On 18/09/17 20:33, ma...@apache.org wrote:
> Author: markt
> Date: Mon Sep 18 19:33:18 2017
> New Revision: 1808766
>
> URL: http://svn.apache.org/viewvc?rev=1808766&view=rev
> Log:
> Implement various Host header checks required by RFC 7230
Before I go any further with this work (I want to plug in the Host name parser I wrote ~6 months ago) I wanted to get some feedback on these checks.

> - Host header must be present for HTTP/1.1 requests
> - multiple host headers are invalid

The new Tomcat behaviour (reject with 400) is consistent with httpd for the above 2 tests.

> - if the request line includes the host, it must match the host header

This goes further than httpd does (at the moment). Note RFC 2616 says in this case the request line takes precedence (which is what httpd does) and the old Tomcat code did. RFC 7230 says they must match.

I'm wondering which, if any, of the above tests we might want to make optional in 9.0.x.

I'm less concerned about the first 2 tests since the behaviour is consistent with httpd.

I am wondering about making the 3rd test optional but enabled by default for 9.0.x. When the test is disabled, the request line value would take precedence as it did before this fix.

I'm also thinking about the same questions for 8.5.x, 8.0.x and 7.0.x. My current thinking is as 9.0.x but change the default for the 3rd test to disabled.

Thoughts? Comments?

Mark
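The three checks discussed above, with the third one switchable as Mark proposes, as an added illustration that is not Tomcat's code. It assumes a minimal request-line split and a constructed list of (name, value) header tuples; when the match check is disabled, the request-line host takes precedence as under RFC 2616.

```python
# Added example, not Tomcat code: the RFC 7230 Host checks from the thread.
from urllib.parse import urlsplit


def check_host(request_line, headers, require_match=True):
    """Return (status, effective_host); status 400 means the request is rejected.

    headers: constructed list of (name, value) tuples as a parser would hand over.
    require_match: the optional third test (request-line host == Host header).
    """
    try:
        _method, target, version = request_line.split(" ")
    except ValueError:
        return 400, None  # malformed request line

    host_values = [v.strip() for k, v in headers if k.lower() == "host"]

    # Test 2: more than one Host header is invalid for any HTTP version.
    if len(host_values) > 1:
        return 400, None

    # Test 1: HTTP/1.1 requests must carry a Host header (HTTP/1.0 need not).
    if version == "HTTP/1.1" and not host_values:
        return 400, None

    header_host = host_values[0] if host_values else None

    # An absolute-form request-target (scheme://authority/path) carries its
    # own host; otherwise the Host header alone names the target host.
    if "://" not in target:
        return 200, header_host

    target_host = urlsplit(target).netloc  # keeps the port when present

    # Test 3 (RFC 7230): request-line host must match the Host header.
    # Assumption: host names compare case-insensitively, ports literally.
    if require_match and header_host is not None:
        if target_host.lower() != header_host.lower():
            return 400, None

    # Matched, or test 3 disabled: request-line value wins (RFC 2616 behaviour).
    return 200, target_host
```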