Disable tolerantEol by default for HTTP/1.1 header parsing#999
Closed
UserB1ank wants to merge 1 commit into
Closed
Disable tolerantEol by default for HTTP/1.1 header parsing#999UserB1ank wants to merge 1 commit into
UserB1ank wants to merge 1 commit into
Conversation
Change Http11InputBuffer to construct HttpHeaderParser with tolerantEol=false instead of true, requiring strict CRLF line endings in HTTP headers per RFC 7230. While RFC 7230 Section 3.5 permits recipients to accept bare LF as a line terminator, doing so by default creates a security risk when Tomcat is deployed behind a reverse proxy (nginx, AWS ALB, Cloudflare, etc.) that enforces strict CRLF parsing. In this common deployment topology, the proxy and Tomcat interpret the same raw bytes differently: the proxy sees one header value (containing the bare LF), while Tomcat's tolerantEol=true parses the bare LF as a header separator, splitting it into two headers. This semantic discrepancy enables: - HTTP Header Injection via bare LF in header values - Trust header forgery (X-Forwarded-For, X-Real-IP, etc.) - Potential HTTP Request Smuggling with strict-CRLF proxies This change only affects header parsing. Request line parsing in Http11InputBuffer.parseRequestLine() accepts bare LF independently (for HTTP/1.0 compatibility) and is not affected. Trailer headers in ChunkedInputFilter already use tolerantEol=false and are not affected. Impact: Non-conforming clients that send bare LF in headers will receive a 400 response. Modern clients and proxies all use CRLF. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Contributor
|
This PR and, more specifically, the false claims that there is security risk in accepting a bare LF as a line terminator is hereby rejected. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Change Http11InputBuffer to construct HttpHeaderParser with tolerantEol=false instead of true, requiring strict CRLF line endings in HTTP headers per RFC 7230.
While RFC 7230 Section 3.5 permits recipients to accept bare LF as a line terminator, doing so by default creates a security risk when Tomcat is deployed behind a reverse proxy (nginx, AWS ALB, Cloudflare, etc.) that enforces strict CRLF parsing.
In this common deployment topology, the proxy and Tomcat interpret the same raw bytes differently: the proxy sees one header value (containing the bare LF), while Tomcat's tolerantEol=true parses the bare LF as a header separator, splitting it into two headers. This semantic discrepancy enables:
This change only affects header parsing. Request line parsing in Http11InputBuffer.parseRequestLine() accepts bare LF independently (for HTTP/1.0 compatibility) and is not affected.
Trailer headers in ChunkedInputFilter already use
tolerantEol=false and are not affected.
Impact: Non-conforming clients that send bare LF in headers will receive a 400 response. Modern clients and proxies all use CRLF.