On 26/05/2022 02:20, Ralph Atallah wrote:
Hi,
We use Tomcat 7.0.109 and Tomcat 8.5 in our Tomcat-based webapp deployments and
we have a new requirement to prevent Host header injection. The
allowHostHeaderMismatch option seems the perfect answer to this issue.
However, configuring it in our environment, i.e. in the server.xml connector
tag, still does not seem to make it work.
Debugging the code, we see that the check for this setting is never even
reached in the
org.apache.coyote.http11.AbstractHttp11Processor.prepareRequest() method. The
reason is in the code snippet below:
    ByteChunk uriBC = request.requestURI().getByteChunk();
    byte[] uriB = uriBC.getBytes();
    if (uriBC.startsWithIgnoreCase("http", 0)) {
        ...
        if (allowHostHeaderMismatch) {
            ...
        }
    }
uriBC does not contain the full URL such as http://localhost:8080/myapp, but rather only
the /myapp path, so the if (uriBC.startsWithIgnoreCase("http", 0)) condition
is never met.
We are probably missing something very basic, and would really appreciate some
guidance.
I suspect that allowHostHeaderMismatch doesn't do what you think it does.
Exactly what problem are you trying to solve when you say you want to
prevent "Host header injection"?
Mark
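To make the distinction in the quoted snippet concrete, here is an added Python model (not Tomcat's code) of what allowHostHeaderMismatch governs for absolute-form versus origin-form request targets, placed beside the Host allowlist check that a Host header injection concern actually calls for. The allowlist function and its placement in a Filter are assumptions, not something the thread states.

```python
import re
from urllib.parse import urlsplit

# Constructed model of the host handling in Tomcat's prepareRequest();
# this is an added illustration, not Tomcat's own code.
_ABSOLUTE_FORM = re.compile(r"^https?://", re.IGNORECASE)


def effective_host(request_target, host_header, allow_host_header_mismatch=False):
    """Return the host the request is served under, or None for a 400.

    Only an absolute-form target (http://host:port/path) carries an
    authority to compare against the Host header. An origin-form target
    (/path), which is what browsers normally send, never enters the
    comparison, which is why the check in the thread is never reached.
    """
    if not _ABSOLUTE_FORM.match(request_target):
        return host_header  # origin-form: Host header is taken as-is
    authority = urlsplit(request_target).netloc
    if allow_host_header_mismatch or host_header is None:
        return authority  # request line wins (RFC 2616 style)
    if host_header != authority:
        return None  # request line and Host disagree: 400 (RFC 7230 style)
    return authority


def host_is_allowed(host, allowed_hosts):
    """Allowlist check that does address Host header injection.

    Assumption: the mitigation is to reject any Host value (port stripped)
    that the deployment does not intend to serve. This is not a Tomcat
    setting; it would live in a Filter or Valve in front of the webapp.
    """
    if host is None:
        return False
    if host.startswith("["):  # bracketed IPv6 literal, e.g. [::1]:8080
        name = host[: host.index("]") + 1] if "]" in host else host
    else:
        name = host.split(":", 1)[0]
    name = name.lower().rstrip(".")
    return name in {h.lower() for h in allowed_hosts}
```

Run effective_host("/myapp", "other.example") and the Host header comes back untouched regardless of allowHostHeaderMismatch, while host_is_allowed("other.example", ["localhost"]) is the check that rejects it.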