This is an automated email from the ASF dual-hosted git repository. markt-asf pushed a commit to branch 11.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 053e4d6e0c7fb90335a2a3bf6ecc2fa1d78aeca4 Author: Mark Thomas <[email protected]> AuthorDate: Fri Apr 24 15:06:43 2026 +0100 Further improvements to CONNECT checks after CoPilot review --- java/org/apache/coyote/http2/Stream.java | 9 +++++++-- .../apache/coyote/http2/TestHttp2Section_8_5.java | 20 ++++++++++++++++++++ 2 files changed, 27 insertions(+), 2 deletions(-) diff --git a/java/org/apache/coyote/http2/Stream.java b/java/org/apache/coyote/http2/Stream.java index ac7b56ebd8..687b859539 100644 --- a/java/org/apache/coyote/http2/Stream.java +++ b/java/org/apache/coyote/http2/Stream.java @@ -588,11 +588,16 @@ class Stream extends AbstractNonZeroStream implements HeaderEmitter { if (coyoteRequest.getMethod() == null) { missingHeader = true; } else if (Method.CONNECT.equals(coyoteRequest.getMethod())) { + // CONNECT only if (!coyoteRequest.scheme().isNull() || !coyoteRequest.requestURI().isNull()) { - throw new StreamException(sm.getString("stream.header.invalidConnect", getConnectionId(), + throw new StreamException(sm.getString("stream.header.invalidConnect", getConnectionId(), getIdAsString()), Http2Error.PROTOCOL_ERROR, getIdAsInt()); } - } else if (!Method.CONNECT.equals(coyoteRequest.getMethod())) { + if (coyoteRequest.serverName().isNull()) { + missingHeader = true; + } + } else { + // All other methods if (coyoteRequest.scheme().isNull() || coyoteRequest.requestURI().isNull()) { missingHeader = true; } diff --git a/test/org/apache/coyote/http2/TestHttp2Section_8_5.java b/test/org/apache/coyote/http2/TestHttp2Section_8_5.java index f7bd35e474..52cd5de31f 100644 --- a/test/org/apache/coyote/http2/TestHttp2Section_8_5.java +++ b/test/org/apache/coyote/http2/TestHttp2Section_8_5.java @@ -61,4 +61,24 @@ public class TestHttp2Section_8_5 extends Http2TestBase { Assert.assertEquals("3-RST-[1]\n", output.getTrace()); } + + + @Test + public void testConnectWithoutAuthority() throws Exception { + http2Connect(); + + byte[] frameHeader = new byte[9]; + ByteBuffer headersPayload = ByteBuffer.allocate(128); + + List<Header> headers = new ArrayList<>(4); + headers.add(new Header(":method", Method.CONNECT)); + + buildGetRequest(frameHeader, headersPayload, null, headers, 3); + + writeFrame(frameHeader, headersPayload); + + parser.readFrame(); + + Assert.assertEquals("3-RST-[1]\n", output.getTrace()); + } } --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
