https://bz.apache.org/bugzilla/show_bug.cgi?id=64210
--- Comment #7 from Michael Osipov <micha...@apache.org> --- (In reply to Em Domingues from comment #6) > I assume this was intentional, but in the event it wasn't, the combination > of the patch for this issue and the previous "strict header value parsing" > commit have resulted in Tomcat rejecting all requests that use a single LF > as a delimiter between HTTP request lines as opposed to the correct > delimiter of CRLF. > > Per RFC 2616 Section 19.3 (https://tools.ietf.org/html/rfc2616#section-19.3) > it is recommended that applications be tolerant of malformed requests, with > HTTP header delimiters called out as a particular area of note: > > The line terminator for message-header fields is the sequence CRLF. > > However, we recommend that applications, when parsing such headers, > > recognize a single LF as a line terminator and ignore the leading CR. > > After deploying Tomcat 8.5.53 in our environment, we noticed that our > hardware load balancers were sending malformed requests of the following > format to perform host liveness checks against our app servers: > GET /foo HTTP/1.0\nHost: host.example.com \nConnection: Close\r\n\r\n > > We are able to correct these requests (thankfully) but this behavior wasn't > called out in the Tomcat release notes. It also represents a stricter > interpretation of RFC 2616 than other major web server software, so I > figured I'd at least flag it here. I can't find similar in https://tools.ietf.org/html/rfc7230#section-3.1.1 RFC 2616 is obsolete. -- You are receiving this mail because: You are the assignee for the bug. --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
