[Bug 60863] New: Apache proxy 2.4.25 can disable header check (Set-Cookie)


[Bug 60863] New: Apache proxy 2.4.25 can disable header check (Set-Cookie)

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=60863

            Bug ID: 60863
           Summary: Apache proxy 2.4.25 can disable header check
                    (Set-Cookie)
           Product: Apache httpd-2
           Version: 2.4.25
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_proxy
          Assignee: [hidden email]
          Reporter: [hidden email]
  Target Milestone: ---

Using Apache proxy.

Since Apache Proxy 2.4.25 checks headers, some sites have become unreachable due to
incorrect cookie syntax.

I had to go back to the previous 2.4.20.

The error is related to the invalid character \x01:

AH02430: Response header 'Set-Cookie' value of '___utmvaXEuDsBI=UxE\x01hXDj;
path=/; Max-Age=900' contains invalid characters, aborting request

The following URLs (most of them operated by incapdns.net) return this error:

http://www.cision.com
23gwg.x.incapdns.net.
107.154.115.114

http://academie-air-espace.com
185.11.125.199
149.126.77.65

http://www.defense.gouv.fr
yookd.x.incapdns.net.
107.154.115.47

http://www.bizjournals.com
ddc7y.x.incapdns.net.
107.154.115.27

http://correlatedsolutions.com
107.154.105.8
107.154.106.8

The directive
ProxyBadHeader          Ignore

does not solve these issues.

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


[Bug 60863] Apache proxy 2.4.25 can disable header check (Set-Cookie)

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=60863

--- Comment #1 from Luca Toscano <[hidden email]> ---
Hi Christian,

this is probably due to
https://httpd.apache.org/docs/current/mod/core.html#httpprotocoloptions, can
you try to set "HttpProtocolOptions Unsafe" ?



[Bug 60863] Apache proxy 2.4.25 can disable header check (Set-Cookie)

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=60863

--- Comment #2 from Luca Toscano <[hidden email]> ---
The documentation talks about "Request", but I quickly checked the code (not an
authoritative answer, so don't quote me on this) and the new checks seem to be
enforced for the response too.

Where does the header come from (curiosity)?



[Bug 60863] Apache proxy 2.4.25 can disable header check (Set-Cookie)

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=60863

--- Comment #3 from Luca Toscano <[hidden email]> ---
Hi Christian, any update?



[Bug 60863] Apache proxy 2.4.25 can disable header check (Set-Cookie)

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=60863

Thomas Jarosch <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email]

--- Comment #4 from Thomas Jarosch <[hidden email]> ---
After upgrading to httpd 2.4.25, I get the same "500 Internal server error".

The website pollin.de produces this error log:

Response header 'Set-Cookie' value of '___utmvaXIucook=DjJx01cqlU; path=/;
Max-Age=900' contains invalid characters

-> I'll try the suggested "HttpProtocolOptions unsafe" workaround at the
beginning of next week.



[Bug 60863] Apache proxy 2.4.25 can disable header check (Set-Cookie)

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=60863

--- Comment #5 from Bjoern Voigt <[hidden email]> ---
"HttpProtocolOptions unsafe" did not help in my case.

Tested site: http://www.egyptindependent.com/
Apache version: 2.4.49
Environment: openSUSE Tumbleweed 20180318 x86_64

The error message is:

[Wed Mar 21 12:56:12.843109 2018] [http:error] [pid 16291] [client
127.0.0.1:54552] AH02430: Response header 'Set-Cookie' value of
'___utmvazVukktoB=Qhz\x01CTqM; path=/; Max-Age=900' contains invalid
characters, aborting request



[Bug 60863] Apache proxy 2.4.25 can disable header check (Set-Cookie)

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=60863

Bjoern Voigt <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email]



[Bug 60863] Apache proxy cannot ignore response header validation

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=60863

Eric Covener <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|Apache proxy 2.4.25 can     |Apache proxy cannot ignore
                   |disable header check        |response header validation
                   |(Set-Cookie)                |
           Severity|normal                      |enhancement



[Bug 60863] Apache proxy cannot ignore response header validation

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=60863

--- Comment #6 from Eric Covener <[hidden email]> ---
I renamed and reclassified. Some way to strip/replace would be nice; I am
unsure if we want to provide an option to pass them through. Invalid is
invalid.



[Bug 60863] Apache proxy cannot ignore response header validation

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=60863

--- Comment #7 from Christian Pélissier <[hidden email]> ---
Here is the solution for 2.4.25 and later:

# Sites with SOH inside the cookie (incapsula.com)
# www.cision.com, www.bizjournals.com, correlatedsolutions.com
# academie-air-espace.com, www.defense.gouv.fr
# Strip the invalid SOH character (\001 / \x01) from the cookie value.
# Group 3 already ends with ';', so the replacement must not add another one.
Header edit Set-Cookie ___utmv(.*)=(.*)\001([^;]*;)(.*) ___utmv$1=$2$3$4

# Sites with syntactically incorrect headers such as:
# http://technopress.kaist.ac.kr/
Header unset 'Pragma :'
Header unset 'P3P :'
# http://www.anrt.asso.fr/
Header unset 'Expires :'

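As an added example (not part of the bug thread and not httpd's own code), the following Python script shows the check that Comment #2 describes being enforced on responses, and the two ways out that Comments #6 and #7 discuss. It validates a header field value against the RFC 7230 field-value grammar (an approximation of the strict check behind AH02430, not httpd's character table), applies a Python rendering of the "Header edit" regex from Comment #7 to the cookie values quoted in the thread, and shows the generic "strip the bad bytes" option Comment #6 mentions. It also checks a field name against the RFC 7230 token grammar, which is why a name such as 'Pragma ' with a trailing space is rejected. The sample values are the ones pasted in the thread with the \x01 byte restored (the Comment #4 value is kept exactly as pasted); all function names are my own.

```python
import re

# RFC 7230 field-value content: VCHAR (0x21-0x7E), obs-text (0x80-0xFF),
# plus SP and HTAB as separators. Every other byte (NUL, SOH, CR, LF, DEL, ...)
# is a control character. This approximates the strict check httpd 2.4.25
# applies (AH02430); it is not httpd's own character table.
_VALUE_ALLOWED = set(range(0x21, 0x7F)) | set(range(0x80, 0x100)) | {0x20, 0x09}

# RFC 7230 token characters, used for header field names.
_TCHAR = set(b"!#$%&'*+-.^_`|~0123456789"
             b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")


def invalid_value_bytes(value: bytes):
    """Return (offset, byte) pairs for every byte a strict field-value check rejects."""
    return [(i, b) for i, b in enumerate(value) if b not in _VALUE_ALLOWED]


def is_valid_field_value(value: bytes) -> bool:
    return not invalid_value_bytes(value)


def is_valid_field_name(name: bytes) -> bool:
    """A field name must be a non-empty token; 'Pragma ' (trailing space) is not."""
    return len(name) > 0 and all(b in _TCHAR for b in name)


# Python rendering of the mod_headers workaround from Comment #7:
#   Header edit Set-Cookie ___utmv(.*)=(.*)\001([^;]*;)(.*) ___utmv$1=$2$3$4
# Group 3 already ends with the ';', so no extra ';' is inserted.
_UTMV_SOH = re.compile(rb"___utmv(.*)=(.*)\x01([^;]*;)(.*)")


def strip_utmv_soh(value: bytes) -> bytes:
    """Drop the SOH byte from an ___utmv* cookie, keeping the rest of the value."""
    return _UTMV_SOH.sub(rb"___utmv\1=\2\3\4", value)


def sanitize_field_value(value: bytes) -> bytes:
    """Generic form of the 'strip' option Comment #6 mentions: remove every
    byte the value grammar rejects, whatever header it is in."""
    return bytes(b for b in value if b in _VALUE_ALLOWED)


# Constructed samples: the Set-Cookie values quoted in the thread. The first two
# have the \x01 byte restored; the third is exactly as pasted in Comment #4,
# where the control byte is not visible in the quoted log line.
SAMPLES = [
    b"___utmvaXEuDsBI=UxE\x01hXDj; path=/; Max-Age=900",
    b"___utmvazVukktoB=Qhz\x01CTqM; path=/; Max-Age=900",
    b"___utmvaXIucook=DjJx01cqlU; path=/; Max-Age=900",
]


def check_and_fix(value: bytes) -> dict:
    """Run the strict check, then both repairs, and report what each yields."""
    bad = invalid_value_bytes(value)
    return {
        "valid": not bad,
        "invalid_bytes": bad,
        "header_edit": strip_utmv_soh(value),
        "generic_strip": sanitize_field_value(value),
        "valid_after_header_edit": is_valid_field_value(strip_utmv_soh(value)),
    }


if __name__ == "__main__":
    for sample in SAMPLES:
        report = check_and_fix(sample)
        print(sample)
        for key, val in report.items():
            print(f"  {key}: {val!r}")
    print("'Pragma'  ->", is_valid_field_name(b"Pragma"))
    print("'Pragma ' ->", is_valid_field_name(b"Pragma "))
```

The targeted Header edit only touches ___utmv* cookies and leaves every other header alone, so it is the narrower repair; the generic strip is closer to what Comment #6 describes as a desirable option and would also cover the other headers Comment #7 has to unset by name. Neither passes the control byte through to the client, which is the outcome the strict check exists to prevent.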