Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enhance HTTP Compliance CRLF modes #12564

Merged
merged 3 commits into from
Nov 28, 2024
Merged

Enhance HTTP Compliance CRLF modes #12564

merged 3 commits into from
Nov 28, 2024

Conversation

gregw
Copy link
Contributor

@gregw gregw commented Nov 22, 2024

Added modes to allow strict requirement for CRLF termination of headers and/or chunks

@gregw
Enhance HTTP Compliance CRLF modes
d1d37b8 
Added modes to allow strict requirement for CRLF termination of headers and/or chunks
@gregw gregw requested review from lorban and joakime and removed request for lorban November 22, 2024 23:20
@gregw
Enhance HTTP Compliance CRLF modes
506042a 
Added modes to allow strict requirement for CRLF termination of headers and/or chunks
sbordet
sbordet requested changes Nov 25, 2024
View reviewed changes
Copy link
Contributor

@sbordet sbordet left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  1. What happens now if we have a request with mixed EOL, e.g. some are just \n, and some \r\n, still good and we have tests?
  2. Please update the documentation about the compliance, defaulting to 9110 where now is 7230 in programming-guide/server/compliance.
  3. This must be backported to 12.0.x, so I would rather rebase this PR on 12.0.x and then merge forward.

jetty-core/jetty-http/src/main/java/org/eclipse/jetty/http/HttpCompliance.java Outdated Show resolved Hide resolved
jetty-core/jetty-http/src/main/java/org/eclipse/jetty/http/HttpCompliance.java Outdated Show resolved Hide resolved
@gregw
Enhance HTTP Compliance CRLF modes
a95a84b 
Added modes to allow strict requirement for CRLF termination of headers and/or chunks
Updates from review
@gregw
Copy link
Contributor Author

gregw commented Nov 26, 2024

  1. What happens now if we have a request with mixed EOL, e.g. some are just \n, and some \r\n, still good and we have tests?

If configured to accept LF EOL, then we accept a mix of LF and CRLF. I guess we could have a semi strict mode that once you see a LF then any CRLF is an error... but that's not what the RFC says. If you want to be strict, then just accept CRLF only.

  1. Please update the documentation about the compliance, defaulting to 9110 where now is 7230 in programming-guide/server/compliance.

Done.

  1. This must be backported to 12.0.x, so I would rather rebase this PR on 12.0.x and then merge forward.

I'm not sure we need to backport. There is no actual issue with jetty here and this is just tightening the compliance as a future proofing exercise. Let's talk offline.

@gregw gregw requested a review from sbordet November 27, 2024 20:57
@gregw gregw merged commit 4cef69c into jetty-12.1.x Nov 28, 2024
10 checks passed
@gregw gregw deleted the fix/strictCRLFComplianceMode branch November 28, 2024 22:16
@olamy olamy mentioned this pull request Jan 31, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sbordet sbordet sbordet approved these changes

@joakime joakime Awaiting requested review from joakime

@lorban lorban Awaiting requested review from lorban

Assignees
No one assigned
Labels
None yet
Projects
Jetty 12.1.0
Status: ✅ Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@gregw @sbordet