2 changes: 1 addition & 1 deletion java/org/apache/coyote/http11/Http11InputBuffer.java
Expand Up @@ -152,7 +152,7 @@ public Http11InputBuffer(Request request, int headerBufferSize, HttpParser httpP
parsingRequestLineQPos = -1;

parsingHeader = true;
httpHeaderParser = new HttpHeaderParser(this, request.getMimeHeaders(), true);
httpHeaderParser = new HttpHeaderParser(this, request.getMimeHeaders(), false);

swallowInput = true;

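Review bot: The flip from `true` to `false` in the `HttpHeaderParser` constructor call carries no comment, so the only record of why bare LF is now rejected lives in a test file, and a later maintainer of `Http11InputBuffer` cannot tell it is a deliberate hardening choice rather than an accident. Add a why-comment above the call, e.g. `// tolerantEol=false: reject bare LF as a header line terminator so this parser never sees a header boundary that a CRLF-strict front-end proxy did not (request smuggling / header injection).` Because this is a behavioural change for clients that send LF-only headers (which RFC 7230 §3.5 allows a recipient to accept), consider exposing it as a connector attribute or system property rather than a hard-coded literal, and record it in the changelog. The `Http11InputBuffer` constructor begins above the hunk, and any other places that construct `HttpHeaderParser` (for example for chunked trailer headers, if any) are not visible here—confirm they are updated consistently.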
6 changes: 5 additions & 1 deletion test/org/apache/coyote/http11/TestHttp11InputBuffer.java
Expand Up @@ -197,7 +197,11 @@ public void testBug51557CtlInValue() throws Exception {
continue;
}
if (i == '\n') {
// LF is the optional line terminator
// LF is no longer accepted as a line terminator
// (tolerantEol is now false). Treat as invalid control char.
doTestBug51557InvalidCharInValue((char) i);
tearDown();
setUp();
continue;
}
doTestBug51557InvalidCharInValue((char) i);
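Review bot: The rewritten `if (i == '\n')` branch now does the same thing as the generic path that follows it—`doTestBug51557InvalidCharInValue((char) i)` and, presumably, the same `tearDown()`/`setUp()` cycle that sits below the hunk—so the special case has become duplicated code rather than a distinct behaviour. Delete the whole `if (i == '\n') { ... continue; }` block and let LF flow into the ordinary invalid-control-character path, keeping only a one-line comment such as `// Bare LF is no longer tolerated as a line terminator (tolerantEol=false), so it is tested as an ordinary invalid control character.` Before removing it, verify that the fall-through path really performs the same reset after each invalid-char case; that part of the loop is outside the hunk. The enclosing loop in `testBug51557CtlInValue` starts before the hunk.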
9 changes: 7 additions & 2 deletions test/org/apache/coyote/http11/TestHttp11InputBufferCRLF.java
Expand Up @@ -81,9 +81,14 @@ public static Collection<Object[]> parameters() {
"GET /test?a=<b HTTP/1.1" + CRLF + "Host: localhost:8080" + CRLF + "Connection: close" + CRLF + CRLF,
Boolean.FALSE, parameterSets);

// Standard HTTP/1.1 request using LF rather than CRLF
// Standard HTTP/1.1 request using LF rather than CRLF - reject for
// strict RFC 7230 compliance. While RFC 7230 Section 3.5 permits
// recipients to accept bare LF, accepting it by default creates a
// security risk (HTTP Header Injection / Request Smuggling) when
// Tomcat is deployed behind a reverse proxy that enforces strict
// CRLF parsing.
addRequestWithSplits("GET /test HTTP/1.1" + LF + "Host: localhost:8080" + LF + "Connection: close" + LF + LF,
parameterSets);
Boolean.FALSE, parameterSets);

// Invalid HTTP/1.1 request using CR rather than CRLF
addRequestWithSplits("GET /test HTTP/1.1" + CR + "Host: localhost:8080" + CR + "Connection: close" + CR + CR,
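Review bot: The only LF request now asserted as rejected uses bare LF on every line, but the smuggling scenario the new comment describes is a request that a CRLF-strict proxy and Tomcat would delimit differently—a well-formed CRLF request line with a single header line terminated by bare LF. Add a mixed case so the regression is pinned at that boundary, e.g. `addRequestWithSplits("GET /test HTTP/1.1" + CRLF + "Host: localhost:8080" + LF + "Connection: close" + CRLF + CRLF, Boolean.FALSE, parameterSets);`, and ideally a second variant with LF placed inside the last header line before the terminating CRLF CRLF. The rationale is currently only in this test comment; a shorter version belongs next to the `HttpHeaderParser` construction in `Http11InputBuffer` so the two do not drift. The `parameters()` method continues beyond the hunk.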