On 07/04/2020 08:54, Rajah Yoghindra K S wrote: <snip/>
> Our POST request header looks like this:
>
> POST https://linux-7f67.blr.abc.com:443/testUrl/ HTTP/1.1
> Host: *linux-7f67.blr.abc.com*
> User-Agent: gSOAP/2.8
> Content-Type: text/xml; charset=utf-8
> Content-Length: 1740
> Connection: close

<snip/>

> What is your take on this? Should the code in tomcat be checking just
> the fqdn without the port?

From RFC 7230, section 5.4 Host

<quote>
A client MUST send a Host header field in all HTTP/1.1 request messages. If the target URI includes an authority component, then a client MUST send a field-value for Host that is identical to that authority component, excluding any userinfo subcomponent and its "@" delimiter (Section 2.7.1).
</quote>

So, the check Tomcat is performing is correct. The client is broken and needs to be fixed.

> Also would it be possible to include a fix so that it skips the default
> port (if present) and then compare? Non default ports to be still
> retained. Only default ports to be skipped.

Possible, yes. Likely to be accepted, no.

The starting position that the Tomcat committers typically take is that we don't apply workarounds for broken clients that aren't specification compliant. Exceptions are made but generally only when a large number of users are likely to be affected AND the broken client in question is unlikely / has already refused to apply a fix. That doesn't look to be the case in this instance.

Mark
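The RFC 7230 section 5.4 rule quoted above can be checked against a captured request before it reaches the server. The following is an added example, not part of the original message and not Tomcat's code; the function names are hypothetical, the sample request is constructed from the headers quoted in the thread, and comparing case-insensitively is an assumption of this sketch.

```python
from urllib.parse import urlsplit

def authority_of(request_target):
    """Authority of an absolute-form request-target, userinfo removed, else None."""
    parts = urlsplit(request_target)
    if not parts.scheme or not parts.netloc:
        return None  # origin-form ("/path") or "*": no authority to compare
    return parts.netloc.rpartition("@")[2]  # drop "user:pass@" if present

def check_host(raw_request):
    """Return (ok, reason) for an HTTP/1.1 request head given as bytes."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    hosts = [l.split(":", 1)[1].strip()
             for l in lines[1:] if l.lower().startswith("host:")]
    if len(hosts) != 1:
        return (False, "exactly one Host header is required")
    authority = authority_of(target)
    if authority is None:
        return (True, "request-target carries no authority")
    # The port is part of the authority, so ":443" must also appear in Host.
    if authority.lower() != hosts[0].lower():
        return (False, f"Host {hosts[0]!r} differs from authority {authority!r}")
    return (True, "Host is identical to the authority")

# Constructed sample: the request shape from the thread (body omitted).
GSOAP_REQUEST = (
    b"POST https://linux-7f67.blr.abc.com:443/testUrl/ HTTP/1.1\r\n"
    b"Host: linux-7f67.blr.abc.com\r\n"
    b"User-Agent: gSOAP/2.8\r\n"
    b"Connection: close\r\n\r\n"
)
# Constructed sample: the same request with a compliant Host header.
FIXED_REQUEST = GSOAP_REQUEST.replace(
    b"Host: linux-7f67.blr.abc.com\r\n", b"Host: linux-7f67.blr.abc.com:443\r\n")

if __name__ == "__main__":
    for name, req in (("as sent", GSOAP_REQUEST), ("fixed", FIXED_REQUEST)):
        print(name, check_host(req))
```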