On 2016-11-29 at 15:40, Christopher Schultz wrote:
Michael,
On 11/29/16 8:14 AM, Michael Osipov wrote:
Hi folks,
while investigating another possible patch for the RewriteValve, I
have noticed that Tomcat 8.5 does not validate the set status
code, everything is possible, e.g., -99 or 1000. Scanning the code
I haven't found any validation or such up to
org.apache.coyote.http11.Http11OutputBuffer.sendStatus().
RFC 7230, section 3.1.2 defines the EBNF the status-code is defined
as 3DIGIT.
My question: is that an implementation error?
Not having checked Apache 2.4 yet, I know that mod_rewrite.c will
return an error if the status code is not between 100 and 900 [1].
I would say that in general validating the response code is probably
not worth it. If an application wants to use customized response
codes, they have plenty of codes already available but maybe they want
to use a higher-numbered code.
Are you suggesting that the behavior should be changed so that Tomcat
can enforce the HTTP specification even when an application uses it in
an out-of-spec way? Or were you thinking that there may be some deeper
issue that Tomcat can help solve?
I do not have any problem at all, nor do I need to enforce any checks. I
wanted to clarify the current status.
Michael