https://bz.apache.org/bugzilla/show_bug.cgi?id=65802

--- Comment #7 from Nils R <renaud.n...@gmail.com> ---
To add to that point, I found out another reason to push this issue forward.

The HTTP/2.0 RFC (https://datatracker.ietf.org/doc/html/rfc7540#section-10.3)
says in the "Intermediary Encapsulation Attack" section:

> The HTTP/2 header field encoding allows the expression of names that
> are not valid field names in the Internet Message Syntax used by
> HTTP/1.1.  Requests or responses containing invalid header field
> names MUST be treated as malformed (Section 8.1.2.6).  An
> intermediary therefore cannot translate an HTTP/2 request or response
> containing an invalid field name into an HTTP/1.1 message.

So it seems that there is a security consideration to reject such header
names.

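The rule quoted from RFC 7540, as an added example of how an intermediary could enforce it before re-serialising a request as HTTP/1.1 (this is not code from the bug report or from Tomcat; the function names and the sample header list are assumptions made for illustration):

```python
# Added example (not from the bug report or Tomcat): apply the RFC 7540 rule
# quoted above. HPACK can carry any octet string as a header name, but
# HTTP/1.1 (RFC 7230) only allows "token" characters in a field name, so an
# intermediary must reject anything else instead of forwarding it as HTTP/1.1.
import string

# RFC 7230 tchar: "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." /
# "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA
TCHAR = frozenset("!#$%&'*+-.^_`|~" + string.digits + string.ascii_letters)

# RFC 7540 section 8.1.2.1: pseudo-header fields a request may carry.
REQUEST_PSEUDO_HEADERS = frozenset((b":method", b":scheme", b":authority", b":path"))

def h2_header_name_is_valid(name: bytes, allowed_pseudo=REQUEST_PSEUDO_HEADERS) -> bool:
    """True if an HTTP/2 header field name can safely be mapped to HTTP/1.1.

    Rejects (RFC 7540 8.1.2.6): empty names, unknown pseudo-headers, any
    non-tchar octet (space, CR, LF, colon, non-ASCII) and uppercase letters
    (RFC 7540 8.1.2 requires lowercase field names in HTTP/2).
    """
    if not name:
        return False
    if name.startswith(b":"):
        return name in allowed_pseudo
    for octet in name:
        ch = chr(octet)
        if ch not in TCHAR or ch.isupper():
            return False
    return True

def classify(headers):
    """Split a decoded HPACK header list into accepted and rejected names."""
    accepted, rejected = [], []
    for name, _value in headers:
        (accepted if h2_header_name_is_valid(name) else rejected).append(name)
    return accepted, rejected

# Constructed sample: a decoded HPACK header list of one HTTP/2 request.
SAMPLE = [
    (b":method", b"GET"),
    (b":path", b"/"),
    (b"content-length", b"0"),
    (b"Host", b"example.test"),      # uppercase: malformed in HTTP/2
    (b"x-bad\r\nx-other", b"1"),     # CR/LF: not representable as one HTTP/1.1 line
    (b"x-bad:", b"1"),               # colon: not a tchar
    (b"x-bad name", b"1"),           # space: not a tchar
]

if __name__ == "__main__":
    ok, bad = classify(SAMPLE)
    print("accepted:", ok)
    print("rejected:", bad)
```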