution enables the new tests to pass. Leaving this open for a little
while to think about it.



[Bug 62739] Tomcat should allow blank Host header

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62739

--- Comment #2 from Mark Thomas <ma...@apache.org> ---
Please go ahead.

We typically (and this is a typical case) fix the issue in trunk first and then
back-port. My initial impression is that this is a fairly simple fix. Don't
forget to check/add/update the unit tests.

Patches can be provided by either attaching them to this issue (in diff -u
format please) or by creating a PR against the GitHub mirror
https://github.com/apache/tomcat

If you have any questions, just ask.



[Bug 62739] Tomcat should allow blank Host header

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62739

--- Comment #11 from Michael Orr <mi...@gmail.com> ---
Done.  Pull request has been updated.  Let me know if there's anything I've
missed.



[Bug 62739] Tomcat should allow blank Host header

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62739

--- Comment #3 from Mark Thomas <ma...@apache.org> ---
Is there an ETA on your fix? We have reached the start of the month and I
expect we'll want to tag a new version with this fix included in the next few
days.



[Bug 62739] Tomcat should allow blank Host header

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62739

--- Comment #10 from Mark Thomas <ma...@apache.org> ---
Thanks for the offer of an updated patch.

Let's go with HttpServletRequest.getServerName() returning an empty string in
this case as that is consistent with the Host header that was sent.



[Bug 62739] Tomcat should allow blank Host header

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62739

--- Comment #5 from Mark Thomas <ma...@apache.org> ---
OK. The other open issues are looking to be trickier than expected so we have a
little more time than I first thought. I'll leave this until last to give you
as much time as possible.



[Bug 62739] Tomcat should allow blank Host header

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62739

Michael Orr <mi...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |michaelomichael@gmail.com



[Bug 62739] Tomcat should allow blank Host header

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62739

--- Comment #7 from Mark Thomas <ma...@apache.org> ---
Thanks. Looking at this now.
