Posted to dev@tomcat.apache.org by ma...@apache.org on 2018/10/05 10:38:52 UTC

svn commit: r1842885 - in /tomcat/tc7.0.x/trunk: java/org/apache/coyote/AbstractProcessor.java java/org/apache/coyote/ajp/AbstractAjpProcessor.java java/org/apache/coyote/http11/AbstractHttp11Processor.java webapps/docs/changelog.xml

Author: markt
Date: Fri Oct  5 10:38:52 2018
New Revision: 1842885

URL: http://svn.apache.org/viewvc?rev=1842885&view=rev
Log:
Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=62739
Do not reject requests with an empty HTTP Host header. Such requests are unusual but not invalid.
Patch provided by Michael Orr.
This closes #124.

Modified:
    tomcat/tc7.0.x/trunk/java/org/apache/coyote/AbstractProcessor.java
    tomcat/tc7.0.x/trunk/java/org/apache/coyote/ajp/AbstractAjpProcessor.java
    tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/AbstractHttp11Processor.java
    tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml

Modified: tomcat/tc7.0.x/trunk/java/org/apache/coyote/AbstractProcessor.java
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/coyote/AbstractProcessor.java?rev=1842885&r1=1842884&r2=1842885&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/coyote/AbstractProcessor.java (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/coyote/AbstractProcessor.java Fri Oct  5 10:38:52 2018
@@ -203,6 +203,12 @@ public abstract class AbstractProcessor<
     protected void parseHost(MessageBytes valueMB) {
         if (valueMB == null || valueMB.isNull()) {
             populateHost();
+            populatePort();
+            return;
+        } else if (valueMB.getLength() == 0) {
+            // Empty Host header so set sever name to empty string
+            request.serverName().setString("");
+            populatePort();
             return;
         }
 
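Review bot: The comment on the new empty-header branch has a typo ("sever name") and does not say what downstream code should expect. After this branch `request.serverName()` holds the empty string, so anything that reads the server name to select a virtual host, build an absolute redirect or make a host-based access decision now sees `""` for these requests. Presumably the Mapper still falls back to the default host, but that is not visible in this hunk. I would reword the comment to `// Empty Host header (valid, see BZ 62739): set server name to the empty string; consumers must treat "" as "no host supplied"`. parseHost's body continues outside the hunk.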
@@ -266,9 +272,9 @@ public abstract class AbstractProcessor<
 
 
     /**
-     * Called when a host name is not present in the request (e.g. HTTP/1.0).
-     * It populates the server name and port with appropriate information. The
-     * source is expected to vary by protocol.
+     * Called when a host header is not present in the request (e.g. HTTP/1.0).
+     * It populates the server name with appropriate information. The source is
+     * expected to vary by protocol.
      * <p>
      * The default implementation is a NO-OP.
      */
@@ -276,6 +282,18 @@ public abstract class AbstractProcessor<
         // NO-OP
     }
 
+
+    /**
+     * Called when a host header is not present or is empty in the request (e.g.
+     * HTTP/1.0). It populates the server port with appropriate information. The
+     * source is expected to vary by protocol.
+     * <p>
+     * The default implementation is a NO-OP.
+     */
+    protected void populatePort() {
+        // NO-OP
+    }
+
 
     @Override
     public abstract boolean isUpgrade();
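Review bot: The Javadoc on the new `populatePort()` hook does not tell subclass authors that `parseHost()` now calls it without `populateHost()` when the Host header is empty. A processor outside this commit that still sets the port inside its `populateHost()` override would inherit this NO-OP and, presumably, leave the server port unset for such requests. I would add a sentence such as `Subclasses that previously set the port in populateHost() must override this method as well.` and an `@see #populateHost()` tag. The "(e.g. HTTP/1.0)" example also only illustrates the missing-header case, not the empty-header one.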

Modified: tomcat/tc7.0.x/trunk/java/org/apache/coyote/ajp/AbstractAjpProcessor.java
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/coyote/ajp/AbstractAjpProcessor.java?rev=1842885&r1=1842884&r2=1842885&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/coyote/ajp/AbstractAjpProcessor.java (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/coyote/ajp/AbstractAjpProcessor.java Fri Oct  5 10:38:52 2018
@@ -985,13 +985,11 @@ public abstract class AbstractAjpProcess
     /**
      * {@inheritDoc}
      * <p>
-     * This implementation populates the server name and port from the local
-     * name and port provided by the AJP message.
+     * This implementation populates the server name from the local name
+     * provided by the AJP message.
      */
     @Override
     protected void populateHost() {
-        // No host information (HTTP/1.0)
-        request.setServerPort(request.getLocalPort());
         try {
             request.serverName().duplicate(request.localName());
         } catch (IOException e) {
@@ -1001,6 +999,19 @@ public abstract class AbstractAjpProcess
     }
 
 
+    /**
+     * {@inheritDoc}
+     * <p>
+     * This implementation populates the server port from the local port
+     * provided by the AJP message.
+     */
+    @Override
+    protected void populatePort() {
+        // No host information (HTTP/1.0)
+        request.setServerPort(request.getLocalPort());
+    }
+
+
     /**
      * When committing the response, we have to validate the set of headers, as
      * well as setup the response filters.
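Review bot: The inline comment `// No host information (HTTP/1.0)` carried over into `populatePort()` is now stale. `parseHost()` also calls this method for a present-but-empty Host header, which is not an HTTP/1.0-only situation. I would change it to `// Host header absent or empty: use the local port supplied in the AJP message`, so a reader does not assume the branch is unreachable for HTTP/1.1 traffic.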

Modified: tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/AbstractHttp11Processor.java
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/AbstractHttp11Processor.java?rev=1842885&r1=1842884&r2=1842885&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/AbstractHttp11Processor.java (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/AbstractHttp11Processor.java Fri Oct  5 10:38:52 2018
@@ -1739,21 +1739,24 @@ public abstract class AbstractHttp11Proc
 
     protected abstract boolean prepareSendfile(OutputFilter[] outputFilters);
 
+
+    /*
+     * Note: populateHost() is not over-ridden.
+     *       request.serverName() will be set to return the default host name by
+     *       the Mapper.
+     */
+
+
     /**
      * {@inheritDoc}
      * <p>
-     * This implementation provides the server name from the default host and
-     * the server port from the local port.
+     * This implementation provides the server port from the local port.
      */
     @Override
-    protected void populateHost() {
-        // No host information (HTTP/1.0)
+    protected void populatePort() {
         // Ensure the local port field is populated before using it.
         request.action(ActionCode.REQ_LOCALPORT_ATTRIBUTE, request);
         request.setServerPort(request.getLocalPort());
-
-        // request.serverName() will be set to the default host name by the
-        // mapper
     }
 
 
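Review bot: The free-standing note added above `populatePort()` describes only the missing-header case. For an empty Host header, `parseHost()` in AbstractProcessor sets the server name to `""` explicitly and only `populatePort()` runs, so whether the Mapper still substitutes the default host name is not visible in this diff. I would extend the note with `For an empty Host header the server name is the empty string, set in parseHost().` and spell "over-ridden" as "overridden". Keeping that distinction in the comment matters to anyone auditing code that trusts `getServerName()`.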

Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1842885&r1=1842884&r2=1842885&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Fri Oct  5 10:38:52 2018
@@ -71,6 +71,15 @@
       </fix>
     </changelog>
   </subsection>
+  <subsection name="Coyote">
+    <changelog>
+      <fix>
+        <bug>62739</bug>: Do not reject requests with an empty HTTP Host header.
+        Such requests are unusual but not invalid. Patch provided by Michael
+        Orr. (markt)
+      </fix>
+    </changelog>
+  </subsection>
   <subsection name="Jasper">
     <changelog>
       <fix>


