On 11/12/2023 17:08, David Cleary wrote:
Just want to check if this is by design. The above property default was changed 
to better secure the default configuration. We started having some tests fail 
due to this.

In our scenario (as shown below), the Host header value in the HTTP request 
differs in letter case from the Request Line, and it's crucial 
that Tomcat, our web server, does not block or reject requests based on 
variations in the letter case within this header.

Request Line: GET http://HZN-OE-A079:8080 HTTP/1.1
Host header: hzn-oe-a079:8080

Just want to confirm that this property, now with a default of false, is 
supposed to reject requests based on the case of the host name.

David,

Host names are case insensitive so I can see the argument for making this comparison in a case insensitive manner.

However, the language in RFC 9112, section 3.2 is:

A client MUST send a Host header field (Section 7.2 of [HTTP]) in all HTTP/1.1 request messages. If the target URI includes an authority component, then a client MUST send a field value for Host that is identical to that authority component, excluding any userinfo subcomponent and its "@" delimiter (Section 4.2 of [HTTP]).


The key word for me in the above is identical.

We probably need to go back to the HTTP working group and clarify whether the intention was for that "identical" to be in a case-sensitive or case-insensitive manner.

Mark
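To make the two readings of "identical" concrete, here is an added example (not Tomcat's code and not from either message) that checks a Host header against the authority of an absolute-form request target, as in David's scenario, under a strict byte-identical policy and under a policy that treats only the host part case-insensitively; the function names are my own.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit


def authority_of_target(request_target: str) -> Optional[str]:
    """Authority of an absolute-form request target, minus any userinfo and
    its '@' delimiter (RFC 9112 section 3.2). None for origin-form targets
    such as '/index.html', where the Host header alone names the authority."""
    if "://" not in request_target:
        return None
    netloc = urlsplit(request_target).netloc
    if "@" in netloc:
        netloc = netloc.rsplit("@", 1)[1]
    return netloc


def split_host_port(authority: str) -> Tuple[str, str]:
    """Split 'host:port' into (host, port); port is '' when absent.
    An IPv6 literal such as '[::1]' keeps its brackets as the host."""
    host, sep, port = authority.rpartition(":")
    if sep and port.isdigit():
        return host, port
    return authority, ""


def host_header_matches(request_target: str, host_header: str,
                        case_insensitive_host: bool = False) -> bool:
    """Strict policy: the Host field value must be byte-identical to the
    authority. Relaxed policy: the host subcomponent is compared
    case-insensitively (RFC 3986 section 3.2.2); the port must still match."""
    authority = authority_of_target(request_target)
    if authority is None or authority == host_header:
        return True
    if not case_insensitive_host:
        return False
    a_host, a_port = split_host_port(authority)
    h_host, h_port = split_host_port(host_header)
    return a_host.lower() == h_host.lower() and a_port == h_port


def check_request_line(request_line: str, host_header: str,
                       case_insensitive_host: bool = False) -> bool:
    """Apply host_header_matches to a full HTTP/1.1 request line."""
    _method, target, _version = request_line.split(" ", 2)
    return host_header_matches(target, host_header, case_insensitive_host)


if __name__ == "__main__":
    # The request from the message above (constructed from its two lines).
    line, host = "GET http://HZN-OE-A079:8080 HTTP/1.1", "hzn-oe-a079:8080"
    print("strict:", check_request_line(line, host))                  # False
    print("host case-insensitive:", check_request_line(line, host, True))  # True
```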
