[Bug 61120] New: Tomcat 8.5.15 with HTTP/2: URL path parameters lost


[Bug 61120] New: Tomcat 8.5.15 with HTTP/2: URL path parameters lost

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=61120

            Bug ID: 61120
           Summary: Tomcat 8.5.15 with HTTP/2: URL path parameters lost
           Product: Tomcat 8
           Version: 8.5.15
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Connectors
          Assignee: [hidden email]
          Reporter: [hidden email]
  Target Milestone: ----

When using Tomcat 8.5.15 with HTTP/2 all URL path parameters get lost.

In some cases, session tracking is done via URL (yes, I know, doing that is bad
;)). Using the HTTP/2 protocol, the URL contains the "jsessionid" parameter,
but Tomcat creates a new session. It seems, the session ID never reaches the
session manager.

I configured a connector using NIO2 in combination with Http2Protocol:


<Connector
  port="8444"
  protocol="org.apache.coyote.http11.Http11Nio2Protocol"
  sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
  SSLEnabled="true"
  scheme="https"
  secure="true"
  sslProtocol="TLS"
  [...]>
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
</Connector>


Using the same connector without <UpgradeProtocol> everything is okay.

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


[Bug 61120] Tomcat 8.5.15 with HTTP/2: URL path parameters lost

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=61120

Markus Dörschmidt <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email]


[Bug 61120] Tomcat 8.5.15 with HTTP/2: URL path parameters lost

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=61120

Mark Thomas <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #1 from Mark Thomas <[hidden email]> ---
Thanks for the report.

This has been fixed in:
- 9.0.x for 9.0.0.M22
- 8.5.x for 8.5.16


[Bug 61120] Tomcat 8.5.15 with HTTP/2: URL path parameters lost

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=61120

--- Comment #2 from Mark Thomas <[hidden email]> ---
This is CVE-2017-7675.

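A configuration check for the condition discussed in this thread, added here as an example and not code from the Tomcat project or the reporter: it lists connectors in a server.xml that nest the HTTP/2 UpgradeProtocol and flags them when the running version predates the fixed releases named in comment #1. The function names and the sample server.xml are constructed, and treating every 8.5.x before 8.5.16 and every 9.0.0 milestone before M22 as unfixed is an assumption.

```python
import re
import xml.etree.ElementTree as ET

H2_CLASS = "org.apache.coyote.http2.Http2Protocol"  # class name from the report

# Constructed sample modelled on the connector in the report (elided attributes omitted).
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" />
  <Connector port="8444" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
             SSLEnabled="true" scheme="https" secure="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
  </Connector>
</Service></Server>"""

def http2_ports(server_xml):
    """Return the ports of all connectors that nest an HTTP/2 UpgradeProtocol."""
    root = ET.fromstring(server_xml)
    return [c.get("port") for c in root.iter("Connector")
            if any(u.get("className") == H2_CLASS for u in c.findall("UpgradeProtocol"))]

def has_fix(version):
    """True if the version is at or past the fixed releases named in comment #1.
    Assumption: every 8.5.x before 8.5.16 and every 9.0.0 milestone before M22
    counts as unfixed; other release lines are outside this check (None)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    milestone = int(m.group(4)) if m.group(4) else None
    if (major, minor) == (8, 5):
        return patch >= 16
    if (major, minor) == (9, 0):
        # 9.0.0.Mnn milestones precede every later 9.0.x release.
        return milestone >= 22 if (patch == 0 and milestone is not None) else True
    return None

def affected_ports(server_xml, version):
    """Ports where the lost-path-parameter behaviour from the report applies."""
    return http2_ports(server_xml) if has_fix(version) is False else []

if __name__ == "__main__":
    for v in ("8.5.15", "8.5.16", "9.0.0.M21", "9.0.0.M22"):
        print(v, affected_ports(SAMPLE_SERVER_XML, v))
```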