https://bz.apache.org/bugzilla/show_bug.cgi?id=64210
--- Comment #8 from Em Domingues <michael.doming...@gmail.com> ---
(In reply to Michael Osipov from comment #7)
> (In reply to Em Domingues from comment #6)
> > I assume this was intentional, but in the event it wasn't, the combination
> > of the patch for this issue and the previous "strict header value parsing"
> > commit have resulted in Tomcat rejecting all requests that use a single LF
> > as a delimiter between HTTP request lines as opposed to the correct
> > delimiter of CRLF.
> >
> > Per RFC 2616 Section 19.3 (https://tools.ietf.org/html/rfc2616#section-19.3)
> > it is recommended that applications be tolerant of malformed requests, with
> > HTTP header delimiters called out as a particular area of note:
> > > The line terminator for message-header fields is the sequence CRLF.
> > > However, we recommend that applications, when parsing such headers,
> > > recognize a single LF as a line terminator and ignore the leading CR.
> >
> > After deploying Tomcat 8.5.53 in our environment, we noticed that our
> > hardware load balancers were sending malformed requests of the following
> > format to perform host liveness checks against our app servers:
> > GET /foo HTTP/1.0\nHost: host.example.com \nConnection: Close\r\n\r\n
> >
> > We are able to correct these requests (thankfully) but this behavior wasn't
> > called out in the Tomcat release notes. It also represents a stricter
> > interpretation of RFC 2616 than other major web server software, so I
> > figured I'd at least flag it here.
>
> I can't find similar in https://tools.ietf.org/html/rfc7230#section-3.1.1
>
> RFC 2616 is obsolete.

I'm aware. This still runs counter to the robustness principle, no?
For example, the implementation is inconsistent in where it errs on the side of being strict (here) and where it errs on the side of being tolerant (allowing multiple SP or HT between tokens) even when that's similarly against spec: https://github.com/apache/tomcat/blob/ae8c82eff96990878e79691819ae941538ee62fd/java/org/apache/coyote/http11/Http11InputBuffer.java#L404
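
An added example, not part of the original message and not Tomcat's code: a checker that reports which line terminators in a raw request head a CRLF-only parser (the strict behaviour described above) would reject, and rewrites bare-LF terminators to CRLF so a liveness probe can be corrected. The function names and the `PROBE` constant are hypothetical; `PROBE` is constructed from the request format quoted in the message.

```python
import re

# One line plus its terminator; a CR not followed by LF stays inside the line.
_LINE = re.compile(rb"([^\n]*?)(\r\n|\n)")


def scan_head(raw: bytes):
    """Return (lines, head_end): lines is [(line_no, text, terminator)],
    head_end is the offset just past the blank line, or None if absent."""
    lines = []
    for no, m in enumerate(_LINE.finditer(raw), start=1):
        text, term = m.group(1), m.group(2)
        lines.append((no, text, term))
        if text == b"":  # blank line ends the request head
            return lines, m.end()
    return lines, None


def violations(raw: bytes):
    """Problems a CRLF-only parser would reject, as (line_no, reason)."""
    lines, head_end = scan_head(raw)
    found = []
    for no, text, term in lines:
        if term == b"\n":
            found.append((no, "bare LF terminator"))
        if b"\r" in text:
            found.append((no, "bare CR inside line"))
    if head_end is None:
        found.append((len(lines) + 1, "head not terminated by blank line"))
    return found


def to_crlf(raw: bytes) -> bytes:
    """Rewrite bare-LF terminators in the head to CRLF; body bytes untouched."""
    lines, head_end = scan_head(raw)
    if head_end is None or any(b"\r" in t for _, t, _ in lines):
        raise ValueError("cannot normalise: incomplete head or bare CR")
    return b"".join(t + b"\r\n" for _, t, _ in lines) + raw[head_end:]


# Constructed input: the probe format quoted in the message above.
PROBE = b"GET /foo HTTP/1.0\nHost: host.example.com \nConnection: Close\r\n\r\n"

if __name__ == "__main__":
    for no, problem in violations(PROBE):
        print(f"line {no}: {problem}")
    print(to_crlf(PROBE))
```
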