Hi,
We use Tomcat 7.0.109 and Tomcat 8.5 in our Tomcat-based webapp deployments, and
we have a new requirement to prevent Host header injection. The
allowHostHeaderMismatch option seems the perfect answer to this issue.
However, configuring it in our environment, i.e. in the server.xml Connector
tag, still does not seem to make it work.
Debugging the code, we see that the check for this setting is never even
reached in the
org.apache.coyote.http11.AbstractHttp11Processor.prepareRequest() method. The
reason is in the code snippet below:
    ByteChunk uriBC = request.requestURI().getByteChunk();
    byte[] uriB = uriBC.getBytes();
    if (uriBC.startsWithIgnoreCase("http", 0)) {
        ...
        if (allowHostHeaderMismatch) {
            ...
        }
    }
uriBC does not contain the full URL such as http://localhost:8080/myapp, but
rather only the /myapp path, so the if (uriBC.startsWithIgnoreCase("http", 0))
condition is never met.
We are probably missing something very basic, and would really appreciate some
guidance.
Thanks,
Ralph Atallah
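The behaviour described in the message above, as an added, constructed illustration (this is not Tomcat source and not the poster's code): the Host/request-target comparison is only reached when the request line carries an absolute-form request-target such as http://localhost:8080/myapp, while the origin-form /myapp that ordinary clients send skips that branch entirely. The function and header names below are assumptions made for the example.

```python
"""
Constructed model of the request-target condition discussed in the e-mail.

Not Tomcat code: it only mirrors the shape of the check quoted from
AbstractHttp11Processor.prepareRequest(), where the Host header is compared
against the request-target only when that target starts with "http", i.e.
is in absolute-form. Origin-form targets ("/myapp") never enter the branch.
"""
from urllib.parse import urlsplit


def parse_request_line(request_line: str):
    """Split 'METHOD target HTTP/x.y' into its three parts (assumed well-formed)."""
    method, target, version = request_line.split(" ", 2)
    return method, target, version


def host_mismatch_check(request_line: str, headers: dict, allow_host_header_mismatch: bool):
    """Return (checked, accepted).

    checked  -- True only if the absolute-URI vs Host comparison was reached
    accepted -- whether the request would pass this particular check
    Hypothetical helper written for this example, not a Tomcat API.
    """
    _, target, _ = parse_request_line(request_line)
    host_header = headers.get("host")

    # Mirrors uriBC.startsWithIgnoreCase("http", 0): only absolute-form targets qualify.
    if target.lower().startswith("http"):
        authority = urlsplit(target).netloc  # e.g. "localhost:8080"
        if host_header is None or host_header.lower() == authority.lower():
            return True, True
        # Authority in the request line differs from the Host header:
        # the setting decides whether the mismatch is tolerated.
        return True, allow_host_header_mismatch

    # Origin-form target: the branch is skipped, so the Host header is never
    # compared here regardless of allowHostHeaderMismatch.
    return False, True


# Constructed sample requests (not captured traffic).
ORIGIN_FORM = "GET /myapp HTTP/1.1"
ABSOLUTE_FORM = "GET http://localhost:8080/myapp HTTP/1.1"


if __name__ == "__main__":
    for line, hdrs in [
        (ORIGIN_FORM, {"host": "attacker.example"}),
        (ABSOLUTE_FORM, {"host": "localhost:8080"}),
        (ABSOLUTE_FORM, {"host": "attacker.example"}),
    ]:
        print(line, hdrs, "->", host_mismatch_check(line, hdrs, allow_host_header_mismatch=False))
```

In this model an origin-form request with an arbitrary Host header is never examined by the branch that allowHostHeaderMismatch governs, which is exactly what the debugging observation in the message shows.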