On 2016-11-29 at 16:07, Mark Thomas wrote:
On 29/11/2016 14:40, Christopher Schultz wrote:
Michael,

On 11/29/16 8:14 AM, Michael Osipov wrote:
Hi folks,

while investigating another possible patch for the RewriteValve, I
have noticed that Tomcat 8.5 does not validate the set status
code, everything is possible, e.g., -99 or 1000. Scanning the code
I haven't found any validation or such up to
org.apache.coyote.http11.Http11OutputBuffer.sendStatus().

RFC 7230, section 3.1.2 defines the EBNF; the status-code is defined
as 3DIGIT.

My question: is that an implementation error?

Not having checked Apache 2.4 yet, I know that mod_rewrite.c will
return an error if the status code is not between 100 and 900 [1].

I would say that in general validating the response code is probably
not worth it. If an application wants to use customized response
codes, they have plenty of codes already available but maybe they want
to use a higher-numbered code.

Are you suggesting that the behavior should be changed so that Tomcat
can enforce the HTTP specification even when an application uses it in
an out-of-spec way? Or were you thinking that there may be some deeper
issue that Tomcat can help solve?

Validating the response code would only take a little bit of time, and
usually response codes aren't set many times per request, so the
overhead would probably be minimal.

If it is validated at all for the RewriteValve, I'd do it once during
init rather than per request.

This is what I was about to do. My primary goal was to complete the redirect rule where mod_rewrite.c rejects codes below 100 and 900 and stops processing immediately if the code is not one of 3xx.

Is that desired or do you want to leave it that way?

Michael
