https://bz.apache.org/bugzilla/show_bug.cgi?id=63825
Bug ID: 63825
Summary: Http11Processor does not compare request header values for complete tokens
Product: Tomcat 8
Version: 8.5.x-trunk
Hardware: All
OS: All
Status: NEW
Severity: major
Priority: P2
Component: Connectors
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ----
Based on the discussion here:
http://mail-archives.apache.org/mod_mbox/tomcat-dev/201910.mbox/%3C451a4348-3ba7-5af1-b24a-ba6ed52e424f%40apache.org%3E
Request header values are tested with contains() or indexOf(), findBytes(),
etc. But if the searched value is "gzip" (needle) only, and the search value is
"figzip" (haystack), the comparison shall fail, but succeeds due to the
substring match.
This needs to be tightened to match exactly (case-insensitive if header spec
allows).