tomcat-dev mailing list archives

From Mark Thomas <>
Subject Re: Strict Host Header validation since Tomcat 7.0.87
Date Wed, 30 May 2018 09:11:46 GMT
On 30/05/18 10:00, Sven Buesing wrote:
> Hello everyone,
> Hello Mark,
> @markt: as this change is from you, I've added you in cc. Please let me know if you're fine with this.

No, I am not. Please do not send direct mail to Tomcat committers. If
you have a Tomcat related question, it belongs on the mailing list.

> Since Tomcat 7.0.87 Coyote has added a validation check for Host-Headers.
> The validation seems to expect that a host header is always a FQDN.
> But in common DNS setups, search domains are used, which are automatically appended to a DNS request.
> The search domain on the other hand is not appended to the host header of the request. For example, a host header might therefore look like this: "Host:".
>
> The "-" causes the request to be recognized as incorrect and discarded.
> As a result, since the update to Tomcat >8.0.86, certain requests are answered with 400 bad requests.
> This could be a problem in certain setups. Maybe you could change the validation behaviour to also accept common domain names without requiring FQDNs.

