https://bz.apache.org/bugzilla/show_bug.cgi?id=65802
Bug ID: 65802
Summary: Invalid header name should be rejected in the HTTP
server response
Product: Tomcat 9
Version: 9.0.x
Hardware: Macintosh
OS: Mac OS X 10.1
Status: NEW
Severity: normal
Priority: P2
Component: Connectors
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: -----
Overview
========
Tomcat validates HTTP header names for incoming requests (returning an HTTP 400)
but allows sending a response containing illegal header names (with either
HTTP/1.1 or HTTP/2.0).
Context
=======
The HTTP/1.1 specification says
(https://datatracker.ietf.org/doc/html/rfc7230#appendix-B) (reordered):
> header-field = field-name ":" OWS field-value OWS
> field-name = token
> token = 1*tchar
> tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." /
> "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA
And also (https://datatracker.ietf.org/doc/html/rfc7230#section-3):
> A recipient MUST parse an HTTP message as a sequence of octets in an
> encoding that is a superset of US-ASCII [USASCII].
And then the HTTP/2.0 RFC says
(https://datatracker.ietf.org/doc/html/rfc7540#section-8.1.2):
> Just as in HTTP/1.x, header field names are strings of ASCII
> characters that are compared in a case-insensitive fashion. However,
> header field names MUST be converted to lowercase prior to their
> encoding in HTTP/2.
The issue
=========
Tomcat validates **incoming request** header names (for both HTTP/1.1 and
HTTP/2.0), but does not validate **outgoing response** header names.
Instead of rejecting an illegal header name in the response, Tomcat
silently corrupts the header.
For example: "😱: header-value" becomes "? : header-value" (which is not
even a valid header name, according to the RFC extract above).
Proposed solution
=================
Tomcat should reject such an HTTP response, either during response object
creation or when the response is sent.
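Until the container rejects these itself, an application can enforce the RFC 7230 token rule on its own side. The following is an added example, not Tomcat's code: an HttpServletResponseWrapper (to be installed from a javax.servlet.Filter) that rejects any response header name that is not `1*tchar`, so a name like "😱" raises an exception instead of being silently corrupted. The class and method names are my own.

```java
import java.util.BitSet;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/** Rejects response header names that are not RFC 7230 tokens (added example). */
public final class TokenCheckingResponse extends HttpServletResponseWrapper {

    // tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." /
    //         "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA      (RFC 7230, Appendix B)
    private static final BitSet TCHAR = new BitSet(128);
    static {
        for (char c : "!#$%&'*+-.^_`|~".toCharArray()) TCHAR.set(c);
        for (char c = '0'; c <= '9'; c++) TCHAR.set(c);
        for (char c = 'A'; c <= 'Z'; c++) TCHAR.set(c);
        for (char c = 'a'; c <= 'z'; c++) TCHAR.set(c);
    }

    public TokenCheckingResponse(HttpServletResponse response) {
        super(response);
    }

    /** True only for a non-empty name made entirely of tchar (token = 1*tchar). */
    static boolean isToken(String name) {
        if (name == null || name.isEmpty()) return false;
        for (int i = 0; i < name.length(); i++) {
            char c = name.charAt(i);
            // Any non-ASCII char (e.g. the surrogate pair of "😱") is >= 128 and fails here.
            if (c >= 128 || !TCHAR.get(c)) return false;
        }
        return true;
    }

    private static String checked(String name) {
        if (!isToken(name)) {
            throw new IllegalArgumentException("Invalid HTTP header name: " + name);
        }
        return name;
    }

    // Every header-writing entry point goes through the same check before delegating.
    @Override public void setHeader(String name, String value) { super.setHeader(checked(name), value); }
    @Override public void addHeader(String name, String value) { super.addHeader(checked(name), value); }
    @Override public void setIntHeader(String name, int value) { super.setIntHeader(checked(name), value); }
    @Override public void addIntHeader(String name, int value) { super.addIntHeader(checked(name), value); }
    @Override public void setDateHeader(String name, long date) { super.setDateHeader(checked(name), date); }
    @Override public void addDateHeader(String name, long date) { super.addDateHeader(checked(name), date); }
}
```

With this wrapper, `isToken("X-Custom-Header")` is true while `isToken("😱")` and `isToken("")` are false; the HTTP/2 lowercase requirement is left to the connector, which already lowercases valid names.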