On 21 March 2017 14:14:19 GMT+00:00, Christopher Schultz 
<ch...@christopherschultz.net> wrote:
>Mark,
>
>On 3/19/17 4:55 PM, Mark Thomas wrote:
>> Hi,
>> 
>> r1787662 adds Host header validation along with a fair number of
>> unit tests.
>> 
>> It includes a performance test which indicates - on my machine at
>> least - that the performance impact is in the noise. I'd like to
>> see better performance for full IPv6 addresses but the current code
>> looks to be acceptable.
>> 
>> The validation is not yet integrated into the request processing.
>> My primary reason for not integrating it is that it will trigger a
>> 400 response if the header is invalid and I don't want to
>> incorrectly reject valid headers. Therefore I have a request.
>> Please try and break these new parsers. Please commit any values
>> you test with.
>> 
>> Once we are happy with the quality of these parsers, I'll integrate
>> them into the request processing.
>
>How about an option to disable the validity-checking, in case someone
>in the field finds a case they need to support, or if they don't care
>about hostname-checking and want their "performance back"?

I'm not too concerned about performance. The checks are at most 1% of the 
current processing time for a trivial servlet accessed over localhost. For real 
use cases it will be less.

Some form of transition could work (eg log only) but I'm reluctant to add an 
option that effectively bypasses spec compliance.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
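The grammar the thread's parser targets, as an added example that is not Tomcat's code (Tomcat is Java; this is a stand-alone Python illustration): it splits Host = uri-host [ ":" port ] per RFC 7230 section 5.4 and checks uri-host against the RFC 3986 section 3.2.2 productions (IP-literal, IPv4address, reg-name), then runs a constructed list of probe values of the kind Mark asks people to commit. The `mode` switch in `check_request` is a hypothetical stand-in for the log-only transition mentioned in the reply, not a Tomcat option.

```python
"""Host header validator following RFC 7230 section 5.4 and RFC 3986 3.2.2.
Illustration only; not the Tomcat parser from r1787662."""
import ipaddress
import logging
import re

log = logging.getLogger("host-check")

_UNRESERVED = r"A-Za-z0-9\-._~"
_SUB_DELIMS = r"!$&'()*+,;="
# reg-name = *( unreserved / pct-encoded / sub-delims )
_REG_NAME = re.compile(rf"^(?:[{_UNRESERVED}{_SUB_DELIMS}]|%[0-9A-Fa-f]{{2}})*$")
# IPv4address = dec-octet "." dec-octet "." dec-octet "." dec-octet
_DEC_OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])"
_IPV4 = re.compile(rf"^{_DEC_OCTET}(?:\.{_DEC_OCTET}){{3}}$")
# IPvFuture = "v" 1*HEXDIG "." 1*( unreserved / sub-delims / ":" )
_IPVFUTURE = re.compile(rf"^v[0-9A-Fa-f]+\.[{_UNRESERVED}{_SUB_DELIMS}:]+$")
_PORT = re.compile(r"^[0-9]*$")  # port = *DIGIT, so an empty port is legal


def _classify_host(uri_host):
    """Return the grammar production uri_host matches, or None."""
    if uri_host.startswith("[") and uri_host.endswith("]"):
        literal = uri_host[1:-1]
        if _IPVFUTURE.match(literal):
            return "IPvFuture"
        # RFC 3986 IPv6address has no zone id, so "%" inside the brackets
        # is rejected here instead of being handed to ipaddress.
        if "%" in literal:
            return None
        try:
            ipaddress.IPv6Address(literal)
        except ValueError:
            return None
        return "IPv6address"
    if _IPV4.match(uri_host):
        return "IPv4address"
    if _REG_NAME.match(uri_host):
        return "reg-name"  # includes the empty host, which the grammar allows
    return None


def validate_host(value):
    """Split a Host value into (uri_host, port, kind); raise ValueError if
    it does not match the grammar. Callers decide 400 versus log-only."""
    if value.startswith("["):
        end = value.find("]")
        if end < 0:
            raise ValueError("unterminated IP-literal")
        uri_host, rest = value[:end + 1], value[end + 1:]
    else:
        # reg-name and IPv4address cannot contain ":", so the first colon
        # starts the port; a second colon means unbracketed IPv6.
        uri_host, sep, tail = value.partition(":")
        rest = sep + tail
    if rest == "":
        port = None
    elif rest.startswith(":") and _PORT.match(rest[1:]):
        port = rest[1:]
    else:
        raise ValueError("invalid port or trailing data %r" % rest)
    kind = _classify_host(uri_host)
    if kind is None:
        raise ValueError("invalid uri-host %r" % uri_host)
    return uri_host, port, kind


def check_request(host_header, mode="reject"):
    """Hypothetical integration: 'reject' answers 400 on a bad header,
    'log' records it and lets the request through (the transition mode
    discussed in the thread). Returns the resulting status code."""
    try:
        validate_host(host_header)
        return 200
    except ValueError as exc:
        if mode == "log":
            log.warning("invalid Host header %r: %s", host_header, exc)
            return 200
        return 400


# Constructed probe values (not from the Tomcat test suite): Host value
# and whether the RFC grammar accepts it.
PROBES = [
    ("example.com", True), ("example.com:8080", True),
    ("example.com:", True),            # empty port is permitted by *DIGIT
    ("", True),                         # reg-name may be empty
    ("192.0.2.1:443", True), ("[2001:db8::1]:8443", True),
    ("[::ffff:192.0.2.1]", True), ("[v1.fe80::a+en1]", True),
    ("xn--bcher-kva.example", True), ("a%20b", True),
    ("2001:db8::1", False),             # IPv6 must be bracketed
    ("[2001:db8::1", False), ("[2001:db8::1]x", False),
    ("example.com:80a", False), ("exa mple.com", False),
    ("a%2", False),                     # truncated pct-encoded
    ("[fe80::1%25eth0]", False),        # RFC 6874 zone id, not RFC 3986
    ("example.com/", False), ("user@example.com", False),
]


def run_probes(probes=PROBES):
    """Return the probe values whose outcome disagrees with expectation."""
    mismatches = []
    for value, expected in probes:
        try:
            validate_host(value)
            accepted = True
        except ValueError:
            accepted = False
        if accepted != expected:
            mismatches.append(value)
    return mismatches


if __name__ == "__main__":
    for value, _ in PROBES:
        print(repr(value), "->", check_request(value))
    print("mismatches:", run_probes())
```

Two grammar consequences worth knowing before wiring a validator like this to a 400: reg-name is a syntactic superset of IPv4address, so "999.1.1.1" is accepted as a reg-name rather than rejected as a bad IPv4 address, and both the empty host and the empty port are valid per the ABNF; rejecting those is a policy choice, not spec compliance.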