On Mon, Mar 23, 2020 at 2:01 PM Mark Thomas <ma...@apache.org> wrote:
> Hi, > > I am currently looking at the request line parsing. I'll try and set out > each issue in turn. > > End of line parsing > =================== > > Prior to the recent changes, Tomcat allowed CRLF or LF to mark the end > of a line. The unwanted side effect was that CR could appear in the > header value. This caused problems and was tightened up to only allow > CRLF as a line terminator. > > Currently Tomcat requires CRLF everywhere apart from the end of the > request line for a HTTP 0.9 request where it also allows LF. > > This requirement to accept just LF as a line terminator first emerged in > the W3C spec [1]. RFC 1945 [2] and RFC 2616 [3] retained this as a > recommendation for all line terminators, RFC 7230 [4] no longer includes > this recommendation. > > RFC 7230 also removes the expectation that a server that supports > HTTP/1.1 will support HTTP 0.9. > > Arguably the current spec for HTTP/0.9 is [3]. > > The Servlet spec references RFC 7230 and RFC 1945 so arguably HTTP/0.9 > support is expected. > > > SP vs whitespace > ================ > > Tomcat currently accepts any combination of SP and HTAB where RFC 7230 > calls for a single SP. This stems from a recommendation in RFC 2616 > which is no longer present in RFC 7230. > > > I think we have three options. > > 1. No changes. > CRLF is required everywhere apart from HTTP/0.9 where LF is also > accepted. > Any combination of SP/HTAB is accepted where SP is required. > > 2. Tighten up as per RFC 7230 > a) Require CRLF for all line endings > b) Require SP where specified > c) Drop HTTP/0.9 support > > 3. Relax the recent changes to allow CRLF or LF as a line terminator > everywhere without allowing CR to appear in a request header. > > I think we should follow 1) for Tomcat 7, 8 & 9. > > I'm leaning towards 1 for 10.0.x as well with a view to discussing 2 in > the Servlet project. i.e. explicitly dropping HTTP 0.9 support and the > "Tolerant applications" requirements of RFC 1945 for Jakarta EE 10 > (Tomcat 10.1.x). > > In short this means largely do nothing apart from may be adding a few > more tests to explicitly check behaviour for various edge cases. > > I'll note that the regressions reported with the recent change to > requiring CRLF as a line terminator caused issues with valid HTTP/0.9 > requests but that this should now be resolved. > > We have had one user issue reported where a custom client was using LFLF > as a line terminator and requests are now being rejected. Given that was > never valid, I'm OK with that. > > Thoughts? > > Mark > > > > [1] https://www.w3.org/Protocols/HTTP/AsImplemented.html > [2] https://tools.ietf.org/html/rfc1945 > [3] https://tools.ietf.org/html/rfc2616 > [4] https://tools.ietf.org/html/rfc7230 > > > > > > With all of the above in mind I propose: > > - Doing nothing! I think Tomcat is striking the right balance here. > > This means: > GET /CRLF -> processed as HTTP/0.9 > GET /LF -> processed as HTTP/0.9 > GET / CRLF -> processed as HTTP/1.1 and rejected as invalid > GET / LF -> processed as HTTP/1.1 and rejected as invalid > > I want to write some tests to check this is behaving as expected but I'm > not expecting any changes to the parsing at this point. > +1, that sounds really good ! Rémy > > --------------------------------------------------------------------- > To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org > For additional commands, e-mail: dev-h...@tomcat.apache.org > >
