diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ServerProperties.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ServerProperties.java index dccdf5073a4..027551b6c7a 100644 --- a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ServerProperties.java +++ b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ServerProperties.java @@ -409,6 +409,11 @@ public class ServerProperties { */ private Duration connectionTimeout; + /** + * Whether to reject requests with illegal header names or values. + */ + private boolean rejectIllegalHeader = true; + /** * Static resource configuration. */ @@ -560,6 +565,14 @@ public class ServerProperties { this.connectionTimeout = connectionTimeout; } + public boolean isRejectIllegalHeader() { + return this.rejectIllegalHeader; + } + + public void setRejectIllegalHeader(boolean rejectIllegalHeader) { + this.rejectIllegalHeader = rejectIllegalHeader; + } + public Resource getResource() { return this.resource; } diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/embedded/TomcatWebServerFactoryCustomizer.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/embedded/TomcatWebServerFactoryCustomizer.java index 9e44dd4bfa5..b55d2d9a66f 100644 --- a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/embedded/TomcatWebServerFactoryCustomizer.java +++ b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/embedded/TomcatWebServerFactoryCustomizer.java @@ -117,6 +117,8 @@ public class TomcatWebServerFactoryCustomizer .to((relaxedChars) -> customizeRelaxedPathChars(factory, relaxedChars)); propertyMapper.from(tomcatProperties::getRelaxedQueryChars).as(this::joinCharacters).whenHasText() .to((relaxedChars) -> customizeRelaxedQueryChars(factory, relaxedChars)); + propertyMapper.from(tomcatProperties::isRejectIllegalHeader) + .to((rejectIllegalHeader) -> customizeRejectIllegalHeader(factory, rejectIllegalHeader)); customizeStaticResources(factory); customizeErrorReportValve(properties.getError(), factory); } @@ -192,6 +194,16 @@ public class TomcatWebServerFactoryCustomizer factory.addConnectorCustomizers((connector) -> connector.setProperty("relaxedQueryChars", relaxedChars)); } + private void customizeRejectIllegalHeader(ConfigurableTomcatWebServerFactory factory, boolean rejectIllegalHeader) { + factory.addConnectorCustomizers((connector) -> { + ProtocolHandler handler = connector.getProtocolHandler(); + if (handler instanceof AbstractHttp11Protocol) { + AbstractHttp11Protocol protocol = (AbstractHttp11Protocol) handler; + protocol.setRejectIllegalHeader(rejectIllegalHeader); + } + }); + } + private String joinCharacters(List content) { return content.stream().map(String::valueOf).collect(Collectors.joining()); } diff --git a/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/ServerPropertiesTests.java b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/ServerPropertiesTests.java index 7f1ffd735a2..6234688ebc5 100644 --- a/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/ServerPropertiesTests.java +++ b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/ServerPropertiesTests.java @@ -130,6 +130,7 @@ class ServerPropertiesTests { map.put("server.tomcat.remoteip.protocol-header", "X-Forwarded-Protocol"); map.put("server.tomcat.remoteip.remote-ip-header", "Remote-Ip"); map.put("server.tomcat.remoteip.internal-proxies", "10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}"); + map.put("server.tomcat.reject-illegal-header", "false"); map.put("server.tomcat.background-processor-delay", "10"); map.put("server.tomcat.relaxed-path-chars", "|,<"); map.put("server.tomcat.relaxed-query-chars", "^ , | "); @@ -152,6 +153,7 @@ class ServerPropertiesTests { assertThat(tomcat.getRemoteip().getRemoteIpHeader()).isEqualTo("Remote-Ip"); assertThat(tomcat.getRemoteip().getProtocolHeader()).isEqualTo("X-Forwarded-Protocol"); assertThat(tomcat.getRemoteip().getInternalProxies()).isEqualTo("10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}"); + assertThat(tomcat.isRejectIllegalHeader()).isFalse(); assertThat(tomcat.getBackgroundProcessorDelay()).hasSeconds(10); assertThat(tomcat.getRelaxedPathChars()).containsExactly('|', '<'); assertThat(tomcat.getRelaxedQueryChars()).containsExactly('^', '|'); @@ -405,6 +407,12 @@ class ServerPropertiesTests { .isEqualTo(new RemoteIpValve().getInternalProxies()); } + @Test + void tomcatRejectIllegalHeaderMatchesProtocolDefault() throws Exception { + assertThat(getDefaultProtocol()).hasFieldOrPropertyWithValue("rejectIllegalHeader", + this.properties.getTomcat().isRejectIllegalHeader()); + } + @Test void tomcatUseRelativeRedirectsDefaultsToFalse() { assertThat(this.properties.getTomcat().isUseRelativeRedirects()).isFalse(); diff --git a/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/embedded/TomcatWebServerFactoryCustomizerTests.java b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/embedded/TomcatWebServerFactoryCustomizerTests.java index 6a3742a1722..80e5f8fa561 100644 --- a/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/embedded/TomcatWebServerFactoryCustomizerTests.java +++ b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/embedded/TomcatWebServerFactoryCustomizerTests.java @@ -320,6 +320,14 @@ class TomcatWebServerFactoryCustomizerTests { assertThat(factory.getEngineValves()).isEmpty(); } + @Test + void testCustomizeRejectIllegalHeader() { + bind("server.tomcat.reject-illegal-header=false"); + customizeAndRunServer((server) -> assertThat( + ((AbstractHttp11Protocol) server.getTomcat().getConnector().getProtocolHandler()) + .getRejectIllegalHeader()).isFalse()); + } + @Test void errorReportValveIsConfiguredToNotReportStackTraces() { TomcatWebServer server = customizeAndGetServer();