Apache 2.2.32 request header parsing and RFC7230 compliance

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

Apache 2.2.32 request header parsing and RFC7230 compliance

Joao Costa
RFC7230 section 3.2.6 (https://tools.ietf.org/html/rfc7230#section-3.2.6 ) defines a HTTP header field as:

     header-field   = field-name ":" OWS field-value OWS
     field-name     = token
and
     token          = 1*tchar
     tchar          = "!" / "#" / "$" / "%" / "&" / "'" / "*"
                    / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~"
                    / DIGIT / ALPHA
                    ; any VCHAR, except delimiters




I believe Apache 2.2.32 fails to comply with the above definition for a single character request header. Apache 2.4.25 on the other hand accepts these requests just fine.

------------------------------------------------
GET / HTTP/1.1
Host: dw00043.dweb.intranet.db.com
t: testalpha

------------------------------------------------

------------------------------------------------
GET / HTTP/1.1
Host: dw00043.dweb.intranet.db.com
0: testnum

------------------------------------------------


Is this a bug, and is there a chance of fixing it in 2.2.32 ?


---
This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and delete this e-mail. Any unauthorized copying, disclosure or distribution of the material in this e-mail is strictly forbidden.

Please refer to https://www.db.com/disclosures for additional EU corporate and regulatory disclosures and to http://www.db.com/unitedkingdom/content/privacy.htm for information about privacy.

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: Apache 2.2.32 request header parsing and RFC7230 compliance

Eric Covener
On Mon, May 22, 2017 at 4:34 AM, Joao Costa <[hidden email]> wrote:
> Is this a bug, and is there a chance of fixing it in 2.2.32 ?


Not failing for me:

$ printf "GET / HTTP/1.1\r\nHost: foo\r\n0:x\r\n\r\n" | nc 0 80
HTTP/1.1 200 OK
Date: Thu, 01 Jun 2017 13:08:46 GMT
Server: Apache/2.2.33-dev (Unix) DAV/2 mod_ssl/2.2.33-dev OpenSSL/1.0.2g
Last-Modified: Wed, 21 Dec 2016 02:42:39 GMT
ETag: "82aac2-62-544221b37fba1"
Accept-Ranges: bytes
Content-Length: 98
Content-Type: text/html

<html><body><h1>It works!</h1>
<iframe src="http://localhost/what.html"></iframe>
</body></html>

What gets logged for you?

--
Eric Covener
[hidden email]

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]