Build Identifier: All

When the "Host" request header contains a value of this form "<hostname>:" (i.e. with a trailing colon and no port number), jetty throws a NumberFormatException in Request.java:1001.

Additional information: http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.23

Perhaps this error is due to the fact that there are sometimes 2 colon characters in the "Host" header: 1) as a delimiter separating the key from the value, and 2) as a delimiter within the value, separating the hostname and port number.

Reproducible: Always

Steps to Reproduce:
1. Create a request with a malformed "Host" header like this: "Host:someserver.com:"
2. Jetty will throw a NumberFormatException
It could be fixed by changing:

org.eclipse.jetty.server.Request.java:1001

    _port=BufferUtil.toInt(hostPort.peek(i+1, hostPort.putIndex()-i-1));

to:

    try {
        _port=BufferUtil.toInt(hostPort.peek(i+1, hostPort.putIndex()-i-1));
    } catch(NumberFormatException e) {
        _port=0;
    }
I think the server should actually do a 400 bad request response. It is dangerous to be too accepting of things like host - especially with IPv6 addresses containing : characters.
Created attachment 209138
proposed patch

Created attachment 209139
2nd commit with the actual patch + unit test

Attached you will find patches for two commits. The first is a code format and the second is the actual patch + unit test. NumberFormatException is now being caught and causes jetty to return a 400 Bad Request with a meaningful message text.
Applied, but I modified the error message sent back to remove the XSS vulnerability. The server should never echo back user data, as this can be used to inject evilness in devious ways. Also, to keep the jetty footprint small, I favour short and simple error messages like "Bad Host header".
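
An added illustration, not part of the original thread and not Jetty's own code: a stand-alone Java example of the behaviour the thread settles on, where a Host value with a trailing colon, a non-numeric port or an unbracketed IPv6 address is rejected with 400 and the fixed text "Bad Host header", so no request data reaches the response. The class, record and method names and the sample values are assumptions made for this example.

```java
import java.util.List;

public class HostHeaderCheck {
    /** Parsed Host header value; port is -1 when the header carries no port. */
    record HostPort(String host, int port) {}

    /** Raised for any malformed value; the message is constant and never contains request data. */
    static class BadHostException extends Exception {
        BadHostException() { super("Bad Host header"); }
    }

    static HostPort parse(String value) throws BadHostException {
        if (value == null || value.isEmpty()) throw new BadHostException();
        String host, port = null;
        if (value.charAt(0) == '[') {                    // bracketed IPv6 literal
            int close = value.indexOf(']');
            if (close < 2) throw new BadHostException(); // no closing bracket, or "[]"
            host = value.substring(0, close + 1);
            String rest = value.substring(close + 1);
            if (!rest.isEmpty()) {
                if (rest.charAt(0) != ':') throw new BadHostException();
                port = rest.substring(1);
            }
        } else {
            int colon = value.indexOf(':');
            // More than one colon outside brackets: unbracketed IPv6 or junk.
            if (colon != value.lastIndexOf(':')) throw new BadHostException();
            host = colon < 0 ? value : value.substring(0, colon);
            if (colon >= 0) port = value.substring(colon + 1);
        }
        if (host.isEmpty()) throw new BadHostException();
        if (port == null) return new HostPort(host, -1);
        // "someserver.com:" arrives here with an empty port: reject before any integer parsing.
        if (port.isEmpty() || port.length() > 5 || !port.chars().allMatch(c -> c >= '0' && c <= '9'))
            throw new BadHostException();
        int p = Integer.parseInt(port);
        if (p > 65535) throw new BadHostException();
        return new HostPort(host, p);
    }

    public static void main(String[] args) {
        // Constructed sample values, including the one from the report.
        for (String v : List.of("someserver.com:8080", "someserver.com:", "[::1]:8080", "::1", "a:<b>")) {
            try {
                System.out.println("accepted " + parse(v));
            } catch (BadHostException e) {
                System.out.println("400 " + e.getMessage()); // fixed text only
            }
        }
    }
}
```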