tomcat-dev mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: Strict Host Header validation since Tomcat 7.0.87
Date Wed, 30 May 2018 09:11:46 GMT
On 30/05/18 10:00, Sven Buesing wrote:
> Hello everyone,
> Hello Mark,
> 
> @markt: as this change is from you, I've added you in cc. Please let me know if you're fine with this.

No, I am not. Please do not send direct mail to Tomcat committers. If
you have a Tomcat related question, it belongs on the mailing list.

> Since Tomcat 7.0.87 Coyote has added a validation check for Host-Headers.
> The validation seems to expect that a host header is always a FQDN.
> But in common DNS setups, search domains are used, which are automatically appended to a DNS request.
> 
> The search domain on the other hand is not appended to the host header of the request. For example, a host header might therefore look like this: "Host: subdomain.host-header".
> The "-" causes the request to be recognized as incorrect and discarded.
> As a result, since the update to Tomcat >8.0.86, certain requests are answered with 400 bad requests.
> 
> This could be a problem in certain setups. Maybe you could change the validation behaviour to also accept common domain names without requiring FQDNs.

https://bz.apache.org/bugzilla/show_bug.cgi?id=62371

Mark
