From: Katya Todorova
Date: Wed, 5 Apr 2017 09:50:19 +0300
Subject: Re: Host header validation
To: Tomcat Developers List

> Applied. Many thanks.
>
> If you'd like to work on this further then can I suggest you take a look
> at Konstantin's comments:
>
> http://markmail.org/message/vp5voob7elspflax

I looked at the comments and it seems there are things to be clarified
before going in this direction:
- should we introduce a flag to turn validation on/off, and in which cases
- zone id support in IPv6 addresses
- IPvFuture support (for this one Konstantin has already proposed that it be
  postponed for a while)
If you think this is the right time to work on the first two, let me know
and I can prepare a patch.

Other possibilities are:
>
> - performance improvements for the Host header validation
>
> - improving code coverage generally for any of the HTTP parsing code
>
> - any that attracts your interest

I'm looking at the code coverage and will take a look at host validation
performance.

Kind regards,
Katya