[Bug 65272] Problems processing HTTP request without CR in last versions

https://bz.apache.org/bugzilla/show_bug.cgi?id=65272

Mark Thomas changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #7 from Mark Thomas ---
Fixed in:
- 10.0.x for 10.0.6 onwards
- 9.0.x for 9.0.46 onwards
- 8.5.x for 8.5.66 onwards

--
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 65272] Problems processing HTTP request without CR in last versions

https://bz.apache.org/bugzilla/show_bug.cgi?id=65272

--- Comment #6 from Mark Thomas ---
It currently looks like this is fixable.

PR at https://github.com/apache/tomcat/pull/417

Need to allow time for the Tomcat community to review the PR.
[Bug 65272] Problems processing HTTP request without CR in last versions

https://bz.apache.org/bugzilla/show_bug.cgi?id=65272

--- Comment #5 from Mark Thomas ---
I've started to look at this. So far I have spotted a couple of minor issues
with the current parsing that I need to fix. Commits for those will follow
shortly.

I haven't yet found any reason not to allow LF as a line terminator but I am
still reviewing the parsing code.
[Bug 65272] Problems processing HTTP request without CR in last versions

https://bz.apache.org/bugzilla/show_bug.cgi?id=65272

--- Comment #4 from Miguel ---
(In reply to Mark Thomas from comment #3)
> This stricter parsing was introduced as part of the fix for CVE-2020-1935.
>
> Because the fix was in response to a security issue, that makes it a lot
> less likely the current behaviour will be changed.
>
> I'll note that both RFC 7230 and RFC 2616 state that recipients MAY treat
> single LF as a line terminator. That makes the behaviour entirely optional
> and Tomcat is still fully HTTP spec compliant by opting to reject requests
> that use LF as the line terminator.
>
> I need to look into the details of that vulnerability to see if there are
> any options to relax the current behaviour without re-introducing a security
> concern.

Thank you for your work.

Additional information: Now we see that the first version with problems is
9.0.31 (doesn't respond) and with 9.0.33 the response is the one reported
originally.

We are waiting for news.

Regards
[Bug 65272] Problems processing HTTP request without CR in last versions

https://bz.apache.org/bugzilla/show_bug.cgi?id=65272

--- Comment #3 from Mark Thomas ---
This stricter parsing was introduced as part of the fix for CVE-2020-1935.

Because the fix was in response to a security issue, that makes it a lot
less likely the current behaviour will be changed.

I'll note that both RFC 7230 and RFC 2616 state that recipients MAY treat
single LF as a line terminator. That makes the behaviour entirely optional
and Tomcat is still fully HTTP spec compliant by opting to reject requests
that use LF as the line terminator.

I need to look into the details of that vulnerability to see if there are
any options to relax the current behaviour without re-introducing a security
concern.
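An added example, not from this thread and not Tomcat's own code: a small request-head parser that applies either policy discussed in comment #3, strict CRLF-only (what Tomcat does after the CVE-2020-1935 fix) or RFC 7230's optional acceptance of a bare LF as a line terminator, run over a constructed LF-only HTTP/1.0 request like the legacy client in this report. Function names and the sample request are assumptions.

```python
# Added example, not Tomcat's own code: a small HTTP/1.x request-head parser with
# the two line-ending policies from this bug: strict (CRLF only, as Tomcat does
# after the CVE-2020-1935 fix) or lenient (bare LF also ends a line, RFC 7230 3.5).

class BadRequest(ValueError):
    """Request head violates the selected line-ending policy."""

def split_head_lines(head: bytes, allow_bare_lf: bool) -> list:
    """CRLF always ends a line; a bare CR is always an error; a bare LF is an
    error in strict mode and a line terminator in lenient mode."""
    lines, start, i = [], 0, 0
    while i < len(head):
        b = head[i]
        if b not in (0x0D, 0x0A):
            i += 1
            continue
        crlf = b == 0x0D and head[i + 1:i + 2] == b"\n"
        if b == 0x0D and not crlf:
            raise BadRequest("bare CR at offset %d" % i)
        if b == 0x0A and not allow_bare_lf:
            raise BadRequest("bare LF at offset %d" % i)
        lines.append(head[start:i])
        i = start = i + (2 if crlf else 1)
    if start != len(head):
        raise BadRequest("unterminated final line")
    return lines

def parse_request_head(head: bytes, allow_bare_lf: bool = False) -> dict:
    """Parse request line and headers; the head must end with an empty line."""
    lines = split_head_lines(head, allow_bare_lf)
    if not lines or lines[-1] != b"":
        raise BadRequest("missing empty line after headers")
    request_line, *header_lines = lines[:-1]
    method, target, version = request_line.split(b" ")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return {"method": method.decode(), "target": target.decode(),
            "version": version.decode(), "headers": headers}

def accepts(head: bytes, allow_bare_lf: bool) -> bool:
    try:
        return bool(parse_request_head(head, allow_bare_lf))
    except BadRequest:
        return False

# Constructed sample mimicking the legacy HTTP/1.0 client in the bug: LF-only.
LEGACY_LF_ONLY = b"GET /sms HTTP/1.0\nHost: legacy.example\n\n"
CRLF_REQUEST = LEGACY_LF_ONLY.replace(b"\n", b"\r\n")
```

In strict mode the LF-only request is rejected outright; in lenient mode it parses to the same result as its CRLF form, while a bare CR or an unterminated last line is rejected under both policies.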
[Bug 65272] Problems processing HTTP request without CR in last versions

https://bz.apache.org/bugzilla/show_bug.cgi?id=65272

--- Comment #2 from Miguel ---
(In reply to Michael Osipov from comment #1)
> How old are those systems?

I don't have the data. But I see that the HTTP requests are version 1.0...
so it is very old... We have some legacy systems. One of these is an SMS
Center that we can't change.

We are afraid because this problem can limit our maximum Tomcat version to
9.0.26 (I didn't try all versions between 9.0.26 and 9.0.41).

We know that the HTTP standard specifies how to separate the components of
an HTTP request, but this new behaviour detected in the latest versions
generates problems for us in some use cases.
[Bug 65272] Problems processing HTTP request without CR in last versions

https://bz.apache.org/bugzilla/show_bug.cgi?id=65272

Michael Osipov changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 OS|                            |All

--- Comment #1 from Michael Osipov ---
How old are those systems?