Posted to dev@tomcat.apache.org by ma...@apache.org on 2017/11/20 11:32:55 UTC

svn commit: r1815791 - in /tomcat/trunk/java/org/apache/coyote/http11: Http11Processor.java LocalStrings.properties

Author: markt
Date: Mon Nov 20 11:32:54 2017
New Revision: 1815791

URL: http://svn.apache.org/viewvc?rev=1815791&view=rev
Log:
Enable host name validation for HTTP requests.
Note: This only logs failures. It does not (yet) trigger a 400 response.

Modified:
    tomcat/trunk/java/org/apache/coyote/http11/Http11Processor.java
    tomcat/trunk/java/org/apache/coyote/http11/LocalStrings.properties

Modified: tomcat/trunk/java/org/apache/coyote/http11/Http11Processor.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/Http11Processor.java?rev=1815791&r1=1815790&r2=1815791&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http11/Http11Processor.java (original)
+++ tomcat/trunk/java/org/apache/coyote/http11/Http11Processor.java Mon Nov 20 11:32:54 2017
@@ -52,6 +52,7 @@ import org.apache.tomcat.util.buf.HexUti
 import org.apache.tomcat.util.buf.MessageBytes;
 import org.apache.tomcat.util.http.FastHttpDateFormat;
 import org.apache.tomcat.util.http.MimeHeaders;
+import org.apache.tomcat.util.http.parser.Host;
 import org.apache.tomcat.util.log.UserDataHelper;
 import org.apache.tomcat.util.net.AbstractEndpoint.Handler.SocketState;
 import org.apache.tomcat.util.net.SSLSupport;
@@ -1102,6 +1103,32 @@ public class Http11Processor extends Abs
             hostNameC = new char[valueL];
         }
 
+        // TODO
+        // To minimise breakage to existing systems, just report any errors. In
+        // a future release this will switch to returning a 400 response.
+        // Depending on user feedback, the 400 response may be made optional.
+        try {
+            Host.parse(valueMB);
+        } catch (IOException | IllegalArgumentException e) {
+            // IOException should never happen
+            // IllegalArgumentException indicates that the host name is invalid
+            UserDataHelper.Mode logMode = userDataHelper.getNextMode();
+            if (logMode != null) {
+                String message = sm.getString("http11processor.host.parse",
+                        valueMB.toString(), e.getMessage());
+                switch (logMode) {
+                    case INFO_THEN_DEBUG:
+                        message += sm.getString("http11processor.fallToDebug");
+                        //$FALL-THROUGH$
+                    case INFO:
+                        log.info(message, e);
+                        break;
+                    case DEBUG:
+                        log.debug(message, e);
+                }
+            }
+        }
+
         boolean ipv6 = (valueB[valueS] == '[');
         boolean bracketClosed = false;
         for (int i = 0; i < valueL; i++) {
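Review bot: The catch block puts the client-supplied Host value into the log message verbatim via `valueMB.toString()`, so whatever bytes the header parser accepted end up in the INFO/DEBUG log line (rendered through `{0}` of `http11processor.host.parse`). The rate limiting from `userDataHelper.getNextMode()` bounds how often this is logged but not what is logged; I would add a comment such as `// valueMB is untrusted request data and is logged as received` and, unless the logging setup already neutralises control characters, escape or truncate the value before handing it to `sm.getString`. Passing `e` to `log.info`/`log.debug` also attaches a stack trace to what is an expected validation failure on remote input, which looks like more than is needed at INFO. The enclosing method starts and ends outside this hunk.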

Modified: tomcat/trunk/java/org/apache/coyote/http11/LocalStrings.properties
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/LocalStrings.properties?rev=1815791&r1=1815790&r2=1815791&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http11/LocalStrings.properties (original)
+++ tomcat/trunk/java/org/apache/coyote/http11/LocalStrings.properties Mon Nov 20 11:32:54 2017
@@ -17,8 +17,9 @@ abstractHttp11Protocol.alpnConfigured=Th
 abstractHttp11Protocol.alpnWithNoAlpn=The upgrade handler [{0}] for [{1}] only supports upgrade via ALPN but has been configured for the [{2}] connector that does not support ALPN.
 abstractHttp11Protocol.httpUpgradeConfigured=The [{0}] connector has been configured to support HTTP upgrade to [{1}]
 
-http11processor.fallToDebug=\n Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.
+http11processor.fallToDebug=\n Note: further occurrences of HTTP request parsing errors will be logged at DEBUG level.
 http11processor.header.parse=Error parsing HTTP request header
+http11processor.host.parse=The host header [{0}] failed validation with the error [{1}]. Processing of the request will continue but Tomcat will reject these requests with a 400 response in a future release.
 http11processor.neverused=This method should never be used
 http11processor.request.inconsistentHosts=The host specified in the request line is not consistent with the host header
 http11processor.request.multipleHosts=The request contained multiple host headers


