Bug 63578 - o.a.coyote.http11.Http11Processor.prepareRequest: various inputs triggering 500 response code
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 9
Classification: Unclassified
Component: Connectors
Version: 9.0.22
Hardware: Macintosh All
Importance: P2 minor
Target Milestone: -----
Assignee: Tomcat Developers Mailing List
Reported: 2019-07-22 14:35 UTC by Alex Rebert
Modified: 2019-07-24 15:05 UTC



Attachments
Inputs triggering 500 responses. (9.31 KB, application/zip)
2019-07-22 14:35 UTC, Alex Rebert

Description Alex Rebert 2019-07-22 14:35:19 UTC
Created attachment 36672
Inputs triggering 500 responses.

Http11Processor.prepareRequest generates 500 responses instead of 400 on various inputs:
- Invalid Expect and Transfer-encoding headers can lead to a NullPtrException
- Invalid Content-length headers can lead to an InvalidArgumentException and a NumberFormatException
- Large numbers of headers and/or cookies can lead to an IllegalStateException or an InvalidArgumentException  

I'm attaching the inputs that resulted in 500 responses. You can replay them with `cat <exception>.request | nc localhost 8080`, assuming Tomcat listens on 8080. The responses are attached in the respective `<exception>.response` file. The responses include the stacktraces that led to the 500.

I'm running Tomcat from source after compiling it with Ant. Version is 'Apache Tomcat/9.0.22-dev', and commit is ed26bdbaf639a17c02a1e864d2c0553ed3f95971 from Jul 22.
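
An added illustration of the Content-Length case in the report above (not part of the original report and not Tomcat's code): an unvalidated numeric parse lets a NumberFormatException reach the generic error handler, while checking the raw value first lets the server answer 400. The class name, method names and sample values are hypothetical.

```java
// Added illustration, not Tomcat source. All names here are hypothetical.
public class ContentLengthCheck {

    // Naive form: Long.parseLong throws NumberFormatException on malformed
    // input. The catch block stands in for a generic error handler that
    // turns any escaped runtime exception into a 500.
    static int naiveStatus(String contentLength) {
        try {
            Long.parseLong(contentLength);
            return 200;
        } catch (RuntimeException e) {
            return 500;
        }
    }

    // Checked form: validate the raw header value and answer 400 for
    // anything that is not a non-negative decimal number fitting in a long.
    static int checkedStatus(String contentLength) {
        if (contentLength == null) return 200;           // header absent
        String v = contentLength.trim();
        if (v.isEmpty() || v.length() > 19) return 400;  // Long.MAX_VALUE has 19 digits
        for (int i = 0; i < v.length(); i++) {
            char c = v.charAt(i);
            // ASCII digits only: rejects signs, letters and the non-ASCII
            // digits that Long.parseLong would otherwise accept.
            if (c < '0' || c > '9') return 400;
        }
        try {
            Long.parseLong(v);
        } catch (NumberFormatException overflow) {
            return 400;                                  // 19 digits can still overflow
        }
        return 200;
    }

    public static void main(String[] args) {
        // Constructed sample values, not the inputs from the attachment.
        String[] samples = {
            "42", " 42 ", "", "-1", "+5", "12abc", "9223372036854775808"
        };
        for (String s : samples) {
            System.out.printf("%-24s naive=%d checked=%d%n",
                    "\"" + s + "\"", naiveStatus(s), checkedStatus(s));
        }
    }
}
```

For "-1" and "+5" the naive form reports 200 because the parse succeeds, so a signed length would be passed on to later processing; the checked form rejects both with 400.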
Comment 1 Mark Thomas 2019-07-24 14:53:05 UTC
Thanks for this report.

I tracked down the root causes and added minimal test cases as well as getting the issues fixed.

Fixed in:
- master for 9.0.23 onwards
- 8.5.x for 8.5.44 onwards
- 7.0.x for 7.0.97 onwards
Comment 2 Alex Rebert 2019-07-24 15:05:09 UTC
Thanks Mark for fixing the issues so promptly.

If you think some part of the Tomcat code base would benefit from additional automated analysis, please let me know which ones and I'll take a look.