Posted to dev@tomcat.apache.org by Sven Buesing <s....@babiel.com> on 2018/05/30 09:00:25 UTC

Strict Host Header validation since Tomcat 7.0.87

Hello everyone,
Hello Mark,

@markt: as this change is from you, I've added you in cc. Please let me know if you're fine with this.

Since Tomcat 7.0.87 Coyote has added a validation check for Host-Headers.
The validation seems to expect that a host header is always a FQDN.
But in common DNS setups, search domains are used, which are automatically appended to a DNS request.

The search domain, on the other hand, is not appended to the host header of the request. For example, a host header might therefore look like this: "Host: subdomain.host-header".
The "-" causes the request to be recognized as incorrect and discarded.
As a result, since the update to Tomcat >8.0.86, certain requests are answered with 400 bad requests.

This could be a problem in certain setups. Maybe you could change the validation behaviour to also accept common domain names without requiring FQDNs.

Regards,
Sven B.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
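
As an added illustration (not code from Tomcat's HttpParser or from either poster), the checker below applies the standard Host-header grammar: RFC 7230 allows `uri-host [":" port]`, and a DNS host name is dot-separated labels of letters, digits and hyphens, where no label starts or ends with a hyphen (RFC 1123 section 2.1). Under those rules a hyphen inside a label, as in `subdomain.host-header`, and a single-label name such as `subdomain` (the resolver's search domain is never part of the header the client sends) are both syntactically valid. The acceptance of an empty port and a trailing dot, and the sample headers at the bottom, are my assumptions and constructed inputs; what a given Tomcat build actually accepts is what the Bugzilla entry tracks.

```python
import ipaddress
import re

# One DNS label (RFC 1123): starts and ends with a letter or digit, hyphens
# only inside, 1..63 characters.
_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_valid_hostname(name: str) -> bool:
    """True if `name` is a syntactically valid DNS host name."""
    if name.endswith("."):          # absolute name, e.g. "host.example.com."
        name = name[:-1]
    if not name or len(name) > 253:  # overall length limit for a host name
        return False
    return all(_LABEL.match(label) is not None for label in name.split("."))


def _valid_port(port: str) -> bool:
    # RFC 7230 defines port = *DIGIT, so an empty port ("host:") is accepted
    # here (assumption: servers may be stricter); otherwise digits <= 65535.
    return port == "" or (port.isdigit() and int(port) <= 65535)


def validate_host_header(value: str) -> tuple:
    """Return (accepted, reason) for the raw value of a Host header."""
    if value == "":
        # RFC 7230 permits an empty Host when the target has no authority.
        return True, "empty Host accepted"
    if value.startswith("["):        # IP-literal: "[v6addr]" plus optional port
        end = value.find("]")
        if end == -1:
            return False, "unterminated IPv6 literal"
        try:
            ipaddress.IPv6Address(value[1:end])
        except ValueError:
            return False, "invalid IPv6 literal"
        rest = value[end + 1:]
        if rest == "":
            return True, "IPv6 literal"
        if rest[0] != ":" or not _valid_port(rest[1:]):
            return False, "bad port after IPv6 literal"
        return True, "IPv6 literal with port"
    host, sep, port = value.partition(":")
    if ":" in port:                   # a bare v6 address without brackets
        return False, "more than one ':' in Host"
    if sep and not _valid_port(port):
        return False, "invalid port"
    if not is_valid_hostname(host):
        return False, "invalid host name"
    return True, "host name"


# Constructed sample headers, not captured traffic.
SAMPLE_HOST_HEADERS = [
    "subdomain.host-header",          # hyphen inside a label: valid
    "subdomain",                      # short name, search domain not included
    "host-header.example.com:8080",
    "example.com.",                   # absolute name with trailing dot
    "[::1]:8443",
    "-bad.example.com",               # label starts with a hyphen
    "bad_name.example.com",           # underscore is not a host-name character
    "example.com:abc",                # non-numeric port
]


def classify(headers):
    """Map each sample header to whether the grammar above accepts it."""
    return {h: validate_host_header(h)[0] for h in headers}


if __name__ == "__main__":
    for h, ok in classify(SAMPLE_HOST_HEADERS).items():
        print(f"{'accept' if ok else 'reject':6}  Host: {h}")
```

Run it to see which of the sample names the standard grammar accepts; to reproduce a 400 from a real server, send the same values with `curl -H "Host: ..."` against the affected Tomcat and compare.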


Re: Strict Host Header validation since Tomcat 7.0.87

Posted by Mark Thomas <ma...@apache.org>.
On 30/05/18 10:00, Sven Buesing wrote:
> Hello everyone,
> Hello Mark,
> 
> @markt: as this change is from you, I've added you in cc. Please let me know if you're fine with this.

No, I am not. Please do not send direct mail to Tomcat committers. If
you have a Tomcat related question, it belongs on the mailing list.

> Since Tomcat 7.0.87 Coyote has added a validation check for Host-Headers.
> The validation seems to expect that a host header is always a FQDN.
> But in common DNS setups, search domains are used, which are automatically appended to a DNS request.
> 
> The search domain, on the other hand, is not appended to the host header of the request. For example, a host header might therefore look like this: "Host: subdomain.host-header".
> The "-" causes the request to be recognized as incorrect and discarded.
> As a result, since the update to Tomcat >8.0.86, certain requests are answered with 400 bad requests.
> 
> This could be a problem in certain setups. Maybe you could change the validation behaviour to also accept common domain names without requiring FQDNs.

https://bz.apache.org/bugzilla/show_bug.cgi?id=62371

Mark
