On 14/10/2021 11:32, Konstantin Kolinko wrote:
Thu, 14 Oct 2021 at 13:01, Mark Thomas <ma...@apache.org>:
On 14/10/2021 10:59, ma...@apache.org wrote:
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new d33cce6 Ensure request URIs start with /
d33cce6 is described below
commit d33cce6c196efed8e35518711ba27af0a8c93d09
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Wed Oct 13 18:33:55 2021 +0100
Ensure request URIs start with /
This is the third and final additional default check for consideration
to back-port.
Servlet 6 also introduces the concept of "suspicious URIs" - sequences
like "/..;a=b/" and I'll be addressing those as an optional check in a
separate commit.
How about an "OPTIONS * HTTP/1.1" request?
https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/OPTIONS
https://datatracker.ietf.org/doc/html/rfc7231#section-4.3.7
Does Tomcat respond to it by itself, without passing the request to servlets?
That gets handled before the "starts with '/' check". Tomcat provides
the response.
https://github.com/apache/tomcat/blob/main/java/org/apache/catalina/connector/CoyoteAdapter.java#L613
Mark