Posted to dev@tomcat.apache.org by GitBox <gi...@apache.org> on 2020/04/21 11:25:45 UTC

[GitHub] [tomcat] michael-o commented on a change in pull request #277: Filter invalid HTTP 2.0 headers from response

michael-o commented on a change in pull request #277:
URL: https://github.com/apache/tomcat/pull/277#discussion_r412098476



##########
File path: java/org/apache/coyote/Response.java
##########
@@ -435,6 +435,20 @@ private boolean checkSpecialHeader( String name, String value) {
                 return false;
             }
         }
+
+        if (outputBuffer instanceof Http2OutputBuffer && name.equalsIgnoreCase("Connection") ) {
+
+            /*
+             *    Connection headers are invalid in HTTP/2.0, and some clients (like Safari or curl)
+             *    are very touchy about it. Most probably, an application component has added the
+             *    typical HTTP/1.x "Connection: keep-alive" header, but despide the component's
+             *    good intention, the header is faulty in HTTP/2.0 and *should* be refused.
+             * .
+             *    @see https: *tools.ietf.org/html/rfc7540#section-8.1.2.2
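
Review bot: the condition on the `if` line matches only `Connection`, while the RFC 7540 section 8.1.2.2 cited in the comment forbids connection-specific header fields in general. It names `Keep-Alive`, `Proxy-Connection`, `Transfer-Encoding` and `Upgrade` alongside any field nominated by `Connection`, so an application that sets one of those on an HTTP/2 response would still pass this check. Consider comparing `name` against that set of field names instead of the single literal.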

Review comment:
       URL is broken

##########
File path: java/org/apache/coyote/Response.java
##########
@@ -435,6 +435,20 @@ private boolean checkSpecialHeader( String name, String value) {
                 return false;
             }
         }
+
+        if (outputBuffer instanceof Http2OutputBuffer && name.equalsIgnoreCase("Connection") ) {
+
+            /*
+             *    Connection headers are invalid in HTTP/2.0, and some clients (like Safari or curl)

Review comment:
       Please change to HTTP/2. There is no HTTP/2.0.

##########
File path: java/org/apache/coyote/Response.java
##########
@@ -435,6 +435,20 @@ private boolean checkSpecialHeader( String name, String value) {
                 return false;
             }
         }
+
+        if (outputBuffer instanceof Http2OutputBuffer && name.equalsIgnoreCase("Connection") ) {
+
+            /*
+             *    Connection headers are invalid in HTTP/2.0, and some clients (like Safari or curl)
+             *    are very touchy about it. Most probably, an application component has added the
+             *    typical HTTP/1.x "Connection: keep-alive" header, but despide the component's
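
Review bot: `outputBuffer instanceof Http2OutputBuffer` on the `if` line ties the shared `org.apache.coyote.Response` class to one concrete HTTP/2 buffer type, and the filter is skipped without notice if an HTTP/2 response is ever written through a wrapper or a different buffer class. Consider applying the check where the HTTP/2 response headers are prepared for writing, or deciding on the request's protocol rather than on the buffer's class.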

Review comment:
       despite



