On 13/03/2020 11:37, ma...@apache.org wrote:
> This is an automated email from the ASF dual-hosted git repository.
>
> markt pushed a commit to branch master
> in repository https://gitbox.apache.org/repos/asf/tomcat.git
>
>
> The following commit(s) were added to refs/heads/master by this push:
>      new 07aabd5  Add a check that the URIEncoding is a superset of US-ASCII.
> 07aabd5 is described below
>
> commit 07aabd553de3af3744b16014765e32d2d276a140
> Author: Mark Thomas <ma...@apache.org>
> AuthorDate: Fri Mar 13 11:36:54 2020 +0000
>
>     Add a check that the URIEncoding is a superset of US-ASCII.
>
>     This is a requirement of RFC7230, section 3.
This really needs to be back-ported. Some improvements in handling of edge cases in URIs depend on it.

The question is how strict do we want to be with older versions? Options are:

a) ignore, log a warning and use the default (what Tomcat 10 now does)
b) same as a) by default but with an option to switch to c)
c) log a warning but use the requested encoding

Past experience suggests there will be users, somewhere, using inappropriate encodings. RFC 7230 references potential security vulnerabilities of inappropriate encodings (I'd expect request smuggling and/or header injection).

I'm thinking c) log a warning for a couple of releases then switch to a). Possibly switching 8.5.x a couple of releases after we switch 9.0.x and 7.0.x a couple of releases after 8.5.x (if at all given the EOL announcement).

I'd prefer to avoid b) and yet another configuration option.

Thoughts?

Mark
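The check the quoted commit describes, together with the two policies Mark lists as a) and c), as an added Java example. This is not Tomcat's code and not what commit 07aabd5 implements; the class and method names (AsciiSupersetCheck, isAsciiSuperset, resolveUriEncoding, encodesWithBareLf), the UTF-8 fallback default, the sample configuration values and the warning wording are all assumptions made for the illustration. The last method shows the hazard RFC 7230 section 3 gives as its reason for the US-ASCII-superset rule: in an encoding that is not such a superset, a multibyte character can contain a raw LF octet (0x0A) that a byte-oriented line parser will treat as a line terminator.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.CharacterCodingException;
import java.nio.charset.Charset;
import java.nio.charset.CharsetEncoder;
import java.nio.charset.CodingErrorAction;
import java.nio.charset.IllegalCharsetNameException;
import java.nio.charset.StandardCharsets;
import java.nio.charset.UnsupportedCharsetException;

/** Hypothetical stand-alone illustration, not Tomcat code. */
public class AsciiSupersetCheck {

    /** True if every U+0000..U+007F encodes to exactly one byte whose value equals the code point. */
    static boolean isAsciiSuperset(Charset charset) {
        // REPORT rather than REPLACE: an unmappable ASCII character must fail the
        // check instead of silently becoming a substitution byte such as '?'.
        CharsetEncoder encoder = charset.newEncoder()
                .onMalformedInput(CodingErrorAction.REPORT)
                .onUnmappableCharacter(CodingErrorAction.REPORT);
        for (int c = 0; c < 128; c++) {
            ByteBuffer out;
            try {
                // encode(CharBuffer) resets the encoder on every call, so a charset that
                // emits a byte-order mark (e.g. UTF-16) yields extra bytes and fails below.
                out = encoder.encode(CharBuffer.wrap(String.valueOf((char) c)));
            } catch (CharacterCodingException e) {
                return false;
            }
            if (out.remaining() != 1 || (out.get() & 0xFF) != c) {
                return false;
            }
        }
        return true;
    }

    /**
     * Resolve a configured URIEncoding value. strict=true is option a): warn and use
     * the fallback. strict=false is option c): warn but honour the requested encoding.
     * A name the JVM does not know always falls back.
     */
    static Charset resolveUriEncoding(String configured, Charset fallback, boolean strict) {
        Charset requested;
        try {
            requested = Charset.forName(configured);
        } catch (IllegalCharsetNameException | UnsupportedCharsetException e) {
            System.err.println("WARN URIEncoding [" + configured + "] is not supported; using ["
                    + fallback.name() + "]");
            return fallback;
        }
        if (isAsciiSuperset(requested)) {
            return requested;
        }
        String reason = "WARN URIEncoding [" + requested.name()
                + "] is not a superset of US-ASCII (RFC 7230 section 3); ";
        if (strict) {
            System.err.println(reason + "using [" + fallback.name() + "]");
            return fallback;
        }
        System.err.println(reason + "using it anyway");
        return requested;
    }

    /** True if the charset's encoding of s contains a raw 0x0A octet. */
    static boolean encodesWithBareLf(Charset charset, String s) {
        for (byte b : s.getBytes(charset)) {
            if (b == 0x0A) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample URIEncoding values; UTF-8 is assumed as the fallback default.
        Charset fallback = StandardCharsets.UTF_8;
        String[] names = {"UTF-8", "ISO-8859-1", "UTF-16", "UTF-16BE", "IBM037", "no-such-charset"};
        for (String name : names) {
            String verdict = Charset.isSupported(name)
                    ? (isAsciiSuperset(Charset.forName(name)) ? "ASCII superset" : "NOT an ASCII superset")
                    : "unsupported on this JVM";
            System.out.println(name + ": " + verdict
                    + "; option a) -> " + resolveUriEncoding(name, fallback, true).name()
                    + "; option c) -> " + resolveUriEncoding(name, fallback, false).name());
        }
        // U+0A41 is a single character, yet its UTF-16BE form is the octets 0A 41: a parser
        // scanning bytes for LF would split a line inside that character. UTF-8 has no such case.
        String ch = "\u0A41";
        System.out.println("U+0A41 contains raw LF in UTF-16BE: "
                + encodesWithBareLf(StandardCharsets.UTF_16BE, ch)
                + ", in UTF-8: " + encodesWithBareLf(StandardCharsets.UTF_8, ch));
    }
}
```

The per-character round trip is deliberately stricter than asking whether the charset merely maps the ASCII repertoire: IBM037 (EBCDIC) maps every ASCII character but to different byte values, and UTF-16 maps each to two bytes, so both fail, which is the behaviour the RFC 7230 wording requires for an octet-oriented HTTP parser.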