On 10/05/2016 22:00, Thomas Meyer wrote:
> Hi,
>
> I noticed that I can block Tomcat 8 by opening 200 connections to the
> HTTP 1.1 connector and sending 512 bytes of zero in each connection.
>
> Tomcat 8 seems to block in the parseRequestLine() method for 20 seconds
> (connectionTimeout) and times out after that.
>
> The blocking seems to happen while waiting for the HTTP method name.

Which connector are you using?

> I looked up RFC 2616 and byte zero is, as far as I understand, not a
> legal character for the HTTP method name, which are GET, PUT and so on
> and extension token, which is defined as token, which is defined as all
> characters excluding 0-31 and 127.
> So why doesn't Tomcat trash the connection when it detects an invalid
> HTTP method name?
>
> Is this behaviour just a super tolerant implementation?

It looks like a very tolerant implementation.

> Bug or feature? I'm curious to know the background of this
> behaviour/implementation!

The background is it goes all the way back to 4.1.x. It may go back further, but there was a big refactoring between 4.0.x and 4.1.x that was before my time, so I never figured out my way around the 4.0.x code.

Given that clients should not be sending non-token method values and such a value is probably indicative of an issue, detecting this and responding with a 400 is probably better than being tolerant.

I'll take a look at a patch.

Mark
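The strict behaviour discussed in this thread, as an added example that is not part of the original messages and is not Tomcat's code: a check that rejects the request as soon as a byte outside the RFC 2616 `token` set appears in the method, instead of holding the connection until `connectionTimeout`. The class and method names are hypothetical, and the sketch assumes the buffer starts at the method name (skipping of leading blank lines is not modelled).

```java
import java.nio.charset.StandardCharsets;

public class MethodTokenCheck {
    enum Result { NEED_MORE_DATA, METHOD_OK, BAD_REQUEST_400 }

    // RFC 2616 section 2.2 separators, including SP and HT.
    private static final String SEPARATORS = "()<>@,;:\\\"/[]?={} \t";

    // token char: US-ASCII, not a control (0-31, 127), not a separator.
    static boolean isTokenChar(int b) {
        return b > 31 && b < 127 && SEPARATORS.indexOf(b) < 0;
    }

    // Inspect the bytes received so far on one connection.
    // Returns as soon as the outcome is known, so invalid input
    // never leaves the parser waiting for more data.
    static Result checkMethod(byte[] buf, int len) {
        for (int i = 0; i < len; i++) {
            int b = buf[i] & 0xFF;
            if (b == ' ') {
                // SP ends the method; an empty method is invalid.
                return i > 0 ? Result.METHOD_OK : Result.BAD_REQUEST_400;
            }
            if (!isTokenChar(b)) {
                return Result.BAD_REQUEST_400; // e.g. a zero byte
            }
        }
        // Only valid token bytes so far and no SP yet: keep reading.
        return Result.NEED_MORE_DATA;
    }

    public static void main(String[] args) {
        // Constructed inputs for illustration.
        byte[] zeros = new byte[512]; // 512 zero bytes, as in the report
        byte[] full = "GET / HTTP/1.1\r\n".getBytes(StandardCharsets.US_ASCII);
        byte[] partial = "GE".getBytes(StandardCharsets.US_ASCII);
        byte[] sep = "G@T / HTTP/1.1\r\n".getBytes(StandardCharsets.US_ASCII);

        System.out.println("zeros:   " + checkMethod(zeros, zeros.length));
        System.out.println("full:    " + checkMethod(full, full.length));
        System.out.println("partial: " + checkMethod(partial, partial.length));
        System.out.println("sep:     " + checkMethod(sep, sep.length));
    }
}
```

Only the `NEED_MORE_DATA` case should keep a connection waiting on the read timeout; the 512-zero-byte input is decided on its first byte.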
