https://bz.apache.org/bugzilla/show_bug.cgi?id=62739

            Bug ID: 62739
           Summary: Tomcat should allow blank Host header
           Product: Tomcat 7
           Version: 7.0.90
          Hardware: Macintosh
                OS: Mac OS X 10.1
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Connectors
          Assignee: dev@tomcat.apache.org
          Reporter: michaelomich...@gmail.com
  Target Milestone: ---

Changes to request handling in 7.0.87 mean that sending an empty string for the
"Host" request header now results in a "400 Bad Request" response, even though
the request is legal.

This can be demonstrated by running the following command:

    curl -XGET -v -I -H "Host: " "http://localhost:8080/RELEASE-NOTES.txt"

The request that is sent is:

    GET /RELEASE-NOTES.txt HTTP/1.1
    Host:
    User-Agent: curl/7.54.0
    Accept: */*

According to RFC 7230 (https://tools.ietf.org/html/rfc7230#section-5.4) it is
legal for the Host header to have an empty field value:

    "If the authority component is missing or undefined for the target URI, 
    then a client MUST send a Host header field with an empty field-value."

While uncommon, I have come across such cases.  For example, an F5 load
balancer wants to make an HTTP request to help determine whether or not a given
HTTP server is still 'alive', so it creates a TCP connection and then sends the
following text string:

    GET /alive.html HTTP/1.1\r\nHost:\r\n\r\n

Changing this string so that the Host header is not blank would, of course, be
the easiest option, but it is not always possible to do, especially if the same
string is used for many disparate server types.

We should modify the code (AbstractHttp11Processor, I'm guessing?) to allow a
blank Host header value.

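The distinction the report relies on (RFC 7230 section 5.4 permits an empty Host field-value, while an HTTP/1.1 request with no Host header, more than one, or an invalid value must get a 400), shown as an added example that is not part of the report or of Tomcat's code. The function name `check_host` and the simplified host grammar are assumptions; every sample request except the F5 probe is constructed.

```python
import re

# Host = uri-host [ ":" port ] (RFC 7230 section 5.4). Simplified assumption:
# reg-name/IPv4 characters or a bracketed IPv6 literal, then an optional port.
# The pattern deliberately matches the empty string (empty field-value).
_HOST_RE = re.compile(
    r"(?:\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9._~!$&'()*+,;=%-]*)(?::[0-9]*)?"
)


def check_host(raw: bytes) -> int:
    """Return 400 if the Host header rules require rejection, else 200."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    parts = request_line.split(" ")
    if len(parts) != 3:
        return 400  # not "method SP request-target SP HTTP-version"
    version = parts[2]
    hosts = []
    for line in header_lines:
        name, sep, value = line.partition(":")
        if not sep or not name or name != name.strip():
            return 400  # no colon, or whitespace around the field name
        if name.lower() == "host":
            hosts.append(value.strip(" \t"))  # drop optional whitespace
    if len(hosts) > 1:
        return 400  # more than one Host header: reject for any version
    if not hosts:
        # Absent is not the same as empty: HTTP/1.1 requires the header.
        return 400 if version == "HTTP/1.1" else 200
    return 200 if _HOST_RE.fullmatch(hosts[0]) else 400


# First entry is the probe quoted in the report; the rest are constructed.
SAMPLES = {
    "f5_probe": b"GET /alive.html HTTP/1.1\r\nHost:\r\n\r\n",
    "no_host": b"GET /alive.html HTTP/1.1\r\n\r\n",
    "two_hosts": b"GET / HTTP/1.1\r\nHost:\r\nHost: example.com\r\n\r\n",
    "bad_value": b"GET / HTTP/1.1\r\nHost: exa mple.com\r\n\r\n",
    "with_port": b"GET / HTTP/1.1\r\nHost: localhost:8080\r\n\r\n",
}

if __name__ == "__main__":
    for label, request in SAMPLES.items():
        print(label, check_host(request))
```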