From dev-return-193836-archive-asf-public=cust-asf.ponee.io@tomcat.apache.org Fri Oct 5 12:38:48 2018 Return-Path: X-Original-To: archive-asf-public@cust-asf.ponee.io Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by mx-eu-01.ponee.io (Postfix) with SMTP id 6D474180649 for ; Fri, 5 Oct 2018 12:38:47 +0200 (CEST) Received: (qmail 83009 invoked by uid 500); 5 Oct 2018 10:38:46 -0000 Mailing-List: contact dev-help@tomcat.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: "Tomcat Developers List" Delivered-To: mailing list dev@tomcat.apache.org Received: (qmail 82999 invoked by uid 99); 5 Oct 2018 10:38:46 -0000 Received: from Unknown (HELO svn01-us-west.apache.org) (209.188.14.144) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 05 Oct 2018 10:38:46 +0000 Received: from svn01-us-west.apache.org (localhost [127.0.0.1]) by svn01-us-west.apache.org (ASF Mail Server at svn01-us-west.apache.org) with ESMTP id 5F31B3A0D44 for ; Fri, 5 Oct 2018 10:38:53 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1842885 - in /tomcat/tc7.0.x/trunk: java/org/apache/coyote/AbstractProcessor.java java/org/apache/coyote/ajp/AbstractAjpProcessor.java java/org/apache/coyote/http11/AbstractHttp11Processor.java webapps/docs/changelog.xml Date: Fri, 05 Oct 2018 10:38:52 -0000 To: dev@tomcat.apache.org 
From: markt@apache.org X-Mailer: svnmailer-1.0.9 Message-Id: <20181005103853.5F31B3A0D44@svn01-us-west.apache.org> Author: markt Date: Fri Oct 5 10:38:52 2018 New Revision: 1842885 URL: http://svn.apache.org/viewvc?rev=1842885&view=rev Log: Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=62739 Do not reject requests with an empty HTTP Host header. Such requests are unusual but not invalid. Patch provided by Michael Orr. This closes #124. Modified: tomcat/tc7.0.x/trunk/java/org/apache/coyote/AbstractProcessor.java tomcat/tc7.0.x/trunk/java/org/apache/coyote/ajp/AbstractAjpProcessor.java tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/AbstractHttp11Processor.java tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
Modified: tomcat/tc7.0.x/trunk/java/org/apache/coyote/AbstractProcessor.java URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/coyote/AbstractProcessor.java?rev=1842885&r1=1842884&r2=1842885&view=diff ==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/coyote/AbstractProcessor.java (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/coyote/AbstractProcessor.java Fri Oct 5 10:38:52 2018
@@ -203,6 +203,12 @@ public abstract class AbstractProcessor<
 protected void parseHost(MessageBytes valueMB) {
 if (valueMB == null || valueMB.isNull()) {
 populateHost();
+ populatePort();
+ return;
+ } else if (valueMB.getLength() == 0) {
+ // Empty Host header so set sever name to empty string
+ request.serverName().setString("");
+ populatePort();
 return;
 }
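Review bot: The new `valueMB.getLength() == 0` branch in parseHost() sets the server name to `""` and returns without calling populateHost(), so code that later reads `request.serverName()` to build absolute URLs or make host-based decisions presumably sees an empty name rather than a fallback. The comment should state that this is intended, and it misspells "server"; I would write `// Empty Host header: keep the server name empty (no populateHost() fallback), port comes from populatePort()`. The list of modified files contains no test, so a case that sends a `Host:` header with no value and checks the resulting server name and port would pin this behaviour. parseHost() continues past the end of the hunk, so the handling of non-empty values is not visible here.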
@@ -266,9 +272,9 @@ public abstract class AbstractProcessor<
 /**
- * Called when a host name is not present in the request (e.g. HTTP/1.0).
- * It populates the server name and port with appropriate information. The
- * source is expected to vary by protocol.
+ * Called when a host header is not present in the request (e.g. HTTP/1.0).
+ * It populates the server name with appropriate information. The source is
+ * expected to vary by protocol.
 *

* The default implementation is a NO-OP.
 */
@@ -276,6 +282,18 @@ public abstract class AbstractProcessor<
 // NO-OP
 }
+
+ /**
+ * Called when a host header is not present or is empty in the request (e.g.
+ * HTTP/1.0). It populates the server port with appropriate information. The
+ * source is expected to vary by protocol.
+ *

+ * The default implementation is a NO-OP.
+ */
+ protected void populatePort() {
+ // NO-OP
+ }
+
 @Override
 public abstract boolean isUpgrade();
Modified: tomcat/tc7.0.x/trunk/java/org/apache/coyote/ajp/AbstractAjpProcessor.java URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/coyote/ajp/AbstractAjpProcessor.java?rev=1842885&r1=1842884&r2=1842885&view=diff ==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/coyote/ajp/AbstractAjpProcessor.java (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/coyote/ajp/AbstractAjpProcessor.java Fri Oct 5 10:38:52 2018
@@ -985,13 +985,11 @@ public abstract class AbstractAjpProcess
 /**
 * {@inheritDoc}
 *
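Review bot: The NO-OP default of the new `populatePort()` in AbstractProcessor means a subclass that still sets the port inside its own `populateHost()` gets no port on the empty-Host path, because parseHost() calls only `populatePort()` there. Both subclasses shown in this mail are updated, but whether other processors extend AbstractProcessor cannot be seen from here and should be confirmed. The Javadoc would be clearer with a sentence such as `Subclasses that populated the port in populateHost() must move that code here.`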

- * This implementation populates the server name and port from the local
- * name and port provided by the AJP message.
+ * This implementation populates the server name from the local name
+ * provided by the AJP message.
 */
 @Override
 protected void populateHost() {
- // No host information (HTTP/1.0)
- request.setServerPort(request.getLocalPort());
 try {
 request.serverName().duplicate(request.localName());
 } catch (IOException e) {
@@ -1001,6 +999,19 @@ public abstract class AbstractAjpProcess
 }
+ /**
+ * {@inheritDoc}
+ *

+ * This implementation populates the server port from the local port
+ * provided by the AJP message.
+ */
+ @Override
+ protected void populatePort() {
+ // No host information (HTTP/1.0)
+ request.setServerPort(request.getLocalPort());
+ }
+
+
+
 /**
 * When committing the response, we have to validate the set of headers, as
 * well as setup the response filters.
Modified: tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/AbstractHttp11Processor.java URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/AbstractHttp11Processor.java?rev=1842885&r1=1842884&r2=1842885&view=diff ==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/AbstractHttp11Processor.java (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/coyote/http11/AbstractHttp11Processor.java Fri Oct 5 10:38:52 2018
@@ -1739,21 +1739,24 @@ public abstract class AbstractHttp11Proc
 protected abstract boolean prepareSendfile(OutputFilter[] outputFilters);
+
+ /*
+ * Note: populateHost() is not over-ridden.
+ * request.serverName() will be set to return the default host name by
+ * the Mapper.
+ */
+
+
 /**
 * {@inheritDoc}
 *
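Review bot: The comment `// No host information (HTTP/1.0)` carried into the AJP `populatePort()` no longer describes every caller, because parseHost() in AbstractProcessor now also calls `populatePort()` when the Host header is present but empty. I would change it to `// No host information (HTTP/1.0) or an empty Host header`. The Javadoc added above the method could state the same condition.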

- * This implementation provides the server name from the default host and
- * the server port from the local port.
+ * This implementation provides the server port from the local port.
 */
 @Override
- protected void populateHost() {
- // No host information (HTTP/1.0)
+ protected void populatePort() {
 // Ensure the local port field is populated before using it.
 request.action(ActionCode.REQ_LOCALPORT_ATTRIBUTE, request);
 request.setServerPort(request.getLocalPort());
-
- // request.serverName() will be set to the default host name by the
- // mapper
 }
Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1842885&r1=1842884&r2=1842885&view=diff ==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Fri Oct 5 10:38:52 2018
@@ -71,6 +71,15 @@
+
+
+
+ 62739: Do not reject requests with an empty HTTP Host header.
+ Such requests are unusual but not invalid. Patch provided by Michael
+ Orr. (markt)
+
+
+
--------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org For additional commands, e-mail: dev-help@tomcat.apache.org