Bug 63825

Summary: Http11Processor does not compare request header values for complete tokens
Product: Tomcat 8
Reporter: Michael Osipov <michaelo>
Component: Connectors
Assignee: Tomcat Developers Mailing List <dev>
Status: RESOLVED FIXED
Severity: major
CC: michaelo
Priority: P2
Version: 8.5.x-trunk
Target Milestone: ----
Hardware: All
OS: All

Description Michael Osipov 2019-10-09 21:21:21 UTC
Based on the discussion here: http://mail-archives.apache.org/mod_mbox/tomcat-dev/201910.mbox/%3C451a4348-3ba7-5af1-b24a-ba6ed52e424f%40apache.org%3E

Request header values are tested with contains() or indexOf(), findBytes(), etc. But if the searched value is "gzip" (needle) only, and the search value is "figzip" (haystack), the comparison shall fail, but succeeds due to the substring match.

This needs to be tightened to match exactly (case-insensitive if header spec allows).
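The defect described above, illustrated with an added example that is not Tomcat code: a naive substring check on a comma-separated list header is shown next to a whole-token comparison. The class name, method names and the header values are constructed for this illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

/**
 * Added example (not Tomcat code): contrasts the substring check the report
 * describes with a whole-token, case-insensitive match for list headers such
 * as Accept-Encoding or Transfer-Encoding.
 */
public class HeaderTokenMatch {

    /** The flawed check: "figzip" and "x-gzip" both wrongly match "gzip". */
    static boolean naiveContains(String headerValue, String token) {
        return headerValue.toLowerCase(Locale.ROOT)
                .contains(token.toLowerCase(Locale.ROOT));
    }

    /**
     * Splits a comma-separated list header into trimmed tokens, dropping any
     * parameters after ';' (for example ";q=0.8"). Empty list elements are
     * ignored, as the list syntax permits.
     */
    static List<String> tokens(String headerValue) {
        List<String> out = new ArrayList<>();
        if (headerValue == null) {
            return out;
        }
        for (String element : headerValue.split(",")) {
            String token = element;
            int semi = token.indexOf(';');
            if (semi >= 0) {
                token = token.substring(0, semi);
            }
            token = token.trim();
            if (!token.isEmpty()) {
                out.add(token);
            }
        }
        return out;
    }

    /** The tightened check: each complete token is compared case-insensitively. */
    static boolean containsToken(String headerValue, String token) {
        for (String t : tokens(headerValue)) {
            if (t.equalsIgnoreCase(token)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed header values; each is searched for the token "gzip".
        String[] samples = {
            "gzip",
            "figzip",
            "x-gzip",
            "GZIP",
            "deflate, gzip;q=0.8, br",
            "deflate,br"
        };
        for (String value : samples) {
            System.out.printf("%-28s naive=%-5b token=%-5b%n",
                    "\"" + value + "\"",
                    naiveContains(value, "gzip"),
                    containsToken(value, "gzip"));
        }
    }
}
```

The two checks disagree exactly on "figzip" and "x-gzip", where only the substring check reports a match. The splitter above does not handle a quoted-string parameter value that itself contains a comma; a parser meant for arbitrary list headers would need to track quoting before splitting on ','.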
Comment 1 Mark Thomas 2019-10-17 17:54:14 UTC
Fixed in:
- master for 9.0.28 onwards
- 8.5.x for 8.5.48 onwards
- 7.0.x for 7.0.98 onwards
Comment 2 Michael Osipov 2019-10-18 08:48:09 UTC
I am afraid I need to reopen this one because of this missed spot:

https://github.com/apache/tomcat/blob/master/java/org/apache/coyote/http11/Http11Processor.java#L599-L608
Comment 3 Mark Thomas 2019-10-18 21:55:02 UTC
Thanks for catching that. I've refactored the code a little and expanded it to cover the request header case.

Performance testing indicates neutral to marginally positive effect.
Comment 4 Michael Osipov 2019-10-18 21:57:47 UTC
(In reply to Mark Thomas from comment #3)
> Thanks for catching that. I've refactored the code a little and expanded it
> to cover the request header case.
> 
> Performance testing indicates neutral to marginally positive effect.

Brilliant, only compression config left.