Stricter header value parsing

Author: markt-asf

java/org/apache/coyote/http11/AbstractHttp11Protocol.java

@@ -83,27 +83,56 @@ public void setAllowHostHeaderMismatch(boolean allowHostHeaderMismatch) {
     }
 
 
-    private boolean rejectIllegalHeaderName = false;
+    private boolean rejectIllegalHeader = false;
     /**
-     * If an HTTP request is received that contains an illegal header name (i.e.
-     * the header name is not a token) will the request be rejected (with a 400
-     * response) or will the illegal header be ignored.
+     * If an HTTP request is received that contains an illegal header name or
+     * value (e.g. the header name is not a token) will the request be rejected
+     * (with a 400 response) or will the illegal header be ignored?
      *
      * @return {@code true} if the request will be rejected or {@code false} if
      *         the header will be ignored
      */
-    public boolean getRejectIllegalHeaderName() { return rejectIllegalHeaderName; }
+    public boolean getRejectIllegalHeader() { return rejectIllegalHeader; }
     /**
-     * If an HTTP request is received that contains an illegal header name (i.e.
-     * the header name is not a token) should the request be rejected (with a
-     * 400 response) or should the illegal header be ignored.
+     * If an HTTP request is received that contains an illegal header name or
+     * value (e.g. the header name is not a token) should the request be
+     * rejected (with a 400 response) or should the illegal header be ignored?
+     *
+     * @param rejectIllegalHeader   {@code true} to reject requests with illegal
+     *                              header names or values, {@code false} to
+     *                              ignore the header
+     */
+    public void setRejectIllegalHeader(boolean rejectIllegalHeader) {
+        this.rejectIllegalHeader = rejectIllegalHeader;
+    }
+    /**
+     * If an HTTP request is received that contains an illegal header name or
+     * value (e.g. the header name is not a token) will the request be rejected
+     * (with a 400 response) or will the illegal header be ignored?
+     *
+     * @return {@code true} if the request will be rejected or {@code false} if
+     *         the header will be ignored
+     *
+     * @deprecated Now an alias for {@link #getRejectIllegalHeader()}. Will be
+     *             removed in Tomcat 10 onwards.
+     */
+    @Deprecated
+    public boolean getRejectIllegalHeaderName() { return rejectIllegalHeader; }
+    /**
+     * If an HTTP request is received that contains an illegal header name or
+     * value (e.g. the header name is not a token) should the request be
+     * rejected (with a 400 response) or should the illegal header be ignored?
      *
      * @param rejectIllegalHeaderName   {@code true} to reject requests with
-     *                                  illegal header names, {@code false} to
-     *                                  ignore the header
+     *                                  illegal header names or values,
+     *                                  {@code false} to ignore the header
+     *
+     * @deprecated Now an alias for {@link #setRejectIllegalHeader(boolean)}.
+     *             Will be removed in Tomcat 10 onwards.
      */
+    @Deprecated
     public void setRejectIllegalHeaderName(boolean rejectIllegalHeaderName) {
-        this.rejectIllegalHeaderName = rejectIllegalHeaderName;
+        this.rejectIllegalHeader = rejectIllegalHeaderName;
     }
 
 

java/org/apache/coyote/http11/AbstractInputBuffer.java

@@ -108,6 +108,11 @@ public abstract class AbstractInputBuffer<S> implements InputBuffer{
     protected int lastActiveFilter;
 
 
+    /**
+     * Do HTTP headers with illegal names and/or values cause the request to be
+     * rejected? Note that the field name is not quite right but cannot be
+     * easily changed without breaking binary compatibility.
+     */
     protected boolean rejectIllegalHeaderName;
 
 

java/org/apache/coyote/http11/Http11AprProcessor.java

@@ -61,7 +61,7 @@ protected Log getLog() {
     // ----------------------------------------------------------- Constructors
 
 
-    public Http11AprProcessor(int headerBufferSize, boolean rejectIllegalHeaderName,
+    public Http11AprProcessor(int headerBufferSize, boolean rejectIllegalHeader,
             AprEndpoint endpoint, int maxTrailerSize, Set<String> allowedTrailerHeaders,
             int maxExtensionSize, int maxSwallowSize, String relaxedPathChars,
             String relaxedQueryChars) {
@@ -70,7 +70,7 @@ public Http11AprProcessor(int headerBufferSize, boolean rejectIllegalHeaderName,
 
         httpParser = new HttpParser(relaxedPathChars, relaxedQueryChars);
 
-        inputBuffer = new InternalAprInputBuffer(request, headerBufferSize, rejectIllegalHeaderName,
+        inputBuffer = new InternalAprInputBuffer(request, headerBufferSize, rejectIllegalHeader,
                 httpParser);
         request.setInputBuffer(inputBuffer);
 

java/org/apache/coyote/http11/Http11AprProtocol.java

@@ -299,7 +299,7 @@ protected void longPoll(SocketWrapper<Long> socket,
         @Override
         protected Http11AprProcessor createProcessor() {
             Http11AprProcessor processor = new Http11AprProcessor(
-                    proto.getMaxHttpHeaderSize(), proto.getRejectIllegalHeaderName(),
+                    proto.getMaxHttpHeaderSize(), proto.getRejectIllegalHeader(),
                     (AprEndpoint)proto.endpoint, proto.getMaxTrailerSize(),
                     proto.getAllowedTrailerHeadersAsSet(), proto.getMaxExtensionSize(),
                     proto.getMaxSwallowSize(), proto.getRelaxedPathChars(),

java/org/apache/coyote/http11/Http11NioProcessor.java

@@ -66,7 +66,7 @@ protected Log getLog() {
     // ----------------------------------------------------------- Constructors
 
 
-    public Http11NioProcessor(int maxHttpHeaderSize, boolean rejectIllegalHeaderName,
+    public Http11NioProcessor(int maxHttpHeaderSize, boolean rejectIllegalHeader,
             NioEndpoint endpoint, int maxTrailerSize, Set<String> allowedTrailerHeaders,
             int maxExtensionSize, int maxSwallowSize, String relaxedPathChars,
             String relaxedQueryChars) {
@@ -76,7 +76,7 @@ public Http11NioProcessor(int maxHttpHeaderSize, boolean rejectIllegalHeaderName
         httpParser = new HttpParser(relaxedPathChars, relaxedQueryChars);
 
         inputBuffer = new InternalNioInputBuffer(request, maxHttpHeaderSize,
-                rejectIllegalHeaderName, httpParser);
+                rejectIllegalHeader, httpParser);
         request.setInputBuffer(inputBuffer);
 
         outputBuffer = new InternalNioOutputBuffer(response, maxHttpHeaderSize);

java/org/apache/coyote/http11/Http11NioProtocol.java

@@ -264,7 +264,7 @@ protected void longPoll(SocketWrapper<NioChannel> socket,
         @Override
         public Http11NioProcessor createProcessor() {
             Http11NioProcessor processor = new Http11NioProcessor(
-                    proto.getMaxHttpHeaderSize(), proto.getRejectIllegalHeaderName(),
+                    proto.getMaxHttpHeaderSize(), proto.getRejectIllegalHeader(),
                     (NioEndpoint)proto.endpoint, proto.getMaxTrailerSize(),
                     proto.getAllowedTrailerHeadersAsSet(), proto.getMaxExtensionSize(),
                     proto.getMaxSwallowSize(), proto.getRelaxedPathChars(),

java/org/apache/coyote/http11/Http11Processor.java

@@ -51,7 +51,7 @@ protected Log getLog() {
    // ------------------------------------------------------------ Constructor
 
 
-    public Http11Processor(int headerBufferSize, boolean rejectIllegalHeaderName,
+    public Http11Processor(int headerBufferSize, boolean rejectIllegalHeader,
             JIoEndpoint endpoint, int maxTrailerSize, Set<String> allowedTrailerHeaders,
             int maxExtensionSize, int maxSwallowSize, String relaxedPathChars,
             String relaxedQueryChars) {
@@ -60,7 +60,7 @@ public Http11Processor(int headerBufferSize, boolean rejectIllegalHeaderName,
 
         httpParser = new HttpParser(relaxedPathChars, relaxedQueryChars);
 
-        inputBuffer = new InternalInputBuffer(request, headerBufferSize, rejectIllegalHeaderName,
+        inputBuffer = new InternalInputBuffer(request, headerBufferSize, rejectIllegalHeader,
                 httpParser);
         request.setInputBuffer(inputBuffer);
 

java/org/apache/coyote/http11/Http11Protocol.java

@@ -163,7 +163,7 @@ protected void longPoll(SocketWrapper<Socket> socket,
         @Override
         protected Http11Processor createProcessor() {
             Http11Processor processor = new Http11Processor(
-                    proto.getMaxHttpHeaderSize(), proto.getRejectIllegalHeaderName(),
+                    proto.getMaxHttpHeaderSize(), proto.getRejectIllegalHeader(),
                     (JIoEndpoint)proto.endpoint, proto.getMaxTrailerSize(),
                     proto.getAllowedTrailerHeadersAsSet(), proto.getMaxExtensionSize(),
                     proto.getMaxSwallowSize(), proto.getRelaxedPathChars(),

java/org/apache/coyote/http11/InternalAprInputBuffer.java

@@ -52,7 +52,7 @@ public class InternalAprInputBuffer extends AbstractInputBuffer<Long> {
      * Alternate constructor.
      */
     public InternalAprInputBuffer(Request request, int headerBufferSize,
-            boolean rejectIllegalHeaderName, HttpParser httpParser) {
+            boolean rejectIllegalHeader, HttpParser httpParser) {
 
         this.request = request;
         headers = request.getMimeHeaders();
@@ -64,7 +64,7 @@ public InternalAprInputBuffer(Request request, int headerBufferSize,
             bbuf = ByteBuffer.allocateDirect((headerBufferSize / 1500 + 1) * 1500);
         }
 
-        this.rejectIllegalHeaderName = rejectIllegalHeaderName;
+        this.rejectIllegalHeaderName = rejectIllegalHeader;
         this.httpParser = httpParser;
 
         inputStreamInputBuffer = new SocketInputBuffer();
@@ -351,6 +351,8 @@ private boolean parseHeader()
         //
 
         byte chr = 0;
+        byte prevChr = 0;
+
         while (true) {
 
             // Read new bytes if needed
@@ -359,19 +361,23 @@ private boolean parseHeader()
                     throw new EOFException(sm.getString("iib.eof.error"));
             }
 
+            prevChr = chr;
             chr = buf[pos];
 
-            if (chr == Constants.CR) {
-                // Skip
-            } else if (chr == Constants.LF) {
-                pos++;
+            if (chr == Constants.CR && prevChr != Constants.CR) {
+                // Possible start of CRLF - process the next byte.
+            } else if (prevChr == Constants.CR && chr == Constants.LF) {
+                    pos++;
                 return false;
             } else {
+                if (prevChr == Constants.CR) {
+                    // Must have read two bytes (first was CR, second was not LF)
+                    pos--;
+                }
                 break;
             }
 
             pos++;
-
         }
 
         // Mark the current buffer position
@@ -456,10 +462,24 @@ private boolean parseHeader()
                         throw new EOFException(sm.getString("iib.eof.error"));
                 }
 
-                if (buf[pos] == Constants.CR) {
-                    // Skip
-                } else if (buf[pos] == Constants.LF) {
+                prevChr = chr;
+                chr = buf[pos];
+                if (chr == Constants.CR) {
+                    // Possible start of CRLF - process the next byte.
+                } else if (prevChr == Constants.CR && chr == Constants.LF) {
                     eol = true;
+                } else if (prevChr == Constants.CR) {
+                    // Invalid value
+                    // Delete the header (it will be the most recent one)
+                    headers.removeHeader(headers.size() - 1);
+                    skipLine(lineStart, start);
+                    return true;
+                } else if (chr != Constants.HT && HttpParser.isControl(chr)) {
+                    // Invalid value
+                    // Delete the header (it will be the most recent one)
+                    headers.removeHeader(headers.size() - 1);
+                    skipLine(lineStart, start);
+                    return true;
                 } else if (buf[pos] == Constants.SP) {
                     buf[realPos] = buf[pos];
                     realPos++;
@@ -512,6 +532,9 @@ private void skipLine(int lineStart, int start) throws IOException {
             lastRealByte = pos - 1;
         }
 
+        byte chr = 0;
+        byte prevChr = 0;
+
         while (!eol) {
 
             // Read new bytes if needed
@@ -520,9 +543,12 @@ private void skipLine(int lineStart, int start) throws IOException {
                     throw new EOFException(sm.getString("iib.eof.error"));
             }
 
-            if (buf[pos] == Constants.CR) {
+            prevChr = chr;
+            chr = buf[pos];
+
+            if (chr == Constants.CR) {
                 // Skip
-            } else if (buf[pos] == Constants.LF) {
+            } else if (prevChr == Constants.CR && chr == Constants.LF) {
                 eol = true;
             } else {
                 lastRealByte = pos;

java/org/apache/coyote/http11/InternalInputBuffer.java

@@ -53,14 +53,14 @@ public class InternalInputBuffer extends AbstractInputBuffer<Socket> {
      * Default constructor.
      */
     public InternalInputBuffer(Request request, int headerBufferSize,
-            boolean rejectIllegalHeaderName, HttpParser httpParser) {
+            boolean rejectIllegalHeader, HttpParser httpParser) {
 
         this.request = request;
         headers = request.getMimeHeaders();
 
         buf = new byte[headerBufferSize];
 
-        this.rejectIllegalHeaderName = rejectIllegalHeaderName;
+        this.rejectIllegalHeaderName = rejectIllegalHeader;
         this.httpParser = httpParser;
 
         inputStreamInputBuffer = new InputStreamInputBuffer();
@@ -303,6 +303,8 @@ private boolean parseHeader()
         //
 
         byte chr = 0;
+        byte prevChr = 0;
+
         while (true) {
 
             // Read new bytes if needed
@@ -311,19 +313,23 @@ private boolean parseHeader()
                     throw new EOFException(sm.getString("iib.eof.error"));
             }
 
+            prevChr = chr;
             chr = buf[pos];
 
-            if (chr == Constants.CR) {
-                // Skip
-            } else if (chr == Constants.LF) {
+            if (chr == Constants.CR && prevChr != Constants.CR) {
+                // Possible start of CRLF - process the next byte.
+            } else if (prevChr == Constants.CR && chr == Constants.LF) {
                 pos++;
                 return false;
             } else {
+                if (prevChr == Constants.CR) {
+                    // Must have read two bytes (first was CR, second was not LF)
+                    pos--;
+                }
                 break;
             }
 
             pos++;
-
         }
 
         // Mark the current buffer position
@@ -409,15 +415,29 @@ private boolean parseHeader()
                         throw new EOFException(sm.getString("iib.eof.error"));
                 }
 
-                if (buf[pos] == Constants.CR) {
-                    // Skip
-                } else if (buf[pos] == Constants.LF) {
+                prevChr = chr;
+                chr = buf[pos];
+                if (chr == Constants.CR) {
+                    // Possible start of CRLF - process the next byte.
+                } else if (prevChr == Constants.CR && chr == Constants.LF) {
                     eol = true;
-                } else if (buf[pos] == Constants.SP) {
-                    buf[realPos] = buf[pos];
+                } else if (prevChr == Constants.CR) {
+                    // Invalid value
+                    // Delete the header (it will be the most recent one)
+                    headers.removeHeader(headers.size() - 1);
+                    skipLine(lineStart, start);
+                    return true;
+                } else if (chr != Constants.HT && HttpParser.isControl(chr)) {
+                    // Invalid value
+                    // Delete the header (it will be the most recent one)
+                    headers.removeHeader(headers.size() - 1);
+                    skipLine(lineStart, start);
+                    return true;
+                } else if (chr == Constants.SP) {
+                    buf[realPos] = chr;
                     realPos++;
                 } else {
-                    buf[realPos] = buf[pos];
+                    buf[realPos] = chr;
                     realPos++;
                     lastSignificantChar = realPos;
                 }
@@ -483,6 +503,9 @@ private void skipLine(int lineStart, int start) throws IOException {
             lastRealByte = pos - 1;
         }
 
+        byte chr = 0;
+        byte prevChr = 0;
+
         while (!eol) {
 
             // Read new bytes if needed
@@ -491,9 +514,12 @@ private void skipLine(int lineStart, int start) throws IOException {
                     throw new EOFException(sm.getString("iib.eof.error"));
             }
 
-            if (buf[pos] == Constants.CR) {
+            prevChr = chr;
+            chr = buf[pos];
+
+            if (chr == Constants.CR) {
                 // Skip
-            } else if (buf[pos] == Constants.LF) {
+            } else if (prevChr == Constants.CR && chr == Constants.LF) {
                 eol = true;
             } else {
                 lastRealByte = pos;