Re: [Bug 69325] Tomcat not allowing CRLF characters in Request headers

2024-09-17 Thread Mark Thomas

On 17/09/2024 04:44, manjosh ramesh wrote:


> Hi, ok, so this was a bug in older tomcat release and has been fixed in newer
> version, is it?


Yes.


> Could you please share the bug id for this change?


No. Not every fix is associated with a bug ID since not every issue is 
raised via the issue tracker. This is such an issue.


You haven't been specific about which version worked and which one 
didn't although you do mention the issue appearing when you upgraded to 
8.5.99.


If I had to guess then I'd guess the change that uncovered the issue in 
your cookie header was the one that meant CRCRLF was rejected as a line 
terminator. That was in 8.5.82.


I'll note that Tomcat 8.5.x reached end of life on 31 March 2024 and is 
no longer supported by the ASF.


Extended support is available from various commercial entities for older 
versions of Tomcat. I would strongly recommend that anyone considering 
one of those options looks carefully at the provider's claims of Tomcat 
expertise. Or just upgrade to an ASF supported version.



> Because the older tomcat allows this type of request.


Quite possibly. There has been a general tightening up of HTTP request 
parsing over time. Partly in response to reported security 
vulnerabilities, partly as a preventative measure against the 
possibility of future vulnerabilities.



> Also our cookie is compliant. We are not able to find what is not compliant in
> our cookie.


No, it isn't. CR (^M) is not a permitted character in an HTTP request 
header so your cookie header is not valid.



> It only works when we remove '^M' or '^M$' from the end of line in our cookie.


As expected. Once you make the HTTP request specification compliant, 
Tomcat will accept it.


Mark



> Regards,
> Manjosh Ramesh
>
> On Monday, September 16, 2024 at 09:37:22 AM GMT+5:30, 
> wrote:
>
> https://bz.apache.org/bugzilla/show_bug.cgi?id=69325
>
> Chuck Caldarale  changed:
>
>            What    |Removed                    |Added
>
>              Status|UNCONFIRMED                |RESOLVED
>          Resolution|---                        |INVALID
>
> --- Comment #3 from Chuck Caldarale  ---
> As previously stated, any further discussion must be on the Tomcat users'
> mailing list. Do not reopen this bugzilla entry.




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



[ANN] Apache Tomcat 9.0.95 available

2024-09-17 Thread Rémy Maucherat
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 9.0.95.

Apache Tomcat 9 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language, Java
WebSocket and JASPIC technologies.

Apache Tomcat 9.0.95 is a bugfix and feature release. The notable
changes compared to 9.0.94 include:

  - Fix the regression in HTTP/2 support introduced in 9.0.94.

Along with lots of other bug fixes and improvements.

Please refer to the change log for the complete list of changes:
https://tomcat.apache.org/tomcat-9.0-doc/changelog.html

Downloads:
https://tomcat.apache.org/download-90.cgi

Migration guides from Apache Tomcat 7.x and 8.x:
https://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team




Re: [Bug 69325] Tomcat not allowing CRLF characters in Request headers

2024-09-17 Thread manjosh ramesh
Hi Mark,
What is strange is that we are obtaining the cookie by triggering an HTTP 
request to a spring-boot application running on Tomcat. The same tomcat server 
adds '^M$' at the end of each line in the response. 
If we redirect this response to a file and use a cookie, Tomcat rejects it.
Regards,
Manjosh Ramesh 

On Tuesday, September 17, 2024 at 02:51:28 PM GMT+5:30, Mark Thomas 
 wrote:  
 
 On 17/09/2024 04:44, manjosh ramesh wrote:
> 
> Hi, ok, so this was a bug in older tomcat release and has been fixed in newer
> version, is it?

Yes.

> Could you please share the bug id for this change?

No. Not every fix is associated with a bug ID since not every issue is 
raised via the issue tracker. This is such an issue.

You haven't been specific about which version worked and which one 
didn't although you do mention the issue appearing when you upgraded to 
8.5.99.

If I had to guess then I'd guess the change that uncovered the issue in 
your cookie header was the one that meant CRCRLF was rejected as a line 
terminator. That was in 8.5.82.

I'll note that Tomcat 8.5.x reached end of life on 31 March 2024 and is 
no longer supported by the ASF.

Extended support is available from various commercial entities for older 
versions of Tomcat. I would strongly recommend that anyone considering 
one of those options looks carefully at the provider's claims of Tomcat 
expertise. Or just upgrade to an ASF supported version.

> Because the older tomcat allows this type of request.

Quite possibly. There has been a general tightening up of HTTP request 
parsing over time. Partly in response to reported security 
vulnerabilities, partly as a preventative measure against the 
possibility of future vulnerabilities.

> Also our cookie is compliant. We are not able to find what is not compliant
> in our cookie.

No, it isn't. CR (^M) is not a permitted character in an HTTP request 
header so your cookie header is not valid.

> It only works when we remove '^M' or '^M$' from the end of line in our cookie.

As expected. Once you make the HTTP request specification compliant, 
Tomcat will accept it.

Mark


> Regards,
> Manjosh Ramesh
> 
>      On Monday, September 16, 2024 at 09:37:22 AM GMT+5:30, 
> wrote:
>  
>  https://bz.apache.org/bugzilla/show_bug.cgi?id=69325
> 
> Chuck Caldarale  changed:
> 
>            What    |Removed                    |Added
> 
>              Status|UNCONFIRMED                |RESOLVED
>          Resolution|---                        |INVALID
> 
> --- Comment #3 from Chuck Caldarale  ---
> As previously stated, any further discussion must be on the Tomcat users'
> mailing list. Do not reopen this bugzilla entry.
> 



  

Re: [Bug 69325] Tomcat not allowing CRLF characters in Request headers

2024-09-17 Thread Mark Thomas

On 17/09/2024 13:46, manjosh ramesh wrote:

> Hi Mark,
> What is strange is that we are obtaining the cookie by triggering an HTTP 
> request to a spring-boot application running on Tomcat. The same tomcat server 
> adds '^M$' at the end of each line in the response.
> If we redirect this response to a file and use a cookie, Tomcat rejects it.


HTTP headers use CRLF as a line terminator.

If you write that "as-is" to a file you will end up with CRLF line 
terminators in that file.


If you then read the file assuming the line terminator is LF then you 
will, effectively, insert the CR (^M) characters at the end of every line.


You need to ensure that you read and write the file using the same line 
terminator.


Mark



> Regards,
> Manjosh Ramesh
>
> On Tuesday, September 17, 2024 at 02:51:28 PM GMT+5:30, Mark Thomas 
> wrote:
>
> On 17/09/2024 04:44, manjosh ramesh wrote:
>
> > Hi, ok, so this was a bug in older tomcat release and has been fixed in newer
> > version, is it?
>
> Yes.
>
> > Could you please share the bug id for this change?
>
> No. Not every fix is associated with a bug ID since not every issue is
> raised via the issue tracker. This is such an issue.
>
> You haven't been specific about which version worked and which one
> didn't although you do mention the issue appearing when you upgraded to
> 8.5.99.
>
> If I had to guess then I'd guess the change that uncovered the issue in
> your cookie header was the one that meant CRCRLF was rejected as a line
> terminator. That was in 8.5.82.
>
> I'll note that Tomcat 8.5.x reached end of life on 31 March 2024 and is
> no longer supported by the ASF.
>
> Extended support is available from various commercial entities for older
> versions of Tomcat. I would strongly recommend that anyone considering
> one of those options looks carefully at the provider's claims of Tomcat
> expertise. Or just upgrade to an ASF supported version.
>
> > Because the older tomcat allows this type of request.
>
> Quite possibly. There has been a general tightening up of HTTP request
> parsing over time. Partly in response to reported security
> vulnerabilities, partly as a preventative measure against the
> possibility of future vulnerabilities.
>
> > Also our cookie is compliant. We are not able to find what is not compliant in
> > our cookie.
>
> No, it isn't. CR (^M) is not a permitted character in an HTTP request
> header so your cookie header is not valid.
>
> > It only works when we remove '^M' or '^M$' from the end of line in our cookie.
>
> As expected. Once you make the HTTP request specification compliant,
> Tomcat will accept it.
>
> Mark
>
> > Regards,
> > Manjosh Ramesh
> >
> > On Monday, September 16, 2024 at 09:37:22 AM GMT+5:30, 
> > wrote:
> >
> > https://bz.apache.org/bugzilla/show_bug.cgi?id=69325
> >
> > Chuck Caldarale  changed:
> >
> >              What    |Removed                    |Added
> >
> >                Status|UNCONFIRMED                |RESOLVED
> >            Resolution|---                        |INVALID
> >
> > --- Comment #3 from Chuck Caldarale  ---
> > As previously stated, any further discussion must be on the Tomcat users'
> > mailing list. Do not reopen this bugzilla entry.


   



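The round trip Mark describes (a CRLF-terminated response saved to a file, then re-read as if lines ended in LF) is shown below in a small Python script. This is an added example, not code from the thread, from Tomcat or from Spring Boot; the response header block, the cookie value and the temporary file name are constructed for the demonstration. It also includes the check a client should run on a header value before sending it, since CR, LF and NUL are never allowed in an HTTP field value and a strict parser will reject the request with a 400 rather than silently trimming the stray CR.

```python
import os
import re
import tempfile
from typing import Optional, Tuple

# An HTTP field value may not contain CR, LF or NUL. A request header carrying a
# bare CR is exactly what a strict parser (recent Tomcat) rejects.
_FORBIDDEN_IN_FIELD_VALUE = re.compile(r"[\r\n\x00]")


def header_value_is_valid(value: str) -> bool:
    """True if `value` may be sent as an HTTP header field value."""
    return _FORBIDDEN_IN_FIELD_VALUE.search(value) is None


# Constructed sample: the header block a server writes on the wire, with the
# CRLF line terminators HTTP requires. The session id is made up.
SAMPLE_RESPONSE_HEADERS = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=CONSTRUCTED1234\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def save_response_as_is(headers: str) -> str:
    """Write the header block byte-for-byte to a temp file, as redirecting the
    raw response to a file would. Returns the file path."""
    fd, path = tempfile.mkstemp(suffix=".http")
    with os.fdopen(fd, "wb") as fh:
        fh.write(headers.encode("ascii"))
    return path


def _cookie_value(line: str) -> str:
    # Everything after "Set-Cookie:", with surrounding spaces (only) removed.
    return line.split(":", 1)[1].strip(" ")


def extract_cookie_lf_only(path: str) -> Optional[str]:
    """Naive reader: splits on LF only, so the CR of every CRLF stays on the
    line and ends up inside the cookie value."""
    with open(path, "rb") as fh:
        text = fh.read().decode("ascii")
    for line in text.split("\n"):
        if line.lower().startswith("set-cookie:"):
            return _cookie_value(line)
    return None


def extract_cookie_crlf_aware(path: str) -> Optional[str]:
    """Correct reader: splitlines() treats CRLF as a single terminator, so the
    line terminator used when writing matches the one used when reading."""
    with open(path, "rb") as fh:
        text = fh.read().decode("ascii")
    for line in text.splitlines():
        if line.lower().startswith("set-cookie:"):
            return _cookie_value(line)
    return None


def build_cookie_header(cookie: str) -> str:
    """Build the outgoing 'Cookie:' request header, refusing a value that a
    strict HTTP parser would reject instead of sending it and getting a 400."""
    if not header_value_is_valid(cookie):
        raise ValueError("cookie contains CR/LF/NUL: %r" % cookie)
    return "Cookie: " + cookie


def demo() -> Tuple[Optional[str], Optional[str]]:
    """Run both readers over the same saved response; returns (naive, fixed)."""
    path = save_response_as_is(SAMPLE_RESPONSE_HEADERS)
    try:
        naive = extract_cookie_lf_only(path)
        fixed = extract_cookie_crlf_aware(path)
    finally:
        os.unlink(path)
    return naive, fixed


if __name__ == "__main__":
    naive, fixed = demo()
    print("LF-only read   :", repr(naive), "valid:", header_value_is_valid(naive))
    print("CRLF-aware read:", repr(fixed), "valid:", header_value_is_valid(fixed))
    print(build_cookie_header(fixed))
```

Running it prints the naive value with a trailing `\r` (the `^M` seen in the thread) and the CRLF-aware value without it. The file is opened in binary mode on purpose: Python's text mode on some platforms translates CRLF to LF on read and would hide the problem, which is the same mismatch in reverse.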