Re: Host header validation

Wed, 05 Apr 2017 05:57:23 -0700 

On 05/04/2017 07:50, Katya Todorova wrote:


Applied. Many thanks.

If you'd like to work on this further then can I suggest you take a look
at Konstantin's comments:

http://markmail.org/message/vp5voob7elspflax



I looked at the comments and it seems there are things to be clarified
before going in this direction:
- should we introduce a flag for turn on/off validation and in which cases



Currently, the validation isn't used at the point where the header is 
parsed.



I'd prefer not to add an option to disable this check. It just seems 
like the wrong thing to do.



I'm currently thinking that we could add the validation and log failures 
(rather than return a 400 response) warning that a future release will 
start rejecting the requests. That should prompt users to contact us 
with any false positives.



- zone id support in IPv6 addresses



- IPvFuture support (for this one Konstantin has already proposed to be
postponed for a while)



Looking at the spec, I think we can parse IPvFuture now. We should 
probably log any IPvFuture values with a request to report the use case 
to us so we can update the parser to handle specific instances rather 
tan the general case.



If you think this is the right time to work on the first two, let me know
and I can prepare a patch.



I think that would be great. BUT. That isn't my decision to make. One of 
the key principles of the Apache Way is that contributors choose what 
they want to work on. There isn't a project leader or a management team 
assigning tasks. If you want to work on this then absolutely, go ahead. 
If there is some other aspect you'd rather be working on then by all 
means work on that.



The Tomcat community is always willing to provide some pointers to 
suitable tasks where people new to Tomcat can get started but that 
shouldn't be see as assigning areas to work on.



Other possibilities are:


- performance improvements for the Host header validation

- improving code coverage generally for any of the HTTP parsing code

- any that attracts your interest



I'm looking at the code coverage and will take a look at host validation
performance.



Fantastic. (With the caveat of you'd rather do something else then that 
would be fantastic too.)


Kind regards,

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

























					Reply via email to