Bug 61120 - Tomcat 8.5.15 with HTTP/2: URL path parameters lost
Summary: Tomcat 8.5.15 with HTTP/2: URL path parameters lost
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 8
Classification: Unclassified
Component: Connectors (show other bugs)
Version: 8.5.15
Hardware: PC Linux
: P2 normal (vote)
Target Milestone: ----
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-05-24 13:59 UTC by Markus Dörschmidt
Modified: 2017-08-10 22:06 UTC (History)
1 user (show)



Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Markus Dörschmidt 2017-05-24 13:59:03 UTC
When using Tomcat 8.5.15 with HTTP/2 all URL path parameters gets lost.

In some cases, session tracking is done via URL (yes, I know, doing that is bad ;)). Using the HTTP/2 protocol, the URL contains the "jsessionid" parameter, but Tomcat creates a new session. It seems, the session ID never reaches the session manager.

I configured a connector using NIO2 in combination with Http2Protocol:


<Connector
  port="8444"
  protocol="org.apache.coyote.http11.Http11Nio2Protocol"
  sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
  SSLEnabled="true"
  scheme="https"
  secure="true"
  sslProtocol="TLS"
  [...]>
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
</Connector>


Using the same connector without <UpgradeProtocol> everything is okay.
Comment 1 Mark Thomas 2017-05-24 20:16:02 UTC
Thanks for the report.

This has been fixed in:
- 9.0.x for 9.0.0.M22
- 8.5.x for 8.5.16
Comment 2 Mark Thomas 2017-08-10 22:06:02 UTC
This is CVE-2017-7675.