This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/8.5.x by this push:
     new a1efd94f75 Align with 9.0.x onwards - harden the default HTTP configuration
a1efd94f75 is described below
commit a1efd94f7506d0bf113a0c225ad6f3fb9af08307
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Tue May 2 14:28:43 2023 +0100
    Align with 9.0.x onwards - harden the default HTTP configuration
---
 java/org/apache/coyote/http11/AbstractHttp11Protocol.java | 2 +-
 webapps/docs/changelog.xml | 6 ++++++
 webapps/docs/config/http.xml | 3 +--
 3 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/java/org/apache/coyote/http11/AbstractHttp11Protocol.java b/java/org/apache/coyote/http11/AbstractHttp11Protocol.java
index c4e4fcf218..2b1d75b124 100644
--- a/java/org/apache/coyote/http11/AbstractHttp11Protocol.java
+++ b/java/org/apache/coyote/http11/AbstractHttp11Protocol.java
@@ -195,7 +195,7 @@ public abstract class AbstractHttp11Protocol<S> extends AbstractProtocol<S> {
     }
-    private boolean rejectIllegalHeader = false;
+    private boolean rejectIllegalHeader = true;
     /**
      * If an HTTP request is received that contains an illegal header name or value (e.g. the header name is not a
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index ebf9552cb6..6f989bdd51 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -148,6 +148,12 @@
         <code>true</code> to <code>false</code> to harden the default
         configuration. (markt)
       </scode>
+      <scode>
+        The default for the HTTP Connector attribute
+        <code>rejectIllegalHeader</code> has been changed from
+        <code>false</code> to <code>true</code> to harden the default
+        configuration. (markt)
+      </scode>
     </changelog>
   </subsection>
   <subsection name="Jasper">
diff --git a/webapps/docs/config/http.xml b/webapps/docs/config/http.xml
index 429c04f485..11f660d6cc 100644
--- a/webapps/docs/config/http.xml
+++ b/webapps/docs/config/http.xml
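Review bot: The Javadoc that starts immediately after the flipped field (`/** If an HTTP request is received that contains an illegal header name or value ...`) is cut off by the hunk, so it cannot be confirmed here whether the getter/setter documentation in the Java source still describes the old `false` default; http.xml was updated in this commit but that Javadoc was not touched, and if it states a default it now disagrees with the code. I would add a sentence there such as `* Defaults to {@code true}: a request carrying a malformed header name or value is rejected with a 400 instead of having the header silently dropped while the rest of the request is processed.` The docs hunk also lists a separate `rejectIllegalHeaderName` attribute; if that is an alias for this field, its description should reflect the new default as well. Since this lands on the 8.5.x maintenance branch, deployments behind a proxy that forwards non-token header names will start seeing 400s after upgrading, which is the intended hardening but worth stating explicitly in the changelog entry. AbstractHttp11Protocol continues outside the hunk.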
@@ -632,8 +632,7 @@ value (e.g. the header name is not a token) this setting determines if the request will be rejected with a 400 response (<code>true</code>) or if the illegal header be ignored (<code>false</code>). The default value is
-      <code>false</code> which will cause the request to be processed but the
-      illegal header will be ignored.</p>
+      <code>true</code> which will cause the request to be rejected.</p>
     </attribute>
     <attribute name="rejectIllegalHeaderName" required="false">
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org