Bug 61120

Summary: Tomcat 8.5.15 with HTTP/2: URL path parameters lost
Product: Tomcat 8
Component: Connectors
Version: 8.5.15
Hardware: PC
OS: Linux
Status: RESOLVED FIXED
Severity: normal
Priority: P2
Target Milestone: ----
Reporter: Markus Dörschmidt <markus.doerschmidt>
Assignee: Tomcat Developers Mailing List <dev>
CC: markus.doerschmidt

Description Markus Dörschmidt 2017-05-24 13:59:03 UTC
When using Tomcat 8.5.15 with HTTP/2, all URL path parameters get lost.

In some cases, session tracking is done via URL (yes, I know, doing that is bad ;)). Using the HTTP/2 protocol, the URL contains the "jsessionid" parameter, but Tomcat creates a new session. It seems the session ID never reaches the session manager.

I configured a connector using NIO2 in combination with Http2Protocol:


<Connector
  port="8444"
  protocol="org.apache.coyote.http11.Http11Nio2Protocol"
  sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
  SSLEnabled="true"
  scheme="https"
  secure="true"
  sslProtocol="TLS"
  [...]>
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
</Connector>


Using the same connector without <UpgradeProtocol> everything is okay.
Comment 1 Mark Thomas 2017-05-24 20:16:02 UTC
Thanks for the report.

This has been fixed in:
- 9.0.x for 9.0.0.M22
- 8.5.x for 8.5.16
Comment 2 Mark Thomas 2017-08-10 22:06:02 UTC
This is CVE-2017-7675.
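
Added example, not part of the bug report or Tomcat's own code: a configuration audit that flags connectors with the HTTP/2 upgrade enabled when the Tomcat version predates the fix releases named in comment 1. The function names and the sample server.xml are constructed for illustration, and the check assumes every release before the fix on the 8.5.x and 9.0.x branches is affected, which this report confirms only for 8.5.15.

```python
import re
import xml.etree.ElementTree as ET

# Fix versions as stated in comment 1 of this bug: (major, minor, patch, is_release, milestone).
FIXED = {"8.5": (8, 5, 16, 1, 0), "9.0": (9, 0, 0, 0, 22)}
H2_CLASS = "org.apache.coyote.http2.Http2Protocol"

def version_key(version):
    """Map '8.5.15' or '9.0.0.M21' to a sortable tuple; milestones sort before releases."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))

def http2_connector_ports(server_xml):
    """Return the ports of connectors that nest an HTTP/2 <UpgradeProtocol>."""
    root = ET.fromstring(server_xml)
    ports = []
    for conn in root.iter("Connector"):
        if any(up.get("className") == H2_CLASS for up in conn.iter("UpgradeProtocol")):
            ports.append(conn.get("port"))
    return ports

def audit(version, server_xml):
    """List HTTP/2 connector ports if the version predates the fix on its branch."""
    key = version_key(version)
    fixed = FIXED.get(f"{key[0]}.{key[1]}")
    if fixed is None or key >= fixed:
        return []  # branch not covered by this report, or already fixed
    return http2_connector_ports(server_xml)

# Constructed sample modelled on the reporter's connector (elided attributes left out).
SAMPLE = """<Server><Service name="Catalina">
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11Nio2Protocol" SSLEnabled="true"/>
  <Connector port="8444" protocol="org.apache.coyote.http11.Http11Nio2Protocol" SSLEnabled="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
  </Connector>
</Service></Server>"""

if __name__ == "__main__":
    for v in ("8.5.15", "8.5.16", "9.0.0.M21", "9.0.0.M22"):
        print(v, audit(v, SAMPLE))
```

A non-empty result lists the connector ports to upgrade or, as the reporter observed, to run without the `<UpgradeProtocol>` element until the upgrade is done.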