This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/8.5.x by this push:
     new 4bbfd89dab Align with 9.0.x onwards - harden the default HTTP 
configuration
4bbfd89dab is described below

commit 4bbfd89dab9e62d77d7fd968a3c15b86ff364e62
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Tue May 2 14:25:58 2023 +0100

    Align with 9.0.x onwards - harden the default HTTP configuration
---
 java/org/apache/coyote/http11/AbstractHttp11Protocol.java | 2 +-
 webapps/docs/changelog.xml                                | 6 ++++++
 webapps/docs/config/http.xml                              | 6 +++---
 3 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/java/org/apache/coyote/http11/AbstractHttp11Protocol.java 
b/java/org/apache/coyote/http11/AbstractHttp11Protocol.java
index a337f07234..c4e4fcf218 100644
--- a/java/org/apache/coyote/http11/AbstractHttp11Protocol.java
+++ b/java/org/apache/coyote/http11/AbstractHttp11Protocol.java
@@ -172,7 +172,7 @@ public abstract class AbstractHttp11Protocol<S> extends 
AbstractProtocol<S> {
     }
 
 
-    private boolean allowHostHeaderMismatch = true;
+    private boolean allowHostHeaderMismatch = false;
 
     /**
      * Will Tomcat accept an HTTP 1.1 request where the host header does not 
agree with the host specified (if any) in
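Review bot: The new default on line L34 is a behavior change on the 8.5.x branch — an HTTP/1.1 request whose request-line host differs from its Host header is now rejected rather than accepted — and the field carries no comment recording why; a why-comment such as `// Default to rejecting request-line/Host mismatches; aligned with 9.0.x onwards` would spare the next maintainer a trip to the changelog. The Javadoc that starts on the line below continues outside the hunk, as do the getter and setter for this field; if any of them still state that the default is true they need the same correction that webapps/docs/config/http.xml receives in this commit. Deployments that depended on the permissive default will see previously accepted requests rejected after upgrading, so this is worth flagging prominently in the release notes as well as the changelog entry.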
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 5e851fbde2..ebf9552cb6 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -142,6 +142,12 @@
         Add support for a new character set, <code>gb18030-2022</code> -
         introduced in Java 21, to the character set caching mechanism. (markt)
       </add>
+      <scode>
+        The default for the HTTP Connector attribute
+        <code>allowHostHeaderMismatch</code> has been changed from
+        <code>true</code> to <code>false</code> to harden the default
+        configuration. (markt)
+      </scode>
     </changelog>
   </subsection>
   <subsection name="Jasper">
diff --git a/webapps/docs/config/http.xml b/webapps/docs/config/http.xml
index 30f032ab80..429c04f485 100644
--- a/webapps/docs/config/http.xml
+++ b/webapps/docs/config/http.xml
@@ -342,10 +342,10 @@
     </attribute>
 
     <attribute name="allowHostHeaderMismatch" required="false">
-      <p>By default Tomcat will allow requests that specify a host in the
+      <p>By default Tomcat will reject requests that specify a host in the
       request line but specify a different host in the host header. This
-      check can be enabled by setting this attribute to <code>false</code>. If
-      not specified, the default is <code>true</code>.</p>
+      check can be disabled by setting this attribute to <code>true</code>. If
+      not specified, the default is <code>false</code>.</p>
     </attribute>
 
     <attribute name="allowedTrailerHeaders" required="false">

