[Bug 66196] HTTP/1 connector doesn't blow-up when HTTP header contains non-ASCII characters
https://bz.apache.org/bugzilla/show_bug.cgi?id=66196 Mark Thomas changed: What|Removed |Added Status|REOPENED|RESOLVED Resolution|--- |FIXED --- Comment #13 from Mark Thomas --- See bug 66512 for the AJP aspect of this. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 66196] HTTP/1 connector doesn't blow-up when HTTP header contains non-ASCII characters
https://bz.apache.org/bugzilla/show_bug.cgi?id=66196 Mark Thomas changed: What|Removed |Added Resolution|FIXED |--- Status|RESOLVED|REOPENED --- Comment #12 from Mark Thomas --- Re-opening for visibility -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 66196] HTTP/1 connector doesn't blow-up when HTTP header contains non-ASCII characters
https://bz.apache.org/bugzilla/show_bug.cgi?id=66196 --- Comment #11 from gabriel.holl...@appian.com --- Looking over the thread here, it sounded like the path forward was to log, and potentially drop the header for Http1.1 However that same change wasnt done for the AJP Processor, causing invalid headers to suddenly break upon tomcat upgrade (discover in our 8.5.x usage) java.lang.IllegalArgumentException: The Unicode character [–] at code point [8,211] cannot be encoded as it is outside the permitted range of 0 to 255 at org.apache.tomcat.util.buf.MessageBytes.toBytesSimple(MessageBytes.java:290) at org.apache.tomcat.util.buf.MessageBytes.toBytes(MessageBytes.java:261) at org.apache.coyote.ajp.AjpMessage.appendBytes(AjpMessage.java:172) at org.apache.coyote.ajp.AjpProcessor.prepareResponse(AjpProcessor.java:1121) at org.apache.coyote.ajp.AjpProcessor$SocketOutputBuffer.doWrite(AjpProcessor.java:1511) at org.apache.coyote.Response.doWrite(Response.java:602) at org.apache.catalina.connector.OutputBuffer.realWriteBytes(OutputBuffer.java:356) at org.apache.catalina.connector.OutputBuffer.flushByteBuffer(OutputBuffer.java:846) at org.apache.catalina.connector.OutputBuffer.realWriteChars(OutputBuffer.java:470) at org.apache.catalina.connector.OutputBuffer.flushCharBuffer(OutputBuffer.java:851) at org.apache.catalina.connector.OutputBuffer.close(OutputBuffer.java:250) at org.apache.catalina.connector.CoyoteWriter.close(CoyoteWriter.java:107) Is there any chance the same handling for HTTP 1.1 could apply to AJP? -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 66196] HTTP/1 connector doesn't blow-up when HTTP header contains non-ASCII characters
https://bz.apache.org/bugzilla/show_bug.cgi?id=66196 --- Comment #10 from Julian Reschke --- > And then there is RFC 8187 that I don't think I have ever seen in real world > usage. Content-Disposition. Trust me. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 66196] HTTP/1 connector doesn't blow-up when HTTP header contains non-ASCII characters
https://bz.apache.org/bugzilla/show_bug.cgi?id=66196 Mark Thomas changed: What|Removed |Added Resolution|--- |FIXED Status|NEW |RESOLVED --- Comment #9 from Mark Thomas --- Back-ported to: - 9.0.x for 9.0.71 onwards - 8.5.x for 8.5.85 onwards -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 66196] HTTP/1 connector doesn't blow-up when HTTP header contains non-ASCII characters
https://bz.apache.org/bugzilla/show_bug.cgi?id=66196 Mark Thomas changed: What|Removed |Added CC||renaud.n...@gmail.com --- Comment #8 from Mark Thomas --- *** Bug 65802 has been marked as a duplicate of this bug. *** -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 66196] HTTP/1 connector doesn't blow-up when HTTP header contains non-ASCII characters
https://bz.apache.org/bugzilla/show_bug.cgi?id=66196 --- Comment #7 from Mark Thomas --- The first approved release with this change was 10.1.0. My current thinking is to allow another 2 to 3 releases before back-porting. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 66196] HTTP/1 connector doesn't blow-up when HTTP header contains non-ASCII characters
https://bz.apache.org/bugzilla/show_bug.cgi?id=66196 --- Comment #6 from ttera --- When will it be backported to v8.5, 9 and 10.0? -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 66196] HTTP/1 connector doesn't blow-up when HTTP header contains non-ASCII characters
https://bz.apache.org/bugzilla/show_bug.cgi?id=66196 --- Comment #5 from Mark Thomas --- Fixed in 10.1.x for 10.1.0-M18 onwards I intend to delay back-porting for a few releases in case the changes to MessageBytes triggers regressions. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 66196] HTTP/1 connector doesn't blow-up when HTTP header contains non-ASCII characters
https://bz.apache.org/bugzilla/show_bug.cgi?id=66196 --- Comment #4 from Boris Petrov --- Logging a warning (or even logging at the ERROR level) sounds great to me. Everyone should be monitoring their logs for warnings and errors so this should be visible to most. And would save people time as they won't have to debug to try to figure out what their problem is. Thanks! -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 66196] HTTP/1 connector doesn't blow-up when HTTP header contains non-ASCII characters
https://bz.apache.org/bugzilla/show_bug.cgi?id=66196 Mark Thomas changed: What|Removed |Added Status|NEEDINFO|NEW --- Comment #3 from Mark Thomas --- Generally, Tomcat doesn't validate response headers unless it needs to process them for some reason. Applications are expected to set valid data. This also gives applications the flexibility to bend (or even break) the HTTP specs which can sometimes be useful when dealing with clients that don't follow the specs. HTTP headers values are not restricted to US-ASCII. Many - including ETag - allow obs-text which is bytes in the range 0x80 to 0xFF. That said, RFC 9110 has a strong preference for US-ASCII. I suspect that requirement may get stronger over time. To add to the "fun" some cookies - despite RFC 6265 and the HTTP RFCs - have been observed to use UTF-8 values. And then there is RFC 8187 that I don't think I have ever seen in real world usage. So, in short, things are not at all clear cut. For HTTP/2, it will depend whether the implementation decides to use Huffman encoding or not. The specification doesn't define when to use Huffman and when not. You could argue that this imposes a requirement that the characters in header names and values must fall in the range 0x00 to 0xFF (other requirements limit this further). Which is stricter than HTTP/1.1. My thinking at this point was whether or not it was practical to add a similar limit to HTTP/1.1. Reviewing the code, I think it is. Only cookie headers are treated as UTF-8. All other headers are treated as ISO-8859-1. If you try passing in a String that uses characters above code point 255, they will get corrupted. On that basis, I think it is better to trigger an error early rather than passing corrupted data to the client. Triggering an error in the form of an exception problematic. Applications that appear to work at the moment would start failing once this change was applied. I think a reasonable compromise for HTTP/1.1 would be to log a warning (including the problematic String) and ignore the header. Thoughts? -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 66196] HTTP/1 connector doesn't blow-up when HTTP header contains non-ASCII characters
https://bz.apache.org/bugzilla/show_bug.cgi?id=66196 --- Comment #2 from Boris Petrov --- Well, in my case it was the `ETag` header but I believe it's illegal to send non-ASCII characters in any header. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 66196] HTTP/1 connector doesn't blow-up when HTTP header contains non-ASCII characters
https://bz.apache.org/bugzilla/show_bug.cgi?id=66196 Mark Thomas changed: What|Removed |Added Status|NEW |NEEDINFO --- Comment #1 from Mark Thomas --- Which header was this? -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org