On 29/11/2016 18:18, Michael Osipov wrote:
> On 2016-11-29 at 16:07, Mark Thomas wrote:
>> On 29/11/2016 14:40, Christopher Schultz wrote:
>>> Michael,
>>>
>>> On 11/29/16 8:14 AM, Michael Osipov wrote:
>>>> Hi folks,
>>>
>>>> while investigating another possible patch for the RewriteValve, I
>>>> have noticed that Tomcat 8.5 does not validate the set status
>>>> code, everything is possible, e.g., -99 or 1000. Scanning the code
>>>> I haven't found any validation or such up to
>>>> org.apache.coyote.http11.Http11OutputBuffer.sendStatus().
>>>
>>>> RFC 7230, section 3.1.2 defines the EBNF the status-code is defined
>>>> as 3DIGIT.
>>>
>>>> My question: is that an implementation error?
>>>
>>>> Not having checked Apache 2.4 yet, I know that mod_rewrite.c will
>>>> return an error if the status code is not between 100 and 900 [1].
>>>
>>> I would say that in general validating the response code is probably
>>> not worth it. If an application wants to use customized response
>>> codes, they have plenty of codes already available but maybe they want
>>> to use a higher-numbered code.
>>>
>>> Are you suggesting that the behavior should be changed so that Tomcat
>>> can enforce the HTTP specification even when an application uses it in
>>> an out-of-spec way? Or were you thinking that there may be some deeper
>>> issue that Tomcat can help solve?
>>>
>>> Validating the response code would only take a little bit of time, and
>>> usually response codes aren't set many times per request, so the
>>> overhead would probably be minimal.
>>
>> If it is validated at all for the RewriteValve, I'd do it once during
>> init rather than per request.
>
> This is what I was about to do. My primary goal was to complete the
> redirect rule where mod_rewrite.c rejects codes below 100 and 900 and
> stops processing immediately if the code is not one of 3xx.
>
> Is that desired or do you want to leave it that way?

It isn't an itch I want to scratch but if it can be implemented with a
reasonable patch I'm happy to review that patch.

Mark
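
An added illustration of the check discussed in this thread, validating a rule's status code once at configuration time instead of per request. It is not Tomcat or mod_rewrite code and does not come from any participant; the class and method names are hypothetical, and the lower bound of 100 is an assumption taken from the thread's description of mod_rewrite.

```java
import java.util.regex.Pattern;

/** Hypothetical helper (not Tomcat code): checks a rule's status code once, at init. */
public final class StatusCodeCheck {

    // RFC 7230, section 3.1.2: status-code = 3DIGIT.
    // An explicit ASCII class is used because Integer.parseInt also accepts
    // non-ASCII Unicode digits, which must never reach the status line.
    private static final Pattern THREE_DIGITS = Pattern.compile("[0-9]{3}");

    private StatusCodeCheck() {
    }

    /** Returns the parsed code or throws, so a bad rule fails at startup. */
    public static int parseStatus(String value) {
        if (value == null || !THREE_DIGITS.matcher(value).matches()) {
            throw new IllegalArgumentException(
                    "status code must be exactly three digits: '" + value + "'");
        }
        int code = Integer.parseInt(value);
        // 3DIGIT alone still admits 000-099; assumed lower bound of 100.
        if (code < 100) {
            throw new IllegalArgumentException("status code below 100: " + code);
        }
        return code;
    }

    /** True for the 3xx class, the only one a redirect rule should emit. */
    public static boolean isRedirect(int code) {
        return code >= 300 && code <= 399;
    }

    public static void main(String[] args) {
        // Constructed samples, including the -99 and 1000 from the thread.
        String[] samples = {"302", "-99", "1000", "099", "410", "3O2"};
        for (String s : samples) {
            try {
                int code = parseStatus(s);
                System.out.println(s + " -> accepted, "
                        + (isRedirect(code) ? "redirect" : "not a redirect"));
            } catch (IllegalArgumentException e) {
                System.out.println(s + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```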