On Tue, Mar 28, 2017 at 5:45 PM, Mark Thomas <ma...@apache.org> wrote:
> On 28/03/17 15:23, Katya Todorova wrote:
> > Hi,
> >
> >> r1787662 adds Host header validation along with a fair number of unit tests.
> >> It includes a performance test which indicates - on my machine at least
> >> - that the performance impact is in the noise. I'd like to see better
> >> performance for full IPv6 addresses but the current code looks to be
> >> acceptable.
> >> The validation is not yet integrated into the request processing. My
> >> primary reason for not integrating it is that it will trigger a 400
> >> response if the header is invalid and I don't want to incorrectly reject
> >> valid headers. Therefore I have a request. Please try and break these
> >> new parsers.
> >
> > I’ve looked at the new http host parsers and tried some test data.
> > Most of the test cases have already been covered but still several
> > issues popped up:
>
> Thanks for the additional test cases. This is exactly the sort of
> feedback I was looking for.
>
> Would you like to get more involved in Tomcat development? If so,
> turning these into a patch for the unit tests could be a good place to
> start. You'll need to mark the tests with @Ignore for now until the
> underlying bugs are fixed. For bonus points, fix the bugs in the parser
> so the tests pass.
>
> Mark
>
> > - IPv6 addresses containing ::: are considered valid while they should
> > not be - e.g. [:::2222:3333:4444:5555:6666:7777:8888]
> >
> > (except when “:::” are located at the end, in that case the host is
> > rejected as invalid)
> >
> > - IPv4 part of IPv6 addresses should not contain leading zeros
> > according to the following part of the specification:
> >
> > IPv4address = dec-octet "." dec-octet "." dec-octet "." dec-octet
> >
> > dec-octet   = DIGIT                 ; 0-9
> >             / %x31-39 DIGIT         ; 10-99
> >             / "1" 2DIGIT            ; 100-199
> >             / "2" %x30-34 DIGIT     ; 200-249
> >             / "25" %x30-35          ; 250-255
> >
> > However, whether leading zeros are permitted or not seems to be a
> > matter of a recommendation rather than a strict rule. This may lead
> > to ambiguity since many sources over the internet consider 01.02.03.04
> > as valid but [::01.02.03.04] as invalid.
> >
> > - IPv6 Host containing any symbol other than : after ] is considered
> > valid though these trailing symbols after the ] are ignored
> >
> > e.g. [::1]’, [::1] a
> >
> > - It seems that compression just before the IPv4 part is not handled correctly.
> >
> > This one is considered invalid but should be valid [a:b:c:d:e::1.2.3.4]
> >
> > Most of the test data has been taken from here:
> >
> > [1] http://home.deds.nl/~aeron/regex/invalid_ipv6.txt
> > [2] http://home.deds.nl/~aeron/regex/valid_ipv6.txt
> >
> >> Please commit any values you test with.
> >
> >> Once we are happy with the quality of these parsers, I'll integrate them
> >> into the request processing.
> >> Mark
> >
> > Kind regards,
> >
> > Katya
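The four cases reported in the quoted message, checked against the RFC 3986 IP-literal grammar. This is an added example, not part of the thread and not Tomcat's parser: the class and method names are hypothetical, and it covers only bracketed IPv6 hosts with an optional port (no IPvFuture, no zone IDs). It takes the strict reading of dec-octet, so leading zeros in the IPv4 part are rejected.

```java
import java.util.regex.Pattern;

// Added illustration, not Tomcat code: class and method names are hypothetical.
public class HostLiteralCheck {
    // dec-octet from the ABNF quoted in the thread: no leading zeros.
    private static final String OCTET = "(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])";
    private static final Pattern IPV4 = Pattern.compile(OCTET + "(\\." + OCTET + "){3}");
    private static final Pattern H16 = Pattern.compile("[0-9A-Fa-f]{1,4}");
    private static final Pattern PORT = Pattern.compile("(:[0-9]*)?");

    // Counts 16-bit units in a colon-separated run; -1 if any piece is malformed.
    private static int units(String run, boolean allowIpv4Tail) {
        if (run.isEmpty()) return 0;
        String[] pieces = run.split(":", -1);
        int n = 0;
        for (int i = 0; i < pieces.length; i++) {
            if (H16.matcher(pieces[i]).matches()) n += 1;
            else if (allowIpv4Tail && i == pieces.length - 1
                    && IPV4.matcher(pieces[i]).matches()) n += 2; // IPv4 tail = 32 bits
            else return -1;
        }
        return n;
    }

    public static boolean isValidIpv6Host(String host) {
        int close = host.indexOf(']');
        if (!host.startsWith("[") || close < 0) return false;
        // Anything after ']' must be an optional ":port", never silently ignored.
        if (!PORT.matcher(host.substring(close + 1)).matches()) return false;
        String addr = host.substring(1, close);
        int dc = addr.indexOf("::");
        // A second "::" (which includes ":::") is never legal, wherever it sits.
        if (dc != addr.lastIndexOf("::")) return false;
        if (dc < 0) return units(addr, true) == 8;
        int left = units(addr.substring(0, dc), false);
        int right = units(addr.substring(dc + 2), true);
        // "::" stands for at least one zero group, so at most 7 units remain.
        return left >= 0 && right >= 0 && left + right <= 7;
    }

    public static void main(String[] args) {
        // Values from the thread, plus one constructed host with a port; \u2019 is the ’ character.
        String[] samples = { "[:::2222:3333:4444:5555:6666:7777:8888]", "[::01.02.03.04]",
            "[::1]\u2019", "[::1] a", "[a:b:c:d:e::1.2.3.4]", "[::1]:8080" };
        for (String s : samples) System.out.println(s + " -> " + isValidIpv6Host(s));
    }
}
```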