-
Notifications
You must be signed in to change notification settings - Fork 306
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
FISH-9690: adding validation to prevent invalid characters on header values #7035
base: main
Are you sure you want to change the base?
FISH-9690: adding validation to prevent invalid characters on header values #7035
Conversation
appserver/web/web-core/src/main/java/org/apache/catalina/connector/CoyoteAdapter.java
Outdated
Show resolved
Hide resolved
Jenkins test please |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Copyright header needs updating in the pom, other than that LGTM.
appserver/web/web-core/src/main/java/org/apache/catalina/connector/CoyoteAdapter.java
Outdated
Show resolved
Hide resolved
@@ -132,6 +133,8 @@ public class CoyoteAdapter extends HttpHandler { | |||
Boolean.valueOf(System.getProperty( | |||
"com.sun.enterprise.web.collapseAdjacentSlashes", "true")); | |||
|
|||
private static String INVALID_PATTERNS_RFC_9110 = "(\\\\n)|(\\\\0)|(\\\\r)|(\\\\x00)|(\\\\x0A)|(\\\\x0D)"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There's no limitation to literal \
characters in RFC9110.
The actual bytes that involve non-visual characters should be rejected (Character.isISOControl
), as actuall 0x00
in the byte stream.
* @return boolean false if any of the evaluated characters is available in any of the header values, true if the headers | ||
* don't contain any of the problematic characters | ||
*/ | ||
private boolean validateHeaderValues(final org.glassfish.grizzly.http.server.Request req) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Isn't this too late though? Shouldn'r Grizzly already reject an invalid Request? Based on original report it is indeed the case and Grizzly shouldn't even pass the request to Coyote.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yeah at the beginning I thought to add it to the Grizzly side, after checking with the team we thought that Coyote side would be fine. @Pandrex247 any suggestion?
I have a bad news:
|
Ah, there is a way:
Note the
Sending zero breaks curl, it doesn't send the header at all :-)
As expected, if I put
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The current version refuses \
n
, which is OK; this should be allowed.
Please, try the implementation with the $'X-MyHeader: \nhello'
version of the curl test.
Fix for RFC-9110 regarding invalid characters on header values
Description
This is a fix for a bug reported from the service team regarding to prevent any issue when invalid characters are set on header values based on the RFC-9110
Important Info
Blockers
Testing
New tests
Arquillian test added on the Payara Samples: appserver/tests/payara-samples/samples/rfc-9110/src/test/java/fish/payara/samples/headers/PayaraValidationRFCHeadersIT.java
Testing Performed
Manual testing:
Deploy the following application in Payara 6:
ReproducerJDK11.zip
when the application is deployed open a git bash terminal from windows or use postman to execute a get call for the following URL: http://localhost:8080/PayaraServletProject-1.0-SNAPSHOT/PayaraServletProject
for curl use the following command including an invalid header including the following list of invalid characters:
example of commands using git bash:
curl -i -v -H "X-MyHeader: \nhello" http://localhost:8080/PayaraServletProject-1.0-SNAPSHOT/PayaraServletProject
curl -i -v -H "X-MyHeader: \rhello" http://localhost:8080/PayaraServletProject-1.0-SNAPSHOT/PayaraServletProject
curl -i -v -H "X-MyHeader: \0hello" http://localhost:8080/PayaraServletProject-1.0-SNAPSHOT/PayaraServletProject
curl -i -v -H "X-MyHeader: \x00hello" http://localhost:8080/PayaraServletProject-1.0-SNAPSHOT/PayaraServletProject
curl -i -v -H "X-MyHeader: \x0Ahello" http://localhost:8080/PayaraServletProject-1.0-SNAPSHOT/PayaraServletProject
curl -i -v -H "X-MyHeader: \x0Dhello" http://localhost:8080/PayaraServletProject-1.0-SNAPSHOT/PayaraServletProject
with invalid characters now the response should be a 400 error with specific error code on the server:
server log:
with valid characters the call should return 200
curl -i -v -H "X-MyHeader: hello" http://localhost:8080/PayaraServletProject-1.0-SNAPSHOT/PayaraServletProject
from postman:
Arquillian test execution passing with success:
Testing Environment
Windows 11, azul JDK 11, maven 3.9.5
Documentation
Notes for Reviewers