You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
An error occurred while processing an HTTP/1.1 request with no Host header. The error occurred because we didn't expect the authority() to be non-null (and hadn't properly checked):
java.lang.NullPointerException: Cannot invoke "io.vertx.rxjava3.core.net.HostAndPort.host()" because the return value of "io.vertx.rxjava3.core.http.HttpServerRequest.authority()" is null
We've fixed this in our application, but were surprised that Vert.x doesn't handle validation of an HTTP/1.1 request with no Host header, especially as the spec RFC9112 indicates that servers should respond with a 400 BadRequest response:
A client MUST send a Host header field (Section 7.2 of [HTTP]) in all HTTP/1.1 request messages. If the target URI includes an authority component, then a client MUST send a field value for Host that is identical to that authority component, excluding any userinfo subcomponent and its "@" delimiter (Section 4.2 of [HTTP]). If the authority component is missing or undefined for the target URI, then a client MUST send a Host header field with an empty field value.
A server MUST respond with a 400 (Bad Request) status code to any HTTP/1.1 request message that lacks a Host header field and to any request message that contains more than one Host header field line or a Host header field with an invalid field value.
Do you have a reproducer?
Not at the moment but can do so if
Steps to reproduce
We used telnet to fire a request with no Host. Note though that our application reads the authority() (trying to align HTTP/1.1 and HTTP/2 requests):
$ telnet ig.example.com 8083
Trying ::1...
Connected to localhost.
Escape character is '^]'.
GET /hello HTTP/1.1
HTTP/1.1 500 Internal Server Error
Content-Length: 0
Extra
This looks like the likely spot for handling such an error: HttpServerRequest#DEFAULT_INVALID_REQUEST_HANDLER. This would be in collaboration with the connection first checking for a Host header and creating its own UnknownHostException if none present.
The text was updated successfully, but these errors were encountered:
I do have mixed feelings about this change because it might break applications although that is the proper way to according to HTTP. Perhaps this could be achieved in vertx-web instead of vertx-core
e.g. in RoutingContextImpl we already have some checks here:
if (path == null || path.isEmpty()) {
// HTTP paths must start with a '/'fail(400);
} elseif (path.charAt(0) != '/') {
// For compatiblity we return `Not Found` when a path does not start with `/`fail(404);
}
I believe we should improve this and have this done in this project instead
Version
4.5.7
Context
An error occurred while processing an HTTP/1.1 request with no Host header. The error occurred because we didn't expect the
authority()
to be non-null (and hadn't properly checked):We've fixed this in our application, but were surprised that Vert.x doesn't handle validation of an HTTP/1.1 request with no Host header, especially as the spec RFC9112 indicates that servers should respond with a 400 BadRequest response:
Do you have a reproducer?
Not at the moment but can do so if
Steps to reproduce
We used telnet to fire a request with no Host. Note though that our application reads the
authority()
(trying to align HTTP/1.1 and HTTP/2 requests):Extra
This looks like the likely spot for handling such an error: HttpServerRequest#DEFAULT_INVALID_REQUEST_HANDLER. This would be in collaboration with the connection first checking for a Host header and creating its own
UnknownHostException
if none present.The text was updated successfully, but these errors were encountered: