Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enhance HTTP Compliance CRLF modes #12564

Open
wants to merge 3 commits into
base: jetty-12.1.x
Choose a base branch
from
Open

Enhance HTTP Compliance CRLF modes #12564

wants to merge 3 commits into from
+1,588 −936

Conversation

gregw
Copy link
Contributor

@gregw gregw commented Nov 22, 2024

Added modes to allow strict requirement for CRLF termination of headers and/or chunks

@gregw
Enhance HTTP Compliance CRLF modes
d1d37b8 
Added modes to allow strict requirement for CRLF termination of headers and/or chunks
@gregw gregw requested review from lorban and joakime and removed request for lorban November 22, 2024 23:20
@gregw
Enhance HTTP Compliance CRLF modes
506042a 
Added modes to allow strict requirement for CRLF termination of headers and/or chunks
sbordet
sbordet requested changes Nov 25, 2024
View reviewed changes
Copy link
Contributor

@sbordet sbordet left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  1. What happens now if we have a request with mixed EOL, e.g. some are just \n, and some \r\n, still good and we have tests?
  2. Please update the documentation about the compliance, defaulting to 9110 where now is 7230 in programming-guide/server/compliance.
  3. This must be backported to 12.0.x, so I would rather rebase this PR on 12.0.x and then merge forward.

jetty-core/jetty-http/src/main/java/org/eclipse/jetty/http/HttpCompliance.java Outdated Show resolved Hide resolved
jetty-core/jetty-http/src/main/java/org/eclipse/jetty/http/HttpCompliance.java Outdated Show resolved Hide resolved
@gregw
Enhance HTTP Compliance CRLF modes
a95a84b 
Added modes to allow strict requirement for CRLF termination of headers and/or chunks
Updates from review
@gregw
Copy link
Contributor Author

gregw commented Nov 26, 2024

  1. What happens now if we have a request with mixed EOL, e.g. some are just \n, and some \r\n, still good and we have tests?

If configured to accept LF EOL, then we accept a mix of LF and CRLF. I guess we could have a semi strict mode that once you see a LF then any CRLF is an error... but that's not what the RFC says. If you want to be strict, then just accept CRLF only.

  1. Please update the documentation about the compliance, defaulting to 9110 where now is 7230 in programming-guide/server/compliance.

Done.

  1. This must be backported to 12.0.x, so I would rather rebase this PR on 12.0.x and then merge forward.

I'm not sure we need to backport. There is no actual issue with jetty here and this is just tightening the compliance as a future proofing exercise. Let's talk offline.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sbordet sbordet sbordet requested changes

@joakime joakime Awaiting requested review from joakime

@lorban lorban Awaiting requested review from lorban

Assignees
No one assigned
Labels
None yet
Projects
Jetty 12.1.0
Status: 👀 In review
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@gregw @sbordet