
Bug 366774

Summary: NumberFormatException caused by malformed "Host" request header
Product: [RT] Jetty
Reporter: Nesa Simon David <hellznrg>
Component: server
Assignee: Thomas Becker <tbecker>
Status: RESOLVED FIXED
QA Contact:
Severity: minor
Priority: P3
CC: gregw, jetty-inbox
Version: unspecified
Target Milestone: 7.5.x
Hardware: All
OS: All
Whiteboard:
Attachments:
- proposed patch (flags: none)
- 2nd commit with the actual patch + unit test (flags: none)

Description Nesa Simon David CLA 2011-12-14 20:21:01 EST
Build Identifier: All

When the "Host" request header contains a value of the form "<hostname>:" (i.e. with a trailing colon and no port number), jetty throws a NumberFormatException in Request.java:1001.

Additional information: http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.23

Perhaps this error is due to the fact that there are sometimes 2 colon characters in the "Host" header: 1) as a delimiter separating the key from the value, and 2) as a delimiter within the value, separating the hostname and port number.

Reproducible: Always

Steps to Reproduce:
1. Create a request with a malformed "Host" header like this: "Host:someserver.com:"
2. Jetty will throw a NumberFormatException

Comment 1 Nesa Simon David CLA 2011-12-14 20:31:53 EST
It could be fixed by changing:

org.eclipse.jetty.server.Request.java:1001
_port=BufferUtil.toInt(hostPort.peek(i+1, hostPort.putIndex()-i-1));

to:

try {
  _port=BufferUtil.toInt(hostPort.peek(i+1, hostPort.putIndex()-i-1));
} catch(NumberFormatException e) {
  _port=0;
}

Comment 2 Greg Wilkins CLA 2011-12-22 00:51:33 EST
I think the server should actually do a 400 bad request response. It is dangerous to be too accepting of things like host - especially with IPv6 addresses containing : characters.

Comment 3 Thomas Becker CLA 2012-01-06 11:50:51 EST
Created attachment 209138
proposed patch

Comment 4 Thomas Becker CLA 2012-01-06 11:52:15 EST
Created attachment 209139
2nd commit with the actual patch + unit test

Attached you will find patches for two commits. The first is a code format and the second is the actual patch + unit test.

NumberFormatException is now being caught and causes jetty to return a 400 Bad Request with a meaningful message text.

Comment 5 Greg Wilkins CLA 2012-01-08 19:40:23 EST
Applied, but I modified the error message sent back to remove the XSS vulnerability. The server should never echo back user data, as this can be used to inject evilness in devious ways.

Also, to keep the jetty footprint small, I favour short and simple error messages like "Bad Host header"
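
The behaviour this thread settles on (reject a malformed Host value with a 400 and a fixed message that never echoes the header), shown as an added Java example that is not Jetty's code or the attached patch. The class, method and record names are hypothetical, records need Java 16 or later, and rejecting unbracketed values with more than one colon is an assumption of this example.

```java
public class HostHeaderCheck {
    /** Raised for any malformed Host value; the message is a constant, never the input. */
    static class BadHostHeader extends Exception {
        BadHostHeader() { super("Bad Host header"); }
    }

    /** Parsed result; port is -1 when the header carried no port. */
    record HostPort(String host, int port) {}

    static HostPort parse(String value) throws BadHostHeader {
        if (value == null || value.isEmpty()) throw new BadHostHeader();
        String host;
        String port = null;
        if (value.charAt(0) == '[') {
            // IPv6 literal: colons inside the brackets are not port delimiters
            int close = value.indexOf(']');
            if (close < 2) throw new BadHostHeader();
            host = value.substring(0, close + 1);
            String rest = value.substring(close + 1);
            if (!rest.isEmpty()) {
                if (rest.charAt(0) != ':') throw new BadHostHeader();
                port = rest.substring(1);
            }
        } else {
            int colon = value.indexOf(':');
            // assumption: more than one colon without brackets is rejected outright
            if (colon != value.lastIndexOf(':')) throw new BadHostHeader();
            host = colon < 0 ? value : value.substring(0, colon);
            if (colon >= 0) port = value.substring(colon + 1);
        }
        if (host.isEmpty()) throw new BadHostHeader();
        if (port == null) return new HostPort(host, -1);
        // "someserver.com:" lands here with an empty port: rejected, not defaulted to 0
        if (port.isEmpty() || port.length() > 5
                || !port.chars().allMatch(c -> c >= '0' && c <= '9')) throw new BadHostHeader();
        int p = Integer.parseInt(port);
        if (p > 65535) throw new BadHostHeader();
        return new HostPort(host, p);
    }

    public static void main(String[] args) {
        // constructed sample Host values, including the one from this report
        String[] samples = {"someserver.com", "someserver.com:8080", "someserver.com:",
                            "[::1]:8080", "::1", "someserver.com:80x"};
        for (String s : samples) {
            try { System.out.println("200 " + parse(s)); }
            catch (BadHostHeader e) { System.out.println("400 " + e.getMessage()); }
        }
    }
}
```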