On 17/09/2024 04:44, manjosh ramesh wrote:
Hi, ok, so this was a bug in older tomcat release and has been fixed in newer
version, is it?
Yes.
Could you please share the bug id for this change?
No. Not every fix is associated with a bug ID since not every issue is
raised via the issue tracker. This is such an issue.
You haven't been specific about which version worked and which one
didn't although you do mention the issue appearing when you upgraded to
8.5.99.
If I had to guess then I'd guess the change that uncovered the issue in
your cookie header was the one that meant CRCRLF was rejected as a line
terminator. That was in 8.5.82.
I'll note that Tomcat 8.5.x reached end of life on 31 March 2024 and is
no longer supported by the ASF.
Extended support is available from various commercial entities for older
versions of Tomcat. I would strongly recommend that anyone considering
one of those options looks carefully at the provider's claims of Tomcat
expertise. Or just upgrade to an ASF supported version.
Because the older tomcat allows this type of request.
Quite possibly. There has been a general tightening up of HTTP request
parsing over time. Partly in response to reported security
vulnerabilities, partly as a preventative measure against the
possibility of future vulnerabilities.
Also our cookie is compliant. We are not able to find what is not compliant in
our cookie.
No, it isn't. CR (^M) is not a permitted character in an HTTP request
header so your cookie header is not valid.
It only works when we remove '^M' or '^M$' from the end of line in our cookie.
As expected. Once you make the HTTP request specification compliant,
Tomcat will accept it.
Mark
Regards, Manjosh Ramesh
On Monday, September 16, 2024 at 09:37:22 AM GMT+5:30,
<bugzi...@apache.org> wrote:
https://bz.apache.org/bugzilla/show_bug.cgi?id=69325
Chuck Caldarale <n82...@gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|UNCONFIRMED |RESOLVED
Resolution|--- |INVALID
--- Comment #3 from Chuck Caldarale <n82...@gmail.com> ---
As previously stated, any further discussion must be on the Tomcat users'
mailing list. Do not reopen this bugzilla entry.
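
Added example, not part of the original thread and not Tomcat's own parsing code: a Python pre-flight check that scans a raw HTTP/1.1 request head for any CR not immediately followed by LF, which is what a trailing ^M on a Cookie line (CRCRLF) amounts to, plus a client-side guard for header values. The sample request, host name, cookie value and function names are constructed for illustration.

```python
CR, LF = 0x0D, 0x0A

def find_stray_cr(head: bytes):
    """Return (line_no, field_name, byte_offset) for each CR that is not
    part of a CRLF pair. In CRCRLF the first CR is followed by CR, not LF,
    so it is reported; the second CR belongs to the terminator."""
    findings, line_no, line_start = [], 1, 0
    for i, b in enumerate(head):
        if b == LF:
            line_no += 1
            line_start = i + 1
        elif b == CR and head[i + 1:i + 2] != b"\n":
            line = head[line_start:i]
            if line_no == 1:
                name = "(request line)"
            else:
                name = line.split(b":", 1)[0].decode("latin-1")
            findings.append((line_no, name, i))
    return findings

def checked_header_value(value: str) -> str:
    """Client-side guard: refuse to emit a header value containing CR or LF
    instead of silently sending it (for example a value read from a file
    with Windows line endings and not trimmed)."""
    if "\r" in value or "\n" in value:
        raise ValueError("CR/LF not allowed in header value: %r" % value)
    return value

# Constructed sample: Cookie line ends in CR CR LF (shown as ^M before the
# line end in an editor), everything else uses plain CRLF.
BAD = (b"GET /app HTTP/1.1\r\n"
       b"Host: example.test\r\n"
       b"Cookie: SESSION=abc123\r\r\n"
       b"\r\n")
GOOD = BAD.replace(b"\r\r\n", b"\r\n")

if __name__ == "__main__":
    for line_no, name, off in find_stray_cr(BAD):
        print("stray CR at byte %d, line %d, field %s" % (off, line_no, name))
    print("clean request findings:", find_stray_cr(GOOD))
```

Running the check against a captured request (for example from a proxy or packet capture) points at the exact header to fix on the client before the request reaches a strict server.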