Hello everyone,

Tomcat Version: 9.0.26
OS: Windows and Linux

We recently upgraded from Tomcat 8.5.35 to 9.0.26, and in 9.0.26 there is a change in the default value of the "allowHostHeaderMismatch" flag which is causing a few issues for us.

8.5.35 - Default value of allowHostHeaderMismatch is true. So it ALLOWS requests where the host headers don't match.
9.0.26 - Default value of allowHostHeaderMismatch is false. So it BLOCKS requests where the host headers don't match.

Our POST request header looks like this:

POST https://linux-7f67.blr.abc.com:443/testUrl/ HTTP/1.1
Host: linux-7f67.blr.abc.com
User-Agent: gSOAP/2.8
Content-Type: text/xml; charset=utf-8
Content-Length: 1740
Connection: close

The content of the "Host" field, i.e. "Host: linux-7f67.blr.abc.com", is generated by the gSOAP library, and it omits the port as it is talking to a default port. The URI on the "POST" line, i.e. "https://linux-7f67.blr.abc.com:443/testUrl/", is generated by another tool, and it seems to be explicit about the port even though it is using the default port. There is some confusion in general on the internet about including the port in a URL for default ports. Some say it is OK to include it and some say it is redundant when using the default port.

The check in Tomcat at https://github.com/apache/tomcat/blob/ca66cfd3d6fae198fbcf76be09b3e8f3f8232c0a/java/org/apache/coyote/http11/Http11Processor.java#L686 compares "linux-7f67.blr.abc.com" in Host to "linux-7f67.blr.abc.com:443" in the POST URL, and Tomcat returns a 400 Bad Request because of the extra :443 in the URL.

What is your take on this? Should the code in Tomcat be checking just the FQDN without the port? Also, would it be possible to include a fix so that it skips the default port (if present) and then compares? Non-default ports to be still retained. Only default ports to be skipped.

Regards
Rajah Yoghindra
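As an added illustration of the comparison being discussed (my own Python, not Tomcat's code and not the gSOAP client), the check below extracts the authority from an absolute-form request-target and compares it with the Host header both byte-for-byte and with the scheme's default port stripped; the sample request is a constructed copy of the one in the post, and the helper names are my own.

```python
from urllib.parse import urlsplit

# RFC 3986 section 6.2.3: an explicit port equal to the scheme default is
# equivalent to omitting the port, so both spellings name the same authority.
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample, modelled on the request quoted in the post.
SAMPLE_REQUEST = (
    "POST https://linux-7f67.blr.abc.com:443/testUrl/ HTTP/1.1\r\n"
    "Host: linux-7f67.blr.abc.com\r\n"
    "User-Agent: gSOAP/2.8\r\n"
    "Content-Type: text/xml; charset=utf-8\r\n"
    "Content-Length: 1740\r\n"
    "Connection: close\r\n"
    "\r\n"
)


def parse_head(raw):
    """Return (request_target, headers) from the head of an HTTP/1.1 request."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return target, headers


def normalize_authority(scheme, authority):
    """Lower-case the host and drop a port that equals the scheme default.

    Non-default ports are kept, so "host:8443" stays distinct from "host".
    """
    host, sep, port = authority.rpartition(":")
    if sep and port.isdigit():
        if int(port) == DEFAULT_PORTS.get(scheme):
            return host.lower()
        return f"{host.lower()}:{int(port)}"
    return authority.lower()


def host_header_matches(raw, strict=False):
    """True if Host agrees with the absolute-form target's authority.

    strict=True is a literal string comparison (fails on the sample above);
    strict=False treats an explicit default port as equivalent to none.
    Origin-form targets carry no authority and are accepted as-is.
    """
    target, headers = parse_head(raw)
    host = headers.get("host", "")
    if not target.startswith(("http://", "https://")):
        return True
    parts = urlsplit(target)
    if strict:
        return parts.netloc == host
    return normalize_authority(parts.scheme, parts.netloc) == normalize_authority(parts.scheme, host)
```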
We recently upgraded from Tomcat 8.5.35 to 9.0.26 and in 9.0.26 there is change in default value of "allowHostHeaderMismatch" flag which is causing few issues for us. 8.5.35 - Default value of allowHostHeaderMismatch is true. So it ALLOWS requests where the host headers don't match . 9.0.26 - Default value of allowHostHeaderMismatch is false. So it BLOCKS requests where the host headers don't match . Our POST request header looks like this: POST https://linux-7f67.blr.abc.com:443/testUrl/ HTTP/1.1 Host: linux-7f67.blr.abc.com User-Agent: gSOAP/2.8 Content-Type: text/xml; charset=utf-8 Content-Length: 1740 Connection: close The content on the "Host" field i.e. "Host: linux-7f67.blr.abc.com" is generated by gSOAP library and it ignores adding the port as it to talking to a default port. The uri on the "POST" line i.e. "https://linux-7f67.blr.abc.com:443/testUrl/ " is generated by another tool and it seems to be explicit about the port even though it is using the default port. There is some confusion in general on the internet about including Port in URL for default ports. Some say it is ok to include and some say it is redundant when using default port. The check in tomcat at https://github.com/apache/tomcat/blob/ca66cfd3d6fae198fbcf76be09b3e8f3f8232c0a/java/org/apache/coyote/http11/Http11Processor.java#L686 compares "linux-7f67.blr.abc.com" in Host to "linux-7f67.blr.abc.com:443" in the POST url and tomcat returns a 400 Badrequest because of the extra :443 in the URL. [cid:image003.jpg@01D60CDF.A04BF0A0] What is your take on this ? Should the code in tomcat be checking just the fqdn without the port ? Also would it be possible to include a fix so that it skips the default port (if present) and then compare? Non default ports to be still retained. Only default ports to be skipped. Regards Rajah Yoghindra