Summary: Http11Processor does not compare request header values for complete tokens
Product: Tomcat 8
Reporter: Michael Osipov <michaelo>
Component: Connectors
Assignee: Tomcat Developers Mailing List <dev>
Description Michael Osipov 2019-10-09 21:21:21 UTC
Based on the discussion here: http://mail-archives.apache.org/mod_mbox/tomcat-dev/201910.mbox/%3C451a4348-3ba7-5af1-b24a-ba6ed52e424f%40apache.org%3E

Request header values are tested with contains() or indexOf(), findBytes(), etc. But if the searched value is "gzip" (needle) only, and the search value is "figzip" (haystack), the comparison shall fail, but succeeds due to the substring match. This needs to be tightened to match exactly (case-insensitive if header spec allows).
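The substring-versus-token distinction the report describes, shown as an added illustration that is neither Tomcat's own code nor the committed fix: a naive contains() check beside a token-aware one that splits the header value on commas, discards any ";parameter" suffix, and compares each whole token case-insensitively. The sample header values are constructed.

```java
import java.util.Locale;

public class HeaderTokenMatch {

    // Naive check of the kind the report describes: a plain substring search
    // accepts "figzip" (and "gzipx") when looking for the token "gzip".
    static boolean containsSubstring(String headerValue, String needle) {
        return headerValue != null
                && headerValue.toLowerCase(Locale.ROOT)
                              .contains(needle.toLowerCase(Locale.ROOT));
    }

    // Token-aware check (illustrative only): a list header such as
    // Accept-Encoding is a comma-separated list of tokens, each optionally
    // followed by ";parameters" (e.g. ";q=1.0"). Only a whole token may match.
    static boolean containsToken(String headerValue, String needle) {
        if (headerValue == null) {
            return false;
        }
        for (String element : headerValue.split(",")) {
            String token = element;
            int semi = token.indexOf(';');
            if (semi >= 0) {
                token = token.substring(0, semi);   // drop ";q=..." etc.
            }
            if (token.trim().equalsIgnoreCase(needle)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample header values, not taken from real traffic.
        String[] samples = {
            "gzip",
            "figzip",
            "GZIP;q=1.0, identity",
            "br, deflate, gzip ",
            "gzipx, identity"
        };
        for (String s : samples) {
            System.out.printf("%-26s substring=%-5b token=%b%n",
                    "\"" + s + "\"",
                    containsSubstring(s, "gzip"),
                    containsToken(s, "gzip"));
        }
    }
}
```

Running main shows the two checks disagreeing exactly on "figzip" and "gzipx, identity", which the substring search wrongly accepts.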
Comment 1 Mark Thomas 2019-10-17 17:54:14 UTC
Fixed in:
- master for 9.0.28 onwards
- 8.5.x for 8.5.48 onwards
- 7.0.x for 7.0.98 onwards
Comment 2 Michael Osipov 2019-10-18 08:48:09 UTC
I am afraid I need to reopen this one because of this missed spot: https://github.com/apache/tomcat/blob/master/java/org/apache/coyote/http11/Http11Processor.java#L599-L608
Comment 3 Mark Thomas 2019-10-18 21:55:02 UTC
Thanks for catching that. I've refactored the code a little and expanded it to cover the request header case. Performance testing indicates neutral to marginally positive effect.
Comment 4 Michael Osipov 2019-10-18 21:57:47 UTC
(In reply to Mark Thomas from comment #3)
> Thanks for catching that. I've refactored the code a little and expanded it
> to cover the request header case.
>
> Performance testing indicates neutral to marginally positive effect.

Brilliant, only compression config left.