Posted to dev@tomcat.apache.org by ma...@apache.org on 2021/04/28 16:29:23 UTC
[tomcat] 01/02: Reject invalid HTTP protocols with 400 rather than
505
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit e5468e2a44448d3a90b3fb831bd83b156b32736f
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Wed Apr 28 17:21:13 2021 +0100
Reject invalid HTTP protocols with 400 rather than 505
---
java/org/apache/coyote/http11/Http11InputBuffer.java | 2 +-
test/org/apache/coyote/http11/TestHttp11InputBufferCRLF.java | 7 +++++++
webapps/docs/changelog.xml | 9 +++++++++
3 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/java/org/apache/coyote/http11/Http11InputBuffer.java b/java/org/apache/coyote/http11/Http11InputBuffer.java
index e3ace89..e6255dd 100644
--- a/java/org/apache/coyote/http11/Http11InputBuffer.java
+++ b/java/org/apache/coyote/http11/Http11InputBuffer.java
@@ -554,7 +554,7 @@ public class Http11InputBuffer implements InputBuffer, ApplicationBufferHandler
} else if (prevChr == Constants.CR && chr == Constants.LF) {
end = pos - 1;
parsingRequestLineEol = true;
- } else if (!HttpParser.isHttpProtocol(chr)) {
+ } else if (prevChr == Constants.CR || !HttpParser.isHttpProtocol(chr)) {
String invalidProtocol = parseInvalid(parsingRequestLineStart, byteBuffer);
throw new IllegalArgumentException(sm.getString("iib.invalidHttpProtocol", invalidProtocol));
}
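Review bot: The added `prevChr == Constants.CR` test on the second visible `else if` rejects a CR followed by a non-LF byte only if that byte reaches this branch, and the branch ahead of the first visible `else if` lies outside the hunk. If that earlier branch accepts every CR without looking at `prevChr` (inferred, not shown here), two CRs in a row followed by LF would still end the line, and `end = pos - 1` would leave a CR inside the protocol span instead of producing the 400 this commit aims for. Worth checking against the full loop; if it holds, the CR branch could itself reject when `prevChr == Constants.CR`, and a matching case in TestHttp11InputBufferCRLF would pin the behaviour. The new condition also deserves a one-line comment such as `// CR not followed by LF is not a line terminator, so the protocol is invalid`. Consistent line-terminator handling matters here because parsers that disagree on where the request line ends are a known source of request-desync problems.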
diff --git a/test/org/apache/coyote/http11/TestHttp11InputBufferCRLF.java b/test/org/apache/coyote/http11/TestHttp11InputBufferCRLF.java
index 829912b..a953031 100644
--- a/test/org/apache/coyote/http11/TestHttp11InputBufferCRLF.java
+++ b/test/org/apache/coyote/http11/TestHttp11InputBufferCRLF.java
@@ -74,6 +74,13 @@ public class TestHttp11InputBufferCRLF extends TomcatBaseTest {
CRLF,
Boolean.FALSE, parameterSets);
+ // Standard HTTP/1.1 request with invalid HTTP protocol
+ addRequestWithSplits("GET /test HTTP/" + CR + "1.1" + CRLF +
+ "Host: localhost:8080" + CRLF +
+ "Connection: close" + CRLF +
+ CRLF,
+ Boolean.FALSE, Boolean.FALSE, parameterSets);
+
// Invalid HTTP/1.1 request
addRequestWithSplits("GET /te<st HTTP/1.1" + CRLF +
"Host: localhost:8080" + CRLF +
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index ad8924b..bc51e67 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -131,6 +131,15 @@
</fix>
</changelog>
</subsection>
+ <subsection name="Coyote">
+ <changelog>
+ <fix>
+ Ensure that all HTTP requests that contain an invalid character in the
+ protocol component of the request line are rejected with a 400 response
+ rather than some requests being rejected with a 505 response. (markt)
+ </fix>
+ </changelog>
+ </subsection>
<subsection name="Jasper">
<changelog>
<scode>