Am 2020-03-23 um 14:01 schrieb Mark Thomas:

I am currently looking at the request line parsing. I'll try and set out
each issue in turn.

End of line parsing

Prior to the recent changes, Tomcat allowed CRLF or LF to mark the end
of a line. The unwanted side effect was that CR could appear in the
header value. This caused problems and was tightened up to only allow
CRLF as a line terminator.

Currently Tomcat requires CRLF everywhere apart from the end of the
request line for a HTTP 0.9 request where it also allows LF.

This requirement to accept just LF as a line terminator first emerged in
the W3C spec [1]. RFC 1945 [2] and RFC 2616 [3] retained this as a
recommendation for all line terminators, RFC 7230 [4] no longer includes
this recommendation.

RFC 7230 also removes the expectation that a server that supports
HTTP/1.1 will support HTTP 0.9.

Arguably the current spec for HTTP/0.9 is [3].

The Servlet spec references RFC 7230 and RFC 1945 so arguably HTTP/0.9
support is expected.

SP vs whitespace

Tomcat currently accepts any combination of SP and HTAB where RFC 7230
calls for a single SP. This stems from a recommendation in RFC 2616
which is no longer present in RFC 7230.

I think we have three options.

1. No changes.
    CRLF is required everywhere apart from HTTP/0.9 where LF is also
    Any combination of SP/HTAB is accepted where SP is required.

2. Tighten up as per RFC 7230
    a) Require CRLF for all line endings
    b) Require SP where specified
    c) Drop HTTP/0.9 support

3. Relax the recent changes to allow CRLF or LF as a line terminator
    everywhere without allowing CR to appear in a request header.

I think we should follow 1) for Tomcat 7, 8 & 9.

I'm leaning towards 1 for 10.0.x as well with a view to discussing 2 in
the Servlet project. i.e. explicitly dropping HTTP 0.9 support and the
"Tolerant applications" requirements of RFC 1945 for Jakarta EE 10
(Tomcat 10.1.x).

Makes sense for <= 9 and the evaluation for 10


To unsubscribe, e-mail:
For additional commands, e-mail:

Reply via email to