Re: Strict Host Header validation since Tomcat 7.0.87

2018-05-30 Thread Mark Thomas
On 30/05/18 10:00, Sven Buesing wrote: > Hello everyone, > Hello Mark, > > @markt: as this change is from you, I've added you in cc. Please let me know > if you're fine with this. No, I am not. Please do not send direct mail to Tomcat committers. If you have a Tomcat related question, it

Strict Host Header validation since Tomcat 7.0.87

2018-05-30 Thread Sven Buesing
Hello everyone, Hello Mark, @markt: as this change is from you, I've added you in cc. Please let me know if you're fine with this. Since Tomcat 7.0.87 Coyote has added a validation check for Host-Headers. The validation seems to expect that a host header is always a FQDN. But in common DNS

Re: Host header validation

2017-04-13 Thread Mark Thomas
ems pretty stable and in use. > That said, I'm not interested in particular in IPvFuture implementation - I > thought it would help me getting to know Tomcat better - if there's > anything else that is more important/urgent and is suitable for someone new > to Tomcat, please share s

Re: Host header validation

2017-04-10 Thread Katya Todorova
d in particular in IPvFuture implementation - I thought it would help me getting to know Tomcat better - if there's anything else that is more important/urgent and is suitable for someone new to Tomcat, please share some pointers. I don't see this as task assignment but more as providing the c

Re: Host header validation

2017-04-05 Thread Mark Thomas
get started but that shouldn't be seen as assigning areas to work on. Other possibilities are: - performance improvements for the Host header validation - improving code coverage generally for any of the HTTP parsing code - any that attracts your interest I'm looking at the code coverage

Re: Host header validation

2017-04-05 Thread Katya Todorova
I can prepare a patch. Other possibilities are: > > - performance improvements for the Host header validation > > - improving code coverage generally for any of the HTTP parsing code > > - any that attracts your interest I'm looking at the code coverage and will take a look at hos

Re: Host header validation

2017-03-31 Thread Mark Thomas
On 31/03/17 14:41, Mark Thomas wrote: > On 31/03/17 09:43, Katya Todorova wrote: >> I've created a separate pull request for leading zeros issue since I think >> it requires additional discussion whether to be submitted or not. Although >> this fix honors the specification, it leads to

Re: Host header validation

2017-03-31 Thread Mark Thomas
: http://markmail.org/message/vp5voob7elspflax Other possibilities are: - performance improvements for the Host header validation - improving code coverage generally for any of the HTTP parsing code - any that attracts your interest Kind regards, Mark --

Re: Host header validation

2017-03-31 Thread Katya Todorova
> You can either create a pull request on github or create a Bugzilla > issue and attach a patch. > Mark > I've created a separate pull request for leading zeros issue since I think it requires additional discussion whether to be submitted or not. Although this fix honors the specification, it

Re: Host header validation

2017-03-29 Thread Mark Thomas
On 29/03/17 15:16, Katya Todorova wrote: >> >> I recommend using the code coverage reports as a guide. >> >> https://ci.apache.org/projects/tomcat/tomcat9/coverage/ > > >> >> and add test cases if they increase code coverage. Hmm. It looks like >> there is some low hanging fruit in the parsing

Re: Host header validation

2017-03-29 Thread Katya Todorova
> > I recommend using the code coverage reports as a guide. > > https://ci.apache.org/projects/tomcat/tomcat9/coverage/ > > and add test cases if they increase code coverage. Hmm. It looks like > there is some low hanging fruit in the parsing code to improve coverage. > > You can run the tests

Re: Host header validation

2017-03-29 Thread Mark Thomas
On 29/03/17 07:06, Katya Todorova wrote: > On Tue, Mar 28, 2017 at 5:45 PM, Mark Thomas <ma...@apache.org> wrote: > >> On 28/03/17 15:23, Katya Todorova wrote: >>> Hi, >>>> r1787662 adds Host header validation along with a fair number of unit >> tes

Re: Host header validation

2017-03-29 Thread Katya Todorova
On Tue, Mar 28, 2017 at 5:45 PM, Mark Thomas <ma...@apache.org> wrote: > On 28/03/17 15:23, Katya Todorova wrote: > > Hi, > >> r1787662 adds Host header validation along with a fair number of unit > tests. > >> It includes a performance test whic

Re: Host header validation

2017-03-28 Thread Katya Todorova
On Tue, Mar 28, 2017 at 5:45 PM, Mark Thomas <ma...@apache.org> wrote: > On 28/03/17 15:23, Katya Todorova wrote: > > Hi, > >> r1787662 adds Host header validation along with a fair number of unit > tests. > >> It includes a performance test whic

Re: Host header validation

2017-03-28 Thread Mark Thomas
On 28/03/17 15:23, Katya Todorova wrote: > Hi, >> r1787662 adds Host header validation along with a fair number of unit tests. >> It includes a performance test which indicates - on my machine at least >> - that the performance impact is in the noise. I'd like to see better

Re: Host header validation

2017-03-28 Thread Katya Todorova
Hi, > r1787662 adds Host header validation along with a fair number of unit tests. > It includes a performance test which indicates - on my machine at least > - that the performance impact is in the noise. I'd like to see better > performance for full IPv6 addresses but the curren

Re: Host header validation

2017-03-24 Thread Mark Thomas
On 22/03/17 14:13, Konstantin Kolinko wrote: > 2017-03-21 18:01 GMT+03:00 Mark Thomas : >> On 21 March 2017 14:14:19 GMT+00:00, Christopher Schultz >> wrote: >>> >>> How about an option to disable the validity-checking, in case someone >>> in the

Re: Host header validation

2017-03-22 Thread Konstantin Kolinko
2017-03-21 18:01 GMT+03:00 Mark Thomas : > On 21 March 2017 14:14:19 GMT+00:00, Christopher Schultz > wrote: >> >>How about an option to disable the validity-checking, in case someone >>in the field finds a case they need to support, or if they

Re: Host header validation

2017-03-21 Thread Mark Thomas
On 21 March 2017 14:14:19 GMT+00:00, Christopher Schultz <ch...@christopherschultz.net> wrote: >Mark, > >On 3/19/17 4:55 PM, Mark Thomas wrote: >> Hi, >> >> r1787662 adds Host header validation along with a fair number of >> unit tests. >> >

Re: Host header validation

2017-03-21 Thread Christopher Schultz
Mark, On 3/19/17 4:55 PM, Mark Thomas wrote: > Hi, > > r1787662 adds Host header validation along with a fair number of > unit tests. > > It includes a performance test which indicates - on my machine at > least - that t

Host header validation

2017-03-19 Thread Mark Thomas
Hi, r1787662 adds Host header validation along with a fair number of unit tests. It includes a performance test which indicates - on my machine at least - that the performance impact is in the noise. I'd like to see better performance for full IPv6 addresses but the current code looks