2017-03-21 18:01 GMT+03:00 Mark Thomas <ma...@apache.org>:
> On 21 March 2017 14:14:19 GMT+00:00, Christopher Schultz
> <ch...@christopherschultz.net> wrote:
>>
>>How about an option to disable the validity-checking, in case someone
>>in the field finds a case they need to support, or if they don't care
>>about hostname-checking and want their "performance back"?
>
> I'm not too concerned about performance. The checks are at most 1% of the
> current processing time for a trivial servlet accessed over localhost. For
> real use cases it will be less.
>
> Some form of transition could work (eg log only) but I'm reluctant to add an
> option that effectively bypasses spec compliance.

This needs a definition of "spec". I am afraid that DNS spec may evolve
over time.

1) https://tools.ietf.org/html/rfc7230
RFC 7230  HTTP/1.1 Message Syntax and Routing  June 2014

    Host = uri-host [ ":" port ] ; Section 2.7.1
    uri-host = <host, see [RFC3986], Section 3.2.2>

2) https://tools.ietf.org/html/rfc3986
RFC 3986  URI Generic Syntax  January 2005
Updated by: 6874, 7320

    host = IP-literal / IPv4address / reg-name
    IP-literal = "[" ( IPv6address / IPvFuture ) "]"

but RFC 6874 updates the syntax and changes "IP-literal" into

    IP-literal = "[" ( IPv6address / IPv6addrz / IPvFuture ) "]"
    ZoneID = 1*( unreserved / pct-encoded )
    IPv6addrz = IPv6address "%25" ZoneID

    reg-name = *( unreserved / pct-encoded / sub-delims )
    pct-encoded = "%" HEXDIG HEXDIG

DomainParseState in r1787662 is more strict and I see no support for
pct-encoded characters there.

IPv6addrz is not supported (I mentioned in my previous e-mail, and
above is the formal syntax for it)

IPvFuture address - I think it is too early to implement it, but it
can be a reason to have a flag to turn off this check,

An example of IPvFuture address with HTTPd, and its response (400):
https://bz.apache.org/bugzilla/show_bug.cgi?id=55362

So apparently Apache HTTP Server already has some validation of Host header.

Best regards,
Konstantin Kolinko
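
The grammar quoted in the message above, as an added example that is not part of the original e-mail and is not Tomcat code: a small Python classifier that reports which RFC 3986 / RFC 6874 production a Host value matches, so the forms a stricter parser would reject (pct-encoded reg-name, IPv6addrz, IPvFuture) can be enumerated in a regression test. The names `classify_host` and `is_ipv6` are hypothetical, the sample values are constructed, and Python's `ipaddress` module stands in for a transcription of the `IPv6address` ABNF.

```python
# Added example: names are hypothetical, sample values are constructed.
import ipaddress
import re

UNRESERVED = r"A-Za-z0-9\-._~"
SUB_DELIMS = r"!$&'()*+,;="
PCT = r"%[0-9A-Fa-f]{2}"
REG_NAME = re.compile(rf"(?:[{UNRESERVED}{SUB_DELIMS}]|{PCT})*")
ZONE_ID = re.compile(rf"(?:[{UNRESERVED}]|{PCT})+")
IPVFUTURE = re.compile(rf"[vV][0-9A-Fa-f]+\.[{UNRESERVED}{SUB_DELIMS}:]+")
OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])"
IPV4 = re.compile(rf"{OCTET}(?:\.{OCTET}){{3}}")


def is_ipv6(text):
    # ipaddress stands in for the IPv6address ABNF. Python 3.9+ also accepts
    # a raw "%zone" suffix, which the URI grammar does not, so reject "%".
    if "%" in text:
        return False
    try:
        ipaddress.IPv6Address(text)
    except ValueError:
        return False
    return True


def classify_host(value):
    """Return the grammar production the Host value matches, or None."""
    if value.startswith("["):
        literal, close, rest = value[1:].partition("]")
        if not close or not re.fullmatch(r"(?::[0-9]*)?", rest):
            return None
        addr, marker, zone = literal.partition("%25")
        if marker:  # RFC 6874: IPv6address "%25" ZoneID
            ok = is_ipv6(addr) and ZONE_ID.fullmatch(zone)
            return "IPv6addrz" if ok else None
        if is_ipv6(literal):
            return "IPv6address"
        return "IPvFuture" if IPVFUTURE.fullmatch(literal) else None
    m = re.fullmatch(r"([^:]*)(?::[0-9]*)?", value)
    if not m:
        return None
    host = m.group(1)
    if IPV4.fullmatch(host):
        return "IPv4address"
    if REG_NAME.fullmatch(host):
        return "reg-name with pct-encoded" if "%" in host else "reg-name"
    return None


if __name__ == "__main__":
    for sample in ("ex%41mple.org", "[fe80::1%25eth0]", "[v7.abc:1]:80"):
        print(sample, "->", classify_host(sample))
```

A value such as `256.1.1.1` is not an `IPv4address` under this grammar but still matches `reg-name`, which is one reason a validator stricter than the RFC text needs its own stated definition of valid.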