61120 – Tomcat 8.5.15 with HTTP/2: URL path parameters lost
Bug 61120 - Tomcat 8.5.15 with HTTP/2: URL path parameters lost
Summary: Tomcat 8.5.15 with HTTP/2: URL path parameters lost
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 8
Classification: Unclassified
Component: Connectors (show other bugs)
Version: 8.5.15
Hardware: PC Linux
: P2 normal (vote)
Target Milestone: ----
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-05-24 13:59 UTC by Markus Dörschmidt
Modified: 2020-04-28 15:18 UTC (History)
1 user (show)


Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Markus Dörschmidt 2017-05-24 13:59:03 UTC 
When using Tomcat 8.5.15 with HTTP/2 all URL path parameters gets lost.

In some cases, session tracking is done via URL (yes, I know, doing that is bad ;)). Using the HTTP/2 protocol, the URL contains the "jsessionid" parameter, but Tomcat creates a new session. It seems, the session ID never reaches the session manager.

I configured a connector using NIO2 in combination with Http2Protocol:


<Connector
  port="8444"
  protocol="org.apache.coyote.http11.Http11Nio2Protocol"
  sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
  SSLEnabled="true"
  scheme="https"
  secure="true"
  sslProtocol="TLS"
  [...]>
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
</Connector>


Using the same connector without <UpgradeProtocol> everything is okay.
Comment 1 Mark Thomas 2017-05-24 20:16:02 UTC 
Thanks for the report.

This has been fixed in:
- 9.0.x for 9.0.0.M22
- 8.5.x for 8.5.16
Comment 2 Mark Thomas 2017-08-10 22:06:02 UTC 
This is CVE-2017-7675.