On 11/12/2023 17:20, Mark Thomas wrote:
On 11/12/2023 17:08, David Cleary wrote:
Just want to check if this is by design. The above property default
was changed to better secure the default configuration. We started
having some tests fail due to this.
In our scenario ( as shown below ), the Host header value in the HTTP
request is case-sensitive difference compared to the Request Line, and
it's crucial that Tomcat, our web server, does not block or reject
requests based on variations in the letter case within this header.
Request Line: GET http://HZN-OE-A079:8080 HTTP/1.1
Host header: hzn-oe-a079:8080
Just want to confirm that this property, now with a default of false,
is supposed to reject requests based on the case of the host name.
David,
Host names are case insensitive so I can see the argument for making
this comparison in a case insensitive manner.
However, the language in RFC 9112, section 3.2 is:
A client MUST send a Host header field (Section 7.2 of [HTTP]) in all
HTTP/1.1 request messages. If the target URI includes an authority
component, then a client MUST send a field value for Host that is
identical to that authority component, excluding any userinfo
subcomponent and its "@" delimiter (Section 4.2 of [HTTP]).
The key word for me in the above is identical.
We probably need to go back to the HTTP working group and clarify
whether then intention was for that "identical" to be in a case
sensitive or insensitive manner.
https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0247.html
Based on that discussion, I am going to relax the check to case insensitive.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
