Vert.x does not respond appropriately for HTTP/1.1 request containing no Host header #5204
Comments
NilsRenaud added a commit to NilsRenaud/vert.x that referenced this issue May 17, 2024
An HTTP/1.1 message MUST be rejected with an HTTP 400 error code when no Host header is present. See https://datatracker.ietf.org/doc/html/rfc9112#section-3.2 See eclipse-vertx#5204 for details. Signed-off-by: Nils Renaud <[email protected]>
I do have mixed feelings about this change because it might break applications although that is the proper way according to HTTP. Perhaps this could be achieved in vertx-web instead of vertx-core

e.g. in

```java
if (path == null || path.isEmpty()) {
  // HTTP paths must start with a '/'
  fail(400);
} else if (path.charAt(0) != '/') {
  // For compatibility we return `Not Found` when a path does not start with `/`
  fail(404);
}
```

I believe we should improve this and have this done in this project instead
Version
4.5.7

Context
An error occurred while processing an HTTP/1.1 request with no Host header. The error occurred because we didn't expect the `authority()` to be non-null (and hadn't properly checked):

We've fixed this in our application, but were surprised that Vert.x doesn't handle validation of an HTTP/1.1 request with no Host header, especially as the spec RFC9112 indicates that servers should respond with a 400 BadRequest response:

Do you have a reproducer?
Not at the moment but can do so if

Steps to reproduce
We used telnet to fire a request with no Host. Note though that our application reads the `authority()` (trying to align HTTP/1.1 and HTTP/2 requests):

Extra
This looks like the likely spot for handling such an error: HttpServerRequest#DEFAULT_INVALID_REQUEST_HANDLER. This would be in collaboration with the connection first checking for a Host header and creating its own `UnknownHostException` if none present.
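
An application-level guard of the kind the report describes, as an added example (not code from Vert.x or from the reporter's application): it answers 400 to an HTTP/1.1 request unless exactly one Host field line is present, which also covers the duplicate-Host case of RFC 9112 section 3.2 that the issue itself does not discuss. The names `HostHeaderGuard`, `requireHost` and `hasSingleHost` and the port 8080 are assumptions made for the example.

```java
import io.vertx.core.Handler;
import io.vertx.core.Vertx;
import io.vertx.core.http.HttpServerRequest;
import io.vertx.core.http.HttpVersion;
import java.util.List;

public class HostHeaderGuard {

  // Hypothetical helper (not a Vert.x API): wraps the application handler and
  // rejects the request before application code ever reads authority().
  static Handler<HttpServerRequest> requireHost(Handler<HttpServerRequest> next) {
    return req -> {
      boolean http11 = req.version() == HttpVersion.HTTP_1_1;
      // Header names are matched case-insensitively by the request's MultiMap.
      if (http11 && !hasSingleHost(req.headers().getAll("Host"))) {
        req.response().setStatusCode(400).end();
        return;
      }
      next.handle(req);
    };
  }

  // RFC 9112 section 3.2: an HTTP/1.1 request with no Host field line, or with
  // more than one, must be answered with 400 (Bad Request).
  static boolean hasSingleHost(List<String> hostValues) {
    return hostValues.size() == 1;
  }

  public static void main(String[] args) {
    Vertx vertx = Vertx.vertx();
    vertx.createHttpServer()
      .requestHandler(requireHost(req -> {
        // An HTTP/1.0 request may legitimately carry no Host header, so the
        // application still treats authority() as nullable here.
        Object authority = req.authority();
        String seen = authority == null ? "<none>" : authority.toString();
        req.response().end("authority=" + seen + "\n");
      }))
      .listen(8080); // port chosen arbitrarily for the example
  }
}
```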