Re: Tomcat returning faulty "empty" header

2023-07-12 Thread Mark Thomas



12 Jul 2023 14:28:40 Lasse Lindqvist :


Hi. Every once in a while in automatic tests I see an error

Caused by: org.apache.http.ProtocolException: Invalid header: :
    at app//org.apache.http.impl.io.AbstractMessageParser.parseHeaders(AbstractMessageParser.java:230)
    at app//org.apache.http.impl.io.AbstractMessageParser.parse(AbstractMessageParser.java:266)
    at app//org.apache.http.impl.DefaultBHttpClientConnection.receiveResponseHeader(DefaultBHttpClientConnection.java:163)
    at app//org.apache.http.impl.conn.CPoolProxy.receiveResponseHeader(CPoolProxy.java:157)
    at app//org.apache.http.protocol.HttpRequestExecutor.doReceiveResponse(HttpRequestExecutor.java:273)
    at app//org.apache.http.protocol.HttpRequestExecutor.execute(HttpRequestExecutor.java:125)
    at app//org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:272)
    at app//org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
    at app//org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
    at app//org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
    at app//org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)


Meaning that the header contents would be just ": ", suggesting that
it has an empty key and empty value.

The service being called is a Spring Boot 2.7 application that has a
simple Controller with no custom header definitions.
It does return a response with
.contentType(MediaType.APPLICATION_OCTET_STREAM)

and body of StreamingResponseBody though.

I am wondering if this is something that might be on the Tomcat side,
or Spring side. But even if on Spring side, should Tomcat perhaps
prevent the creation of these empty headers, as at least
Apache HTTP client considers them invalid and will not choose to ignore 
them.


Tomcat lets applications do stupid things on the basis that sometimes 
they need to to work around issues with broken clients.


Over time there has been a shift towards rejecting non spec compliant 
input but it hasn't reached the general response headers yet.


If you can ID the root cause we may be able to provide more specific 
feedback.


Mark




This reproduces relatively rarely, and by rerunning tests it normally
disappears, so I have not been able to catch the root issue.

Maybe it is related to
https://github.com/spring-projects/spring-security/issues/9175 and
fully a Spring issue even though my error is not exactly the same as
those in the Github issue?
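
One way to locate the root cause asked about above, as an added example that is not code from this thread, Tomcat or Spring: a servlet filter that checks every header name set through the servlet API against the RFC 9110 token grammar, prints the caller's stack trace for an invalid (for example empty) name, and drops that header. The class name HeaderNameAuditFilter is hypothetical, and the example assumes the bad header is set through HttpServletResponse by code that runs after this filter in the chain (javax.servlet, as used by Tomcat 9 and Spring Boot 2.7).

```java
import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/** Hypothetical diagnostic filter: reports who sets a header whose name is not an RFC 9110 token. */
public class HeaderNameAuditFilter implements Filter {

    // RFC 9110 "token": one or more tchar. An empty name never matches.
    private static final Pattern TOKEN = Pattern.compile("[!#$%&'*+.^_`|~0-9A-Za-z-]+");

    static boolean isValidName(String name) {
        return name != null && TOKEN.matcher(name).matches();
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Everything further down the chain writes headers through the auditing wrapper.
        chain.doFilter(req, new AuditingResponse((HttpServletResponse) res));
    }

    private static final class AuditingResponse extends HttpServletResponseWrapper {
        AuditingResponse(HttpServletResponse response) { super(response); }

        private boolean ok(String name) {
            if (isValidName(name)) return true;
            // The stack trace identifies the calling code; the invalid header is not sent.
            new IllegalArgumentException("Invalid response header name: [" + name + "]")
                    .printStackTrace();
            return false;
        }

        @Override public void setHeader(String n, String v) { if (ok(n)) super.setHeader(n, v); }
        @Override public void addHeader(String n, String v) { if (ok(n)) super.addHeader(n, v); }
        @Override public void setDateHeader(String n, long d) { if (ok(n)) super.setDateHeader(n, d); }
        @Override public void addDateHeader(String n, long d) { if (ok(n)) super.addDateHeader(n, d); }
        @Override public void setIntHeader(String n, int v) { if (ok(n)) super.setIntHeader(n, v); }
        @Override public void addIntHeader(String n, int v) { if (ok(n)) super.addIntHeader(n, v); }
    }
}
```

Headers that reach the response by another path (for example written by the container itself, or set on the unwrapped response by a filter earlier in the chain) do not pass through the wrapper, so a clean log from this filter does not rule those paths out.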





RE: Tomcat returning faulty "empty" header

2023-07-12 Thread Ganesan, Prabu
Hi Team,


Could you please provide steps for installation of Tomcat 9.0 version? We are 
very new to it.

Thanks & Regards,
PrabuGanesan
