This is an automated email from the ASF dual-hosted git repository.
markt-asf pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/9.0.x by this push:
new 17e65a21fb Fix HTTP/2 CONNECT / pseudo header checks
17e65a21fb is described below
commit 17e65a21fbbfe59db7755ab155b904e84d330eb3
Author: Mark Thomas <[email protected]>
AuthorDate: Fri Apr 24 08:33:21 2026 +0100
Fix HTTP/2 CONNECT / pseudo header checks
---
.../apache/coyote/http2/LocalStrings.properties | 1 +
java/org/apache/coyote/http2/Stream.java | 25 +++++++--
java/org/apache/coyote/http2/StreamProcessor.java | 4 +-
.../apache/coyote/http2/TestHttp2Section_8_1.java | 2 +-
.../apache/coyote/http2/TestHttp2Section_8_5.java | 64 ++++++++++++++++++++++
.../apache/coyote/http2/TestStreamProcessor.java | 1 -
webapps/docs/changelog.xml | 4 ++
7 files changed, 92 insertions(+), 9 deletions(-)
diff --git a/java/org/apache/coyote/http2/LocalStrings.properties
b/java/org/apache/coyote/http2/LocalStrings.properties
index d6239e912c..4934f9957e 100644
--- a/java/org/apache/coyote/http2/LocalStrings.properties
+++ b/java/org/apache/coyote/http2/LocalStrings.properties
@@ -97,6 +97,7 @@ stream.header.contentLength=Connection [{0}], Stream [{1}],
The content length h
stream.header.debug=Connection [{0}], Stream [{1}], HTTP header [{2}], Value
[{3}]
stream.header.duplicate=Connection [{0}], Stream [{1}], received multiple
[{2}] headers
stream.header.empty=Connection [{0}], Stream [{1}], Invalid empty header name
+stream.header.invalidConnect=Connection [{0}], Stream [{1}], The CONNECT
request was invalid as neither :scheme nor :path should be present
stream.header.inconsistentScheme=Connection [{0}], Stream [{1}], The scheme
[{2}] is not consistent with the TLS enabled setting of [{3}]
stream.header.invalid=Connection [{0}], Stream [{1}], The header [{2}]
contained invalid value [{3}]
stream.header.noPath=Connection [{0}], Stream [{1}], The [:path] pseudo header
was empty
diff --git a/java/org/apache/coyote/http2/Stream.java
b/java/org/apache/coyote/http2/Stream.java
index 9f02b0896b..e79db4c27f 100644
--- a/java/org/apache/coyote/http2/Stream.java
+++ b/java/org/apache/coyote/http2/Stream.java
@@ -590,12 +590,27 @@ class Stream extends AbstractNonZeroStream implements
HeaderEmitter {
}
- final boolean receivedEndOfHeaders() throws ConnectionException {
- if (coyoteRequest.getMethod() == null ||
coyoteRequest.scheme().isNull() ||
- !Method.CONNECT.equals(coyoteRequest.getMethod()) &&
coyoteRequest.requestURI().isNull()) {
- throw new
ConnectionException(sm.getString("stream.header.required", getConnectionId(),
getIdAsString()),
- Http2Error.PROTOCOL_ERROR);
+ final boolean receivedEndOfHeaders() throws StreamException {
+ boolean missingHeader = false;
+
+ if (coyoteRequest.getMethod() == null) {
+ missingHeader = true;
+ } else if (Method.CONNECT.equals(coyoteRequest.getMethod())) {
+ if (!coyoteRequest.scheme().isNull() ||
!coyoteRequest.requestURI().isNull()) {
+ throw new
StreamException(sm.getString("stream.header.invalidConnect", getConnectionId(),
+ getIdAsString()), Http2Error.PROTOCOL_ERROR,
getIdAsInt());
+ }
+ } else if (!Method.CONNECT.equals(coyoteRequest.getMethod())) {
+ if (coyoteRequest.scheme().isNull() ||
coyoteRequest.requestURI().isNull()) {
+ missingHeader = true;
+ }
}
+
+ if (missingHeader) {
+ throw new StreamException(sm.getString("stream.header.required",
getConnectionId(), getIdAsString()),
+ Http2Error.PROTOCOL_ERROR, getIdAsInt());
+ }
+
// Cookie headers need to be concatenated into a single header
// See RFC 7540 8.1.2.5
// Can only do this once the headers are fully received
diff --git a/java/org/apache/coyote/http2/StreamProcessor.java
b/java/org/apache/coyote/http2/StreamProcessor.java
index 5ae69879ff..18f435b6df 100644
--- a/java/org/apache/coyote/http2/StreamProcessor.java
+++ b/java/org/apache/coyote/http2/StreamProcessor.java
@@ -533,9 +533,9 @@ class StreamProcessor extends AbstractProcessor implements
NonPipeliningProcesso
return false;
}
- // Scheme must adhere to RFC 3986
+ // Scheme must adhere to RFC 3986 - null scheme possible with CONNECT
String scheme = request.scheme().toString();
- if (!HttpParser.isScheme(scheme)) {
+ if (scheme != null && !HttpParser.isScheme(scheme)) {
return false;
}
diff --git a/test/org/apache/coyote/http2/TestHttp2Section_8_1.java
b/test/org/apache/coyote/http2/TestHttp2Section_8_1.java
index aed4d0c51a..ad628e5220 100644
--- a/test/org/apache/coyote/http2/TestHttp2Section_8_1.java
+++ b/test/org/apache/coyote/http2/TestHttp2Section_8_1.java
@@ -552,6 +552,6 @@ public class TestHttp2Section_8_1 extends Http2TestBase {
headers.add(new Header(":path", "/simple"));
headers.add(new Header("host", "localhost:" + getPort()));
- doInvalidPseudoHeaderTest(headers, "0-Goaway-[3]-[1]-");
+ doInvalidPseudoHeaderTest(headers, "3-RST-[1]\n");
}
}
diff --git a/test/org/apache/coyote/http2/TestHttp2Section_8_5.java
b/test/org/apache/coyote/http2/TestHttp2Section_8_5.java
new file mode 100644
index 0000000000..f7bd35e474
--- /dev/null
+++ b/test/org/apache/coyote/http2/TestHttp2Section_8_5.java
@@ -0,0 +1,64 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.coyote.http2;
+
+import java.nio.ByteBuffer;
+import java.util.ArrayList;
+import java.util.List;
+
+import org.junit.Assert;
+import org.junit.Test;
+
+import org.apache.tomcat.util.http.Method;
+
+/**
+ * Unit tests for Section 8.5 of <a
href="https://tools.ietf.org/html/rfc9113#section-8.5";>RFC 9113</a>.
+ */
+public class TestHttp2Section_8_5 extends Http2TestBase {
+
+ @Test
+ public void testConnectWithScheme() throws Exception {
+ testConnectWithHeader(":scheme", "http");
+ }
+
+
+ @Test
+ public void testConnectWithPath() throws Exception {
+ testConnectWithHeader(":path", "/should/not/be/present");
+ }
+
+
+ private void testConnectWithHeader(String headerName, String headerValue)
throws Exception {
+ http2Connect();
+
+ byte[] frameHeader = new byte[9];
+ ByteBuffer headersPayload = ByteBuffer.allocate(128);
+
+ List<Header> headers = new ArrayList<>(4);
+ headers.add(new Header(":method", Method.CONNECT));
+ headers.add(new Header(":authority", "localhost:" + getPort()));
+ headers.add(new Header(headerName, headerValue));
+
+ buildGetRequest(frameHeader, headersPayload, null, headers, 3);
+
+ writeFrame(frameHeader, headersPayload);
+
+ parser.readFrame();
+
+ Assert.assertEquals("3-RST-[1]\n", output.getTrace());
+ }
+}
diff --git a/test/org/apache/coyote/http2/TestStreamProcessor.java
b/test/org/apache/coyote/http2/TestStreamProcessor.java
index 7e08f5903f..92277bb2fe 100644
--- a/test/org/apache/coyote/http2/TestStreamProcessor.java
+++ b/test/org/apache/coyote/http2/TestStreamProcessor.java
@@ -578,7 +578,6 @@ public class TestStreamProcessor extends Http2TestBase {
List<Header> headers = new ArrayList<>(4);
headers.add(new Header(":method", Method.CONNECT));
- headers.add(new Header(":scheme", "http"));
headers.add(new Header(":authority", "example.local"));
byte[] headersFrameHeader = new byte[9];
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index cc6aa6ea6a..92d45fb44f 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -200,6 +200,10 @@
Add validation that the HTTP/2 <code>:scheme</code> pseudo-header is
consistent with the use (or not) of TLS. (markt)
</fix>
+ <fix>
+ Correct the validation of pseudo headers and CONNECT requests to align
+ Tomcat's behaviour with RFC 9113, section 8.5. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Other">
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
