On 15/12/2023 14:48, Christopher Schultz wrote:
Do we need to argue over encoding and/or rules of
case-insensitive-matching?
Could we? Probably. Do we need to? Unlikely.
My expectation is that most clients aren't even including the host in
the request line these days.
Non-ASCII hostnames are allowed these days. Depending upon when this
comparison is done, the strings may or may not have been normalized.
Case-normalization can be expensive if you want to be as encoding,
language, etc. agnostic as possible.
Yes this is a theoretical risk but one I don't expect to materialize. My
expectation is that clients new enough to use non-ascii host names also
don't put the header in the request line or if they do, they make sure
it matches the Host header.
Perhaps we could perform a byte-wise comparison first (which is very
likely to succeed quickly) and, if that fails, fall-back to a more
thorough normalization/comparison?
That is probably the way to go if we decide in the future that we do
need to do the normalization first. In which case I'd lean more towards
using toString() and then getting Java to do the comparison.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
