Posted to dev@tomcat.apache.org by ma...@apache.org on 2017/09/22 14:06:39 UTC
svn commit: r1809317 - in /tomcat/trunk:
java/org/apache/coyote/http11/AbstractHttp11Protocol.java
java/org/apache/coyote/http11/Http11Processor.java
webapps/docs/changelog.xml webapps/docs/config/http.xml
Author: markt
Date: Fri Sep 22 14:06:39 2017
New Revision: 1809317
URL: http://svn.apache.org/viewvc?rev=1809317&view=rev
Log:
Make host header / request line consistency check configurable since it is a new requirement in RFC 7230
Modified:
tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java
tomcat/trunk/java/org/apache/coyote/http11/Http11Processor.java
tomcat/trunk/webapps/docs/changelog.xml
tomcat/trunk/webapps/docs/config/http.xml
Modified: tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java?rev=1809317&r1=1809316&r2=1809317&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java (original)
+++ tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java Fri Sep 22 14:06:39 2017
@@ -91,6 +91,29 @@ public abstract class AbstractHttp11Prot
// ------------------------------------------------ HTTP specific properties
// ------------------------------------------ managed in the ProtocolHandler
+ private boolean allowHostHeaderMismatch = false;
+ /**
+ * Will Tomcat accept an HTTP 1.1 request where the host header does not
+ * agree with the host specified (if any) in the request line?
+ *
+ * @return {@code true} if Tomcat will allow such requests, otherwise
+ * {@code false}
+ */
+ public boolean getAllowHostHeaderMismatch() {
+ return allowHostHeaderMismatch;
+ }
+ /**
+ * Will Tomcat accept an HTTP 1.1 request where the host header does not
+ * agree with the host specified (if any) in the request line?
+ *
+ * @param allowHostHeaderMismatch {@code true} to allow such requests,
+ * {@code false} to reject them with a 400
+ */
+ public void setAllowHostHeaderMismatch(boolean allowHostHeaderMismatch) {
+ this.allowHostHeaderMismatch = allowHostHeaderMismatch;
+ }
+
+
private boolean rejectIllegalHeaderName = true;
/**
* If an HTTP request is received that contains an illegal header name (i.e.
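Review bot: The field default of `false` and the setter Javadoc (`true` allows mismatched requests) contradict the http.xml text added in this same commit, which says the check is disabled by setting the attribute to `false` and that the default is `true`. The code and the changelog entry agree with each other, so the http.xml wording looks like the side that is wrong. I would state the default next to the field, e.g. `// Default false: a Host header that disagrees with the request line is rejected with a 400 (RFC 7230)`. The setter Javadoc should also say that with `true` the request-line host replaces the Host header, as the Http11Processor hunk does, since that matters to deployments where a front-end proxy routes on the Host header. The hunk ends inside the Javadoc of the following rejectIllegalHeaderName field.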
Modified: tomcat/trunk/java/org/apache/coyote/http11/Http11Processor.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/Http11Processor.java?rev=1809317&r1=1809316&r2=1809317&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http11/Http11Processor.java (original)
+++ tomcat/trunk/java/org/apache/coyote/http11/Http11Processor.java Fri Sep 22 14:06:39 2017
@@ -782,10 +782,22 @@ public class Http11Processor extends Abs
// the Host header
if (!hostValueMB.getByteChunk().equals(
uriB, uriBCStart + pos, slashPos - pos)) {
- response.setStatus(400);
- setErrorState(ErrorState.CLOSE_CLEAN, null);
- if (log.isDebugEnabled()) {
- log.debug(sm.getString("http11processor.request.inconsistentHosts"));
+ if (protocol.getAllowHostHeaderMismatch()) {
+ // The requirements of RFC 2616 are being
+ // applied. If the host header and the request
+ // line do not agree, the request line takes
+ // precedence
+ hostValueMB = headers.setValue("host");
+ hostValueMB.setBytes(uriB, uriBCStart + pos, slashPos - pos);
+ } else {
+ // The requirements of RFC 7230 are being
+ // applied. If the host header and the request
+ // line do not agree, trigger a 400 response.
+ response.setStatus(400);
+ setErrorState(ErrorState.CLOSE_CLEAN, null);
+ if (log.isDebugEnabled()) {
+ log.debug(sm.getString("http11processor.request.inconsistentHosts"));
+ }
}
}
}
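Review bot: The new allow branch overwrites the Host header with the request-line host but logs nothing, while the reject branch still emits the `http11processor.request.inconsistentHosts` debug message. Once `allowHostHeaderMismatch` is enabled, a mismatching request therefore leaves no trace for anyone investigating routing or virtual-host anomalies. I would add a debug log in the allow branch with its own message saying the header was overridden, e.g. `if (log.isDebugEnabled()) { log.debug(sm.getString("<new-message-key>")); }`, where the key is a placeholder for a new string resource. The enclosing method starts and ends outside the hunk, so I cannot tell whether the substituted host is validated later.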
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1809317&r1=1809316&r2=1809317&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Fri Sep 22 14:06:39 2017
@@ -79,7 +79,10 @@
<fix>
Implement the requirements of RFC 7230 that any HTTP/1.1 request that
specifies a host in the request line, must specify the same host in the
- <code>Host</code> header. (markt)
+ <code>Host</code> header and that any such request that does not, must
+ be rejected with a 400 response. This check is optional but enabled by
+ default. It may be disabled with the
+ <code>allowHostHeaderMismatch</code> attribute of the Connector. (markt)
</fix>
<fix>
Implement the requirements of RFC 7230 that any HTTP/1.1 request that
Modified: tomcat/trunk/webapps/docs/config/http.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/http.xml?rev=1809317&r1=1809316&r2=1809317&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/http.xml (original)
+++ tomcat/trunk/webapps/docs/config/http.xml Fri Sep 22 14:06:39 2017
@@ -323,6 +323,13 @@
configured with <code>::</code>.</p>
</attribute>
+ <attribute name="allowHostHeaderMismatch" required="false">
+ <p>By default Tomcat will reject requests that specify a host in the
+ request line but specify a different host in the host header. This
+ chekc can be disabled by setting this attribute to <code>false</code>. If
+ not specified, the default is <code>true</code>.</p>
+ </attribute>
+
<attribute name="allowedTrailerHeaders" required="false">
<p>By default Tomcat will ignore all trailer headers when processing
chunked input. For a header to be processed, it must be added to this