tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 48839] New: Header folding fails in NIO connector
Date Tue, 02 Mar 2010 08:05:18 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=48839

           Summary: Header folding fails in NIO connector
           Product: Tomcat 6
           Version: 6.0.20
          Platform: PC
        OS/Version: Windows XP
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Connectors
        AssignedTo: dev@tomcat.apache.org
        ReportedBy: richa.baronia@hcl.in


Overview : HTTP request having one of its header folded send to NIO connctor
fails with 400 bad request.

Steps to Reproduce:
1) Send an HTTP request having a header whoes value is folded (example :
Add an HTTP header TestHeader  with value = "abcd" +"\r\n\t"+"efgh"
to a server which is using Java Nio Blocking Connector  Http11NioProtocol 

Expected Result : Request should be handled successfully

Actual Result   : 400 Bad Request response is send back

Additional Information: 
The issue is present in the  parseHeader() method of InternalNioInputBuffer
class.
Here the variable headerParsePos is set according to the enum
HeaderParsePosition {HEADER_START, HEADER_NAME, HEADER_VALUE,
HEADER_MULTI_LINE}
Inorder to verify if the header is multiline first the value of  headerParsePos
is set to HEADER_MULTI_LINE
Then following code is executed
if ( headerParsePos == HeaderParsePosition.HEADER_MULTI_LINE ) {
                if ( (chr != Constants.SP) && (chr != Constants.HT)) {
                    headerParsePos = HeaderParsePosition.HEADER_START;
                } else {
                    eol = false;
                    // Copying one extra space in the buffer (since there must
                    // be at least one space inserted between the lines)
                    buf[headerData.realPos] = chr;
                    headerData.realPos++;
                }
}

Here if the first character of the next line is not equal to space or tab then
the value of   variable   headerParsePos is set to HEADER_START
But if the value is equal to space or tab then value of   variable  
headerParsePos remains HEADER_MULTI_LINE.
The futher parsing of the header value is done only in case headerParsePos is
set to HEADER_VALUE
while (headerParsePos == HeaderParsePosition.HEADER_VALUE ||
              headerParsePos == HeaderParsePosition.HEADER_MULTI_LINE) {
          if ( headerParsePos == HeaderParsePosition.HEADER_VALUE ) {
//code to parse header value 
         }
       if ( headerParsePos == HeaderParsePosition.HEADER_MULTI_LINE ) {
//code to handle multiline header
        }
}
Since the value of headerParsePos is not being set back to HEADER_VALUE
therefore code to handle multiline header is being executed .
And the while loop goes in an endless loop.
If the else part of code to handle multiline header if                    
headerParsePos = HeaderParsePosition. HEADER_VALUE; line is added as below
if ( headerParsePos == HeaderParsePosition.HEADER_MULTI_LINE ) {
                if ( (chr != Constants.SP) && (chr != Constants.HT)) {
                    headerParsePos = HeaderParsePosition.HEADER_START;
                } else {
                    eol = false;
                    // Copying one extra space in the buffer (since there must
                    // be at least one space inserted between the lines)
                    buf[headerData.realPos] = chr;
                    headerData.realPos++;
                    headerParsePos = HeaderParsePosition. HEADER_VALUE;
                }
}
Then the header folding is handled successfully

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message