httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 49416] New: Access log bypass and missing HTTP headers
Date Wed, 09 Jun 2010 15:22:21 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=49416

           Summary: Access log bypass and missing HTTP headers
           Product: Apache httpd-2
           Version: 2.2.12
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: major
          Priority: P2
         Component: Core
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: floyd_fuh@yahoo.de


Created an attachment (id=25569)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=25569)
Example for null character in URL and missing response headers

When sending the ASCII control character null (hexadecimal 00) in a URI, Apache
does return an HTTP entity (the HTML code), but no HTTP headers. Additionally,
the URI is truncated (the null and everything after it is missing).

If you have a local Apache running, try this Python script (you need to have an
index.html or index.php in your root directory):

# Python 2 script (uses urllib2)
import urllib2
print 'Valid request:'
print urllib2.urlopen('http://localhost/?abc=123&def=456_VALID').read()
print ''
print 'Invalid request:'
# chr(0) places a raw NUL byte in the query string
print urllib2.urlopen('http://localhost/?abc=123'+chr(0)+'&def=456_INVALID').read()

The Apache access.log will look like this:

::1 - - [09/Jun/2010:16:44:41 +0200] "GET /?abc=123&def=456_VALID HTTP/1.1" 200 321 "-" "Python-urllib/2.6"
::1 - - [09/Jun/2010:16:44:41 +0200] "GET /?abc=123" 200 94 "-" "-"

As you can see in the appended Wireshark (libpcap), the headers for the second
response are missing!

It works on remote (not localhost) Apache servers as well.

cheers 
floyd
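
Added example (not part of the original report and not Apache httpd code): a Python 3 check that flags access-log entries whose request field carries no protocol version, which is the shape of the second entry quoted above. It assumes the combined log format seen in the report; the function names and finding labels are hypothetical.

```python
import re

# Combined log format as seen in the report (assumed):
# host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<bytes>\S+)'
    r'(?: "(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)")?$'
)
VERSION_RE = re.compile(r'^HTTP/\d+\.\d+$')


def check_line(line):
    """Return a list of findings for one access-log line (empty if none)."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return ["unparseable"]
    findings = []
    parts = m.group("request").split(" ")
    # A normal entry logs 'METHOD URI HTTP/x.y'. The truncated entry in the
    # report logs only 'METHOD URI', so the version token is absent.
    if len(parts) != 3 or not VERSION_RE.match(parts[2]):
        findings.append("request-line-without-version")
        # The report's truncated entry also shows "-" for the User-Agent.
        if m.group("agent") == "-":
            findings.append("no-user-agent-logged")
    return findings


def scan(lines):
    """Yield (line_number, findings) for every suspicious line."""
    for n, line in enumerate(lines, 1):
        found = check_line(line)
        if found:
            yield n, found


# The two entries quoted in the report (wrapped line rejoined).
SAMPLE = [
    '::1 - - [09/Jun/2010:16:44:41 +0200] '
    '"GET /?abc=123&def=456_VALID HTTP/1.1" 200 321 "-" "Python-urllib/2.6"',
    '::1 - - [09/Jun/2010:16:44:41 +0200] "GET /?abc=123" 200 94 "-" "-"',
]

if __name__ == "__main__":
    for n, found in scan(SAMPLE):
        print(n, ", ".join(found))
```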
