Author: markt Date: Fri Oct 5 10:38:52 2018 New Revision: 1842885 URL: http://svn.apache.org/viewvc?rev=1842885&view=rev Log: Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=62739 Do not reject requests with an empty HTTP Host header. Such requests are unusual but not invalid. Patch provided by Michael Orr. This closes #124.
Modified: tomcat/tc7.0.x/trunk/java/org/apache/coyote/AbstractProcessor.java tomcat/tc7.0.x/trunk/java/org/apache/coyote/ajp/AbstractAjpProcessor.java tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/AbstractHttp11Processor.java tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
Modified: tomcat/tc7.0.x/trunk/java/org/apache/coyote/AbstractProcessor.java
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/coyote/AbstractProcessor.java?rev=1842885&r1=1842884&r2=1842885&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/coyote/AbstractProcessor.java (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/coyote/AbstractProcessor.java Fri Oct 5 10:38:52 2018
@@ -203,6 +203,12 @@ public abstract class AbstractProcessor<
 protected void parseHost(MessageBytes valueMB) {
 if (valueMB == null || valueMB.isNull()) {
 populateHost();
+ populatePort();
+ return;
+ } else if (valueMB.getLength() == 0) {
+ // Empty Host header so set sever name to empty string
+ request.serverName().setString("");
+ populatePort();
 return;
 }
@@ -266,9 +272,9 @@ public abstract class AbstractProcessor<
 /**
- * Called when a host name is not present in the request (e.g. HTTP/1.0).
- * It populates the server name and port with appropriate information. The
- * source is expected to vary by protocol.
+ * Called when a host header is not present in the request (e.g. HTTP/1.0).
+ * It populates the server name with appropriate information. The source is
+ * expected to vary by protocol.
 * <p>
 * The default implementation is a NO-OP.
 */
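Review bot: In `parseHost`, the new `else if (valueMB.getLength() == 0)` branch leaves `request.serverName()` as the empty string, and nothing visible here pins how later consumers of the server name (host mapping, redirect or absolute-URL construction, host-based checks in applications) behave with that value. Presumably the request ends up on the default host, but that should be fixed by a test that sends an empty `Host:` header and asserts the mapped host and the server name and port seen by the application. The comment in that branch also has a typo and could record why the case is accepted: `// Empty Host header (valid, see bug 62739) so set server name to empty string`. The body of `parseHost` continues outside the hunk.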
@@ -276,6 +282,18 @@ public abstract class AbstractProcessor<
 // NO-OP
 }
+
+ /**
+ * Called when a host header is not present or is empty in the request (e.g.
+ * HTTP/1.0). It populates the server port with appropriate information. The
+ * source is expected to vary by protocol.
+ * <p>
+ * The default implementation is a NO-OP.
+ */
+ protected void populatePort() {
+ // NO-OP
+ }
+
 @Override
 public abstract boolean isUpgrade();
Modified: tomcat/tc7.0.x/trunk/java/org/apache/coyote/ajp/AbstractAjpProcessor.java
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/coyote/ajp/AbstractAjpProcessor.java?rev=1842885&r1=1842884&r2=1842885&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/coyote/ajp/AbstractAjpProcessor.java (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/coyote/ajp/AbstractAjpProcessor.java Fri Oct 5 10:38:52 2018
@@ -985,13 +985,11 @@ public abstract class AbstractAjpProcess
 /**
 * {@inheritDoc}
 * <p>
- * This implementation populates the server name and port from the local
- * name and port provided by the AJP message.
+ * This implementation populates the server name from the local name
+ * provided by the AJP message.
 */
 @Override
 protected void populateHost() {
- // No host information (HTTP/1.0)
- request.setServerPort(request.getLocalPort());
 try {
 request.serverName().duplicate(request.localName());
 } catch (IOException e) {
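Review bot: The Javadoc on the new `populatePort()` in `AbstractProcessor` should say that protocol implementations are expected to override it, because with the NO-OP default a request with a missing or empty Host header keeps whatever server port the request object already holds (its initial value is not visible here). The `(e.g. HTTP/1.0)` example only fits the missing-header case, while this method is now called for an empty header as well; something like `Called when the Host header is missing (e.g. HTTP/1.0) or empty.` reads more accurately. A subclass outside this commit that still sets the port inside `populateHost()` gets no port on the empty-header path, since only `populatePort()` is called there, which is worth a line in the Javadoc of both methods.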
@@ -1001,6 +999,19 @@ public abstract class AbstractAjpProcess
 }
+ /**
+ * {@inheritDoc}
+ * <p>
+ * This implementation populates the server port from the local port
+ * provided by the AJP message.
+ */
+ @Override
+ protected void populatePort() {
+ // No host information (HTTP/1.0)
+ request.setServerPort(request.getLocalPort());
+ }
+
+
 /**
 * When committing the response, we have to validate the set of headers, as
 * well as setup the response filters.
Modified: tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/AbstractHttp11Processor.java
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/AbstractHttp11Processor.java?rev=1842885&r1=1842884&r2=1842885&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/AbstractHttp11Processor.java (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/AbstractHttp11Processor.java Fri Oct 5 10:38:52 2018
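Review bot: The comment `// No host information (HTTP/1.0)` carried into the AJP `populatePort()` is no longer accurate, since `AbstractProcessor.parseHost` now also calls this method when the Host header is present but empty. Suggest `// Host header missing or empty: use the local port from the AJP message`; the HTTP/1.1 processor's version of this method drops the old comment entirely. The port used here is the one supplied in the AJP message, so it is only as reliable as the front end that speaks AJP to this connector; presumably that was already the case before this change.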
@@ -1739,21 +1739,24 @@ public abstract class AbstractHttp11Proc
 protected abstract boolean prepareSendfile(OutputFilter[] outputFilters);
+
+ /*
+ * Note: populateHost() is not over-ridden.
+ * request.serverName() will be set to return the default host name by
+ * the Mapper.
+ */
+
+
 /**
 * {@inheritDoc}
 * <p>
- * This implementation provides the server name from the default host and
- * the server port from the local port.
+ * This implementation provides the server port from the local port.
 */
 @Override
- protected void populateHost() {
- // No host information (HTTP/1.0)
+ protected void populatePort() {
 // Ensure the local port field is populated before using it.
 request.action(ActionCode.REQ_LOCALPORT_ATTRIBUTE, request);
 request.setServerPort(request.getLocalPort());
-
- // request.serverName() will be set to the default host name by the
- // mapper
 }
Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1842885&r1=1842884&r2=1842885&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Fri Oct 5 10:38:52 2018
@@ -71,6 +71,15 @@
 </fix>
 </changelog>
 </subsection>
+ <subsection name="Coyote">
+ <changelog>
+ <fix>
+ <bug>62739</bug>: Do not reject requests with an empty HTTP Host header.
+ Such requests are unusual but not invalid. Patch provided by Michael
+ Orr. (markt)
+ </fix>
+ </changelog>
+ </subsection>
 <subsection name="Jasper">
 <changelog>
 <fix>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
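Review bot: The free-standing `/* Note: populateHost() is not over-ridden ... */` comment in `AbstractHttp11Processor` describes only the missing-header case: on the empty-header path added to `AbstractProcessor.parseHost`, the server name has already been set to `""` before the Mapper is involved, and whether the Mapper then substitutes the default host name is not visible in this diff. Suggest extending it with a line such as `* For an empty Host header the server name is the empty string (see parseHost).` so a reader does not assume `request.serverName()` always ends up as the default host name. The Javadoc of `populatePort()` could likewise note that it runs for both a missing and an empty Host header.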