markt-asf commented on a change in pull request #325: URL: https://github.com/apache/tomcat/pull/325#discussion_r468504398
########## File path: java/org/apache/catalina/servlets/DefaultServlet.java
##########
@@ -2611,6 +2574,44 @@ private PrecompressedResource(WebResource resource, CompressionFormat format) { } } + /** + * RFC 7232 requires weak comparison for If-None-Match + */ + private boolean matchByEtagWeak(String headerValue, String eTag) { + // Match W/"1" and W/"1" + if (headerValue.contains(eTag)) {

Review comment:
Garbage in, garbage out is not an acceptable way to handle HTTP headers. Failure to reject malformed HTTP headers from clients can lead to security issues - typically request smuggling - when a proxy takes a different approach to allowing the invalid header to the back-end server, although in this instance the proxy would need to do something pretty unusual.

The right solution here is to implement RFC 7232 compliant parsing of `entity-tag` in `org.apache.tomcat.util.http.parser`. Tomcat has been tightening up the parsing of HTTP headers over time, generally improving things as parsing issues are raised with each header. It appears that now is the time to address `entity-tag`.

I also note that we should make the use of weak comparison for `If-Match` configurable. Users that extend the Default servlet to provide strong ETags (or use a custom resource implementation) will almost certainly want to use a strong comparison here.

I'll start work on a suitable parser.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at: us...@infra.apache.org

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
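Review bot: `headerValue.contains(eTag)` in `matchByEtagWeak` is a substring test on the raw header, not an RFC 7232 weak comparison. It never splits the `1#entity-tag` list on commas and never checks the `DQUOTE *etagc DQUOTE` grammar of each element, so a malformed If-None-Match value is silently accepted rather than rejected, which is the "garbage in, garbage out" the review objects to. It also gets the weakness flag wrong in both directions: `W/"1"` matches `"1"` only because one string happens to be a substring of the other, and if `eTag` itself carries the `W/` prefix a client tag sent without it will not be found, even though weak comparison must treat them as equal. Parse the header into a list of entity-tags first, then compare opaque-tags with the `W/` prefix ignored; the inline comment `// Match W/"1" and W/"1"` should then also cover the `"1"` vs `W/"1"` case, and the Javadoc should say which header(s) the method is meant for.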
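Added example, not code from the pull request or from Tomcat: a small RFC 7232 `entity-tag` parser with both the weak comparison the comment above requires for If-None-Match and the strong comparison it wants to be selectable for If-Match. The class and method names (`EntityTagParser`, `Condition`, `matches`, the `useWeak` flag) are hypothetical, the grammar is quoted from RFC 7232 section 2.3 and the list rule from RFC 7230 section 7, and the inputs in `main` are constructed for illustration. Malformed values throw so the caller can reject the request instead of guessing.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * Illustrative RFC 7232 entity-tag parsing and comparison (not Tomcat code).
 *
 *   entity-tag = [ weak ] opaque-tag
 *   weak       = %x57.2F            ; "W/", case-sensitive
 *   opaque-tag = DQUOTE *etagc DQUOTE
 *   etagc      = %x21 / %x23-7E / obs-text
 *   If-Match / If-None-Match = "*" / 1#entity-tag
 */
public final class EntityTagParser {

    /** One parsed entity-tag; opaque holds the text between the DQUOTEs. */
    public static final class EntityTag {
        public final boolean weak;
        public final String opaque;
        EntityTag(boolean weak, String opaque) { this.weak = weak; this.opaque = opaque; }
        /** Weak comparison (RFC 7232 2.3.2): opaque-tags equal, weakness ignored. */
        public boolean weakMatch(EntityTag o) { return opaque.equals(o.opaque); }
        /** Strong comparison: both tags strong and opaque-tags equal. */
        public boolean strongMatch(EntityTag o) { return !weak && !o.weak && opaque.equals(o.opaque); }
    }

    /** Parsed header value: either "*" (any == true, tags empty) or one or more tags. */
    public static final class Condition {
        public final boolean any;
        public final List<EntityTag> tags;
        Condition(boolean any, List<EntityTag> tags) { this.any = any; this.tags = tags; }
    }

    private static boolean isOws(char c) { return c == ' ' || c == '\t'; }

    private static boolean isEtagc(char c) {
        // VCHAR except DQUOTE, plus obs-text (0x80-0xFF as seen after ISO-8859-1 decoding)
        return c == 0x21 || (c >= 0x23 && c <= 0x7E) || (c >= 0x80 && c <= 0xFF);
    }

    /**
     * Parses an If-Match / If-None-Match value. Throws IllegalArgumentException on any
     * deviation from the grammar so the caller can answer 400 instead of guessing.
     */
    public static Condition parse(String header) {
        if (header == null) throw new IllegalArgumentException("missing header value");
        String s = header.trim();
        if (s.equals("*")) return new Condition(true, Collections.emptyList());
        List<EntityTag> tags = new ArrayList<>();
        int i = 0, n = s.length();
        while (i < n) {
            while (i < n && isOws(s.charAt(i))) i++;
            if (i == n) break;
            if (s.charAt(i) == ',') { i++; continue; }   // empty list element, tolerated by RFC 7230 section 7
            boolean weak = s.startsWith("W/", i);        // "W/" is case-sensitive; "w/" is rejected below
            if (weak) i += 2;
            if (i == n || s.charAt(i) != '"') throw new IllegalArgumentException("expected DQUOTE at " + i);
            int start = ++i;
            while (i < n && s.charAt(i) != '"') {
                if (!isEtagc(s.charAt(i))) throw new IllegalArgumentException("invalid etagc at " + i);
                i++;
            }
            if (i == n) throw new IllegalArgumentException("unterminated opaque-tag");
            tags.add(new EntityTag(weak, s.substring(start, i)));
            i++;                                          // closing DQUOTE
            while (i < n && isOws(s.charAt(i))) i++;
            if (i < n && s.charAt(i) != ',') throw new IllegalArgumentException("expected ',' at " + i);
        }
        if (tags.isEmpty()) throw new IllegalArgumentException("1#entity-tag requires at least one tag");
        return new Condition(false, tags);
    }

    /**
     * True when the header condition is satisfied by the resource's current ETag.
     * If-None-Match uses weak comparison (RFC 7232 3.2); If-Match uses strong comparison
     * unless the caller opts into weak matching, which is the configurability discussed above.
     */
    public static boolean matches(String header, String resourceEtag, boolean useWeak) {
        Condition c = parse(header);
        if (c.any) return true;
        EntityTag current = parse(resourceEtag).tags.get(0);
        for (EntityTag t : c.tags) {
            if (useWeak ? t.weakMatch(current) : t.strongMatch(current)) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        String etag = "W/\"1a2b\"";                                   // constructed weak resource ETag
        System.out.println(matches("W/\"1a2b\"", etag, true));        // true: weak vs weak
        System.out.println(matches("\"1a2b\"", etag, true));          // true: weak comparison ignores W/
        System.out.println(matches("\"1a2b\"", etag, false));         // false: strong comparison never matches a weak tag
        System.out.println(matches("\"x\", W/\"1a2b\"", etag, true)); // true: second element of the list
        for (String bad : new String[] { "1a2b", "W/\"1a2b", "w/\"1a2b\"", "\"1a2b\" \"x\"", "\"1a\"2b\"" }) {
            try { parse(bad); System.out.println("accepted " + bad); }
            catch (IllegalArgumentException e) { System.out.println("rejected " + bad + ": " + e.getMessage()); }
        }
    }
}
```

The five rejected inputs in `main` are all accepted by a `contains`-style check as long as the resource tag happens to be a substring; with a grammar-driven parser the decision to reject is made before any comparison, and the weak/strong choice is a single flag the servlet can expose as configuration.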