On 29/11/2016 14:40, Christopher Schultz wrote:
> Michael,
> 
> On 11/29/16 8:14 AM, Michael Osipov wrote:
>> Hi folks,
> 
>> while investigating another possible patch for the RewriteValve, I
>> have noticed that Tomcat 8.5 does not validate the set status
>> code, everything is possible, e.g., -99 or 1000. Scanning the code
>> I haven't found any validation or such up to 
>> org.apache.coyote.http11.Http11OutputBuffer.sendStatus().
> 
>> RFC 7230, section 3.1.2 defines the EBNF: the status-code is defined
>> as 3DIGIT.
> 
>> My question: is that an implementation error?
> 
>> Not having checked Apache 2.4 yet, I know that mod_rewrite.c will
>> return an error if the status code is not between 100 and 900 [1].
> 
> I would say that in general validating the response code is probably
> not worth it. If an application wants to use customized response
> codes, they have plenty of codes already available but maybe they want
> to use a higher-numbered code.
> 
> Are you suggesting that the behavior should be changed so that Tomcat
> can enforce the HTTP specification even when an application uses it in
> an out-of-spec way? Or were you thinking that there may be some deeper
> issue that Tomcat can help solve?
> 
> Validating the response code would only take a little bit of time, and
> usually response codes aren't set many times per request, so the
> overhead would probably be minimal.

If it is validated at all for the RewriteValve, I'd do it once during
init rather than per request.

Tomcat doesn't currently validate the status code at all if an
application calls setStatus(). One problem with adding validation is
that the spec doesn't define any exceptions for setStatus() and friends.
You'd need to use an unchecked exception, ignore the call or use some
default code. None of which is particularly nice.

Mark
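
The three options named in the reply above (unchecked exception, ignore the call, default code), sketched as a response wrapper an application could install from a filter. This is an added example, not Tomcat code and not from the thread; the class name, the `Policy` enum, the 100..999 integer range read from 3DIGIT, and 500 as the default code are assumptions.

```java
import java.io.IOException;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/** Hypothetical wrapper (not Tomcat code): rejects status codes that are not three digits. */
public class StatusValidatingResponse extends HttpServletResponseWrapper {
    /** The three ways of handling an invalid code that the reply lists. */
    public enum Policy { THROW, IGNORE, DEFAULT_CODE }
    private final Policy policy;
    public StatusValidatingResponse(HttpServletResponse response, Policy policy) {
        super(response);
        this.policy = policy;
    }
    /** RFC 7230 section 3.1.2: status-code = 3DIGIT; as an int written without padding, 100..999. */
    static boolean isThreeDigit(int sc) {
        return sc >= 100 && sc <= 999;
    }

    /** Returns the code to pass on, or -1 when the call should be dropped. */
    private int check(int sc) {
        if (isThreeDigit(sc)) return sc;
        switch (policy) {
            case THROW:   // unchecked, because setStatus() declares no exceptions
                throw new IllegalArgumentException("status code is not 3DIGIT: " + sc);
            case IGNORE:  // keep whatever status was set before
                return -1;
            default:      // DEFAULT_CODE: assumed fallback of 500
                return HttpServletResponse.SC_INTERNAL_SERVER_ERROR;
        }
    }

    @Override
    public void setStatus(int sc) {
        int checked = check(sc);
        if (checked != -1) super.setStatus(checked);
    }

    @Override
    public void sendError(int sc) throws IOException {
        int checked = check(sc);
        if (checked != -1) super.sendError(checked);
    }

    @Override
    public void sendError(int sc, String msg) throws IOException {
        int checked = check(sc);
        if (checked != -1) super.sendError(checked, msg);
    }
}
```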
