
Request Authority checks needed

Status: Open. joakime opened this issue 1 year ago • 0 comments

Jetty version(s): 12.0.12

Jetty Environment: Any

Java version/vendor (use: java -version): Any

OS type/version: Any

Description: In light of the changes to HttpCompliance in the AuthorityCustomizer PR #12066 it was determined that the request authority checks should occur after the Customizers run, not before.

This would hopefully catch things like missing authority, bad authorities, blank authorities, mismatched authorities.

The various specs and their statements on request authority for us to base this on ...

  • https://datatracker.ietf.org/doc/html/rfc9110#name-host-and-authority
  • https://datatracker.ietf.org/doc/html/rfc9110#name-establishing-authority
  • https://datatracker.ietf.org/doc/html/rfc7540#section-8.1.2.3
  • https://datatracker.ietf.org/doc/html/rfc7540#section-8.3
  • https://datatracker.ietf.org/doc/html/rfc7540#section-10.1

We should also be aware of authority changes outside of the HTTP protocol (like from Forwarded headers).

joakime, Jul 30 '24 15:07
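The ordering question the issue raises (customizers first, then the authority check) is easy to lose in prose, so here is an added, self-contained sketch of it. This is example code written for this page, not Jetty's AuthorityCustomizer or any Jetty API: the Request class, forwarded_customizer, check_authority and process are all hypothetical stand-ins, and the sample requests are constructed. The check itself follows the cited specs: RFC 9112 rejects a missing, duplicated or invalid Host; RFC 9110 rejects an empty host in an http URI; RFC 7540 carries the authority in :authority and, for CONNECT, in an authority-form target. The forwarded sample shows why the order matters: the Host header is fine, and only the authority a Forwarded header installs is malformed, so a check that runs before the customizer never sees it.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field
from typing import Callable, Optional

# authority = host [ ":" port ]  (RFC 9110 section 4.2, RFC 3986 section 3.2)
# host      = IP-literal / reg-name  (IPv4 is syntactically a reg-name; ':' is never allowed in reg-name)
_REG_NAME = r"(?:[A-Za-z0-9\-._~!$&'()*+,;=]|%[0-9A-Fa-f]{2})+"
_IP_LITERAL = r"\[[0-9A-Fa-f:.]+\]"
AUTHORITY_RE = re.compile(rf"^(?P<host>{_IP_LITERAL}|{_REG_NAME})(?::(?P<port>[0-9]*))?$")


@dataclass
class Request:
    """Hypothetical request model (not Jetty's): just what the authority check needs."""
    version: str                      # "HTTP/1.1" or "HTTP/2"
    method: str
    target: str                       # origin-form "/p", absolute-form "http://h/p", authority-form "h:443"
    headers: list[tuple[str, str]] = field(default_factory=list)  # a list, so repeated Host lines stay visible
    authority: Optional[str] = None   # HTTP/2 :authority, or the value a customizer installed


def host_headers(req: Request) -> list[str]:
    return [v for k, v in req.headers if k.lower() == "host"]


def forwarded_customizer(req: Request) -> None:
    """Constructed stand-in for a proxy-header customizer: the first host= parameter
    of a Forwarded header (RFC 7239) replaces the request authority."""
    for k, v in req.headers:
        if k.lower() != "forwarded":
            continue
        for element in v.split(","):
            for pair in element.split(";"):
                name, _, value = pair.strip().partition("=")
                if name.lower() == "host":
                    req.authority = value.strip().strip('"')
                    return


def target_authority(req: Request) -> Optional[str]:
    """Authority carried by the request-target itself: the whole target for CONNECT,
    the host part for absolute-form, nothing for origin-form."""
    if req.method.upper() == "CONNECT":
        return req.target
    m = re.match(r"^[A-Za-z][A-Za-z0-9+.\-]*://([^/?#]*)", req.target)
    return m.group(1) if m else None


def check_authority(req: Request) -> Optional[str]:
    """Return None when the effective authority is acceptable, else the reason for a 400."""
    hosts = host_headers(req)
    if len(hosts) > 1:
        return "multiple Host header fields"
    if req.method.upper() == "CONNECT" and not AUTHORITY_RE.match(req.target):
        return "CONNECT target must be authority-form"
    # :authority (or a customizer's value) wins; otherwise fall back to the single Host line
    authority = req.authority if req.authority is not None else (hosts[0] if hosts else None)
    if authority is None:
        return "missing authority (no Host header or :authority)"
    if authority.strip() == "":
        return "blank authority"      # an http URI must have a non-empty host (RFC 9110 section 4.2.1)
    m = AUTHORITY_RE.match(authority)
    if not m:
        return f"malformed authority {authority!r}"
    if m.group("port") and int(m.group("port")) > 65535:
        return f"port out of range in {authority!r}"
    from_target = target_authority(req)
    if from_target is not None and from_target.lower() != authority.lower():
        return f"authority mismatch: target has {from_target!r}, header has {authority!r}"
    return None


def process(req: Request, customizers: list[Callable[[Request], None]]) -> Optional[str]:
    """The ordering the issue asks for: every customizer runs first, then the authority check."""
    for customize in customizers:
        customize(req)
    return check_authority(req)


def make_samples() -> dict[str, Request]:
    """Constructed requests, one per failure mode the issue lists; fresh objects on every call."""
    return {
        "ok_h1": Request("HTTP/1.1", "GET", "/index.html", [("Host", "example.com")]),
        "missing": Request("HTTP/1.1", "GET", "/", []),
        "blank": Request("HTTP/1.1", "GET", "/", [("Host", "")]),
        "dup": Request("HTTP/1.1", "GET", "/", [("Host", "a.example"), ("Host", "b.example")]),
        "bad": Request("HTTP/1.1", "GET", "/", [("Host", "a.example:80:80")]),
        "mismatch": Request("HTTP/1.1", "GET", "http://a.example/", [("Host", "b.example")]),
        "forwarded": Request("HTTP/1.1", "GET", "/",
                             [("Host", "internal:8080"), ("Forwarded", 'for=192.0.2.1;host="bad host"')]),
        "h2": Request("HTTP/2", "GET", "/", [], authority="example.com:443"),
        "connect": Request("HTTP/2", "CONNECT", "example.com:443", [], authority="example.com:443"),
    }


if __name__ == "__main__":
    for name, req in make_samples().items():
        print(f"{name:10} -> {process(req, [forwarded_customizer])}")
```

Running the module prints one verdict per sample. The interesting pair is the forwarded request: check_authority on the raw request passes, while process with the customizer in front of the check rejects it, which is exactly the gap the issue wants closed.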