Author: markt Date: Mon Nov 20 11:32:54 2017 New Revision: 1815791 URL: http://svn.apache.org/viewvc?rev=1815791&view=rev Log: Enable host name validation for HTTP requests. Note: This only logs failures. It does not (yet) trigger a 400 response.
Modified:
tomcat/trunk/java/org/apache/coyote/http11/Http11Processor.java
tomcat/trunk/java/org/apache/coyote/http11/LocalStrings.properties
Modified: tomcat/trunk/java/org/apache/coyote/http11/Http11Processor.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/Http11Processor.java?rev=1815791&r1=1815790&r2=1815791&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http11/Http11Processor.java (original)
+++ tomcat/trunk/java/org/apache/coyote/http11/Http11Processor.java Mon Nov 20 11:32:54 2017
@@ -52,6 +52,7 @@ import org.apache.tomcat.util.buf.HexUti
 import org.apache.tomcat.util.buf.MessageBytes;
 import org.apache.tomcat.util.http.FastHttpDateFormat;
 import org.apache.tomcat.util.http.MimeHeaders;
+import org.apache.tomcat.util.http.parser.Host;
 import org.apache.tomcat.util.log.UserDataHelper;
 import org.apache.tomcat.util.net.AbstractEndpoint.Handler.SocketState;
 import org.apache.tomcat.util.net.SSLSupport;
@@ -1102,6 +1103,32 @@ public class Http11Processor extends Abs
 hostNameC = new char[valueL];
 }
 
+ // TODO
+ // To minimise breakage to existing systems, just report any errors. In
+ // a future release this will switch to returning a 400 response.
+ // Depending on user feedback, the 400 response may be made optional.
+ try {
+ Host.parse(valueMB);
+ } catch (IOException | IllegalArgumentException e) {
+ // IOException should never happen
+ // IllegalArgumentException indicates that the host name is invalid
+ UserDataHelper.Mode logMode = userDataHelper.getNextMode();
+ if (logMode != null) {
+ String message = sm.getString("http11processor.host.parse",
+ valueMB.toString(), e.getMessage());
+ switch (logMode) {
+ case INFO_THEN_DEBUG:
+ message += sm.getString("http11processor.fallToDebug");
+ //$FALL-THROUGH$
+ case INFO:
+ log.info(message, e);
+ break;
+ case DEBUG:
+ log.debug(message, e);
+ }
+ }
+ }
+
 boolean ipv6 = (valueB[valueS] == '[');
 boolean bracketClosed = false;
 for (int i = 0; i < valueL; i++) {
Modified: tomcat/trunk/java/org/apache/coyote/http11/LocalStrings.properties
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/LocalStrings.properties?rev=1815791&r1=1815790&r2=1815791&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http11/LocalStrings.properties (original)
+++ tomcat/trunk/java/org/apache/coyote/http11/LocalStrings.properties Mon Nov 20 11:32:54 2017
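Review bot: The `sm.getString("http11processor.host.parse", valueMB.toString(), e.getMessage())` call in the new catch block interpolates the rejected Host value verbatim into an INFO-level log line, and that value is by definition one that failed validation, so whatever bytes the header parser let through (presumably CR/LF never get this far, but other control or non-ASCII bytes may) reach the log file unescaped. The neighbouring `http11processor.header.parse` message already omits the offending header; either do the same here or cap the length and escape non-printable bytes before passing the value, and record that in the TODO block: `// NOTE: {0} is client-controlled; escape non-printable bytes and cap its length before logging`. The `switch (logMode)` also has no `default`, so a future `UserDataHelper.Mode` constant would silently drop the message; `default: log.debug(message, e);` keeps it visible. The enclosing method starts and ends outside the hunk, and the message key it uses is defined in the LocalStrings.properties hunk below.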
@@ -17,8 +17,9 @@ abstractHttp11Protocol.alpnConfigured=Th
 abstractHttp11Protocol.alpnWithNoAlpn=The upgrade handler [{0}] for [{1}] only supports upgrade via ALPN but has been configured for the [{2}] connector that does not support ALPN.
 abstractHttp11Protocol.httpUpgradeConfigured=The [{0}] connector has been configured to support HTTP upgrade to [{1}]
 
-http11processor.fallToDebug=\n Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.
+http11processor.fallToDebug=\n Note: further occurrences of HTTP request parsing errors will be logged at DEBUG level.
 http11processor.header.parse=Error parsing HTTP request header
+http11processor.host.parse=The host header [{0}] failed validation with the error [{1}]. Processing of the request will continue but Tomcat will reject these requests with a 400 response in a future release.
 http11processor.neverused=This method should never be used
 http11processor.request.inconsistentHosts=The host specified in the request line is not consistent with the host header
 http11processor.request.multipleHosts=The request contained multiple host headers
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org