Make host header / request line consistency check configurable since …

…it is a new requirement in RFC 7230 git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@1809317 13f79535-47bb-0310-9956-ffa450edef68
kilokahn · Sep 22, 2017 · b121907 · b121907
1 parent 81c285d
commit b121907
Show file tree

Hide file tree

Showing 4 changed files with 50 additions and 5 deletions.
diff --git a/java/org/apache/coyote/http11/AbstractHttp11Protocol.java b/java/org/apache/coyote/http11/AbstractHttp11Protocol.java
@@ -91,6 +91,29 @@ protected AbstractEndpoint<S,?> getEndpoint() {
     // ------------------------------------------------ HTTP specific properties
     // ------------------------------------------ managed in the ProtocolHandler
 
+    private boolean allowHostHeaderMismatch = false;
+    /**
+     * Will Tomcat accept an HTTP 1.1 request where the host header does not
+     * agree with the host specified (if any) in the request line?
+     *
+     * @return {@code true} if Tomcat will allow such requests, otherwise
+     *         {@code false}
+     */
+    public boolean getAllowHostHeaderMismatch() {
+        return allowHostHeaderMismatch;
+    }
+    /**
+     * Will Tomcat accept an HTTP 1.1 request where the host header does not
+     * agree with the host specified (if any) in the request line?
+     *
+     * @param allowHostHeaderMismatch {@code true} to allow such requests,
+     *                                {@code false} to reject them with a 400
+     */
+    public void setAllowHostHeaderMismatch(boolean allowHostHeaderMismatch) {
+        this.allowHostHeaderMismatch = allowHostHeaderMismatch;
+    }
+
+
     private boolean rejectIllegalHeaderName = true;
     /**
      * If an HTTP request is received that contains an illegal header name (i.e.

diff --git a/java/org/apache/coyote/http11/Http11Processor.java b/java/org/apache/coyote/http11/Http11Processor.java
@@ -782,10 +782,22 @@ private void prepareRequest() {
                         // the Host header
                         if (!hostValueMB.getByteChunk().equals(
                                 uriB, uriBCStart + pos, slashPos - pos)) {
-                            response.setStatus(400);
-                            setErrorState(ErrorState.CLOSE_CLEAN, null);
-                            if (log.isDebugEnabled()) {
-                                log.debug(sm.getString("http11processor.request.inconsistentHosts"));
+                            if (protocol.getAllowHostHeaderMismatch()) {
+                                // The requirements of RFC 2616 are being
+                                // applied. If the host header and the request
+                                // line do not agree, the request line takes
+                                // precedence
+                                hostValueMB = headers.setValue("host");
+                                hostValueMB.setBytes(uriB, uriBCStart + pos, slashPos - pos);
+                            } else {
+                                // The requirements of RFC 7230 are being
+                                // applied. If the host header and the request
+                                // line do not agree, trigger a 400 response.
+                                response.setStatus(400);
+                                setErrorState(ErrorState.CLOSE_CLEAN, null);
+                                if (log.isDebugEnabled()) {
+                                    log.debug(sm.getString("http11processor.request.inconsistentHosts"));
+                                }
                             }
                         }
                     }

diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
@@ -79,7 +79,10 @@
       <fix>
         Implement the requirements of RFC 7230 that any HTTP/1.1 request that
         specifies a host in the request line, must specify the same host in the
-        <code>Host</code> header. (markt)
+        <code>Host</code> header and that any such request that does not, must
+        be rejected with a 400 response. This check is optional but enabled by
+        default. It may be disabled with the
+        <code>allowHostHeaderMismatch</code> attribute of the Connector. (markt)
       </fix>
       <fix>
         Implement the requirements of RFC 7230 that any HTTP/1.1 request that

diff --git a/webapps/docs/config/http.xml b/webapps/docs/config/http.xml
@@ -323,6 +323,13 @@
       configured with <code>::</code>.</p>
     </attribute>
 
+    <attribute name="allowHostHeaderMismatch" required="false">
+      <p>By default Tomcat will reject requests that specify a host in the
+      request line but specify a different host in the host header. This
+      chekc can be disabled by setting this attribute to <code>false</code>. If
+      not specified, the default is <code>true</code>.</p>
+    </attribute>
+
     <attribute name="allowedTrailerHeaders" required="false">
       <p>By default Tomcat will ignore all trailer headers when processing
       chunked input. For a header to be processed, it must be added to this