https://bz.apache.org/bugzilla/show_bug.cgi?id=64705
Bug ID: 64705
Summary: Host header differing from URL host is still allowed (even when allowHostHeaderMismatch="false" in Connector)
Product: Tomcat 9
Version: 9.0.37
Hardware: PC
Status: NEW
Severity: normal
Priority: P2
Component: Connectors
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: -----
I tried this with version 9.0.37 (Windows 10) and 9.0.33 (Windows Server 2016).
The documentation states:
"allowHostHeaderMismatch
By default Tomcat will reject requests that specify a host in the request line
but specify a different host in the host header. This check can be disabled by
setting this attribute to true. If not specified, the default is false."
I tried setting allowHostHeaderMismatch both to true and false, and also not
setting it at all.
I used Postman to send a GET request with a Host header differing from the URL
host.
The server always responds with HTTP 200, but the server should respond with
400.
Configuration:
<Connector port="14080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="14443" allowHostHeaderMismatch="false" />
The release log states this was fixed earlier:
Tomcat 9.0.0 (markt)
Implement the requirements of RFC 7230 that any HTTP/1.1 request that specifies
a host in the request line, must specify the same host in the Host header and
that any such request that does not, must be rejected with a 400 response. This
check is optional but enabled by default. It may be disabled with the
allowHostHeaderMismatch attribute of the Connector. (markt)
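The RFC 7230 rule quoted in the 9.0.0 release note, worked through as an added example (this is not Tomcat's code): it distinguishes a request-target that carries a host (absolute-form, `GET http://localhost:14080/...`) from one that does not (origin-form, `GET /...`), compares the former against the Host header, and honours an `allow_mismatch` flag standing in for the Connector's `allowHostHeaderMismatch`. The sample requests are constructed; only the port 14080 is taken from the configuration above, and the "exactly one Host header" rule comes from RFC 7230 section 5.4.

```python
"""RFC 7230 request-line / Host header consistency check (added example,
not Tomcat's code). Inputs are assumed to be HTTP/1.1 requests."""
from typing import Optional
from urllib.parse import urlsplit

ALLOW_HOST_HEADER_MISMATCH = False  # stands in for the Connector attribute

def request_line_host(request_line: str) -> Optional[str]:
    """Return the host (with port, if any) named in the request-target, or
    None when the request-target names no host (origin-form such as "/x")."""
    _method, target, _version = request_line.split(" ", 2)
    if "://" in target:  # absolute-form, e.g. http://localhost:14080/x
        return urlsplit(target).netloc.lower()
    return None

def check_request(raw: bytes, allow_mismatch: bool = ALLOW_HOST_HEADER_MISMATCH) -> int:
    """Return the status the check yields: 400 to reject, 200 to accept."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    hosts = headers.get("host", [])
    if len(hosts) != 1:
        return 400  # RFC 7230 5.4: missing or duplicate Host is a 400
    uri_host = request_line_host(lines[0])
    if uri_host is None:
        return 200  # no host in the request line, so nothing to compare
    if uri_host != hosts[0].lower() and not allow_mismatch:
        return 400  # request-line host and Host header disagree
    return 200

# Constructed sample requests (not captured traffic).
ORIGIN_FORM_MISMATCH = (b"GET /index.html HTTP/1.1\r\n"
                        b"Host: other.example\r\n\r\n")
ABSOLUTE_FORM_MISMATCH = (b"GET http://localhost:14080/index.html HTTP/1.1\r\n"
                          b"Host: other.example\r\n\r\n")
ABSOLUTE_FORM_MATCH = (b"GET http://localhost:14080/index.html HTTP/1.1\r\n"
                       b"Host: localhost:14080\r\n\r\n")

if __name__ == "__main__":
    for name, req in [("origin-form mismatch", ORIGIN_FORM_MISMATCH),
                      ("absolute-form mismatch", ABSOLUTE_FORM_MISMATCH),
                      ("absolute-form match", ABSOLUTE_FORM_MATCH)]:
        print(f"{name}: {check_request(req)}")
```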