httpd-bugs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject [Bug 54367] New: Location header in response to PUT is not %-escaped
Date Wed, 02 Jan 2013 23:18:19 GMT

            Bug ID: 54367
           Summary: Location header in response to PUT is not %-escaped
           Product: Apache httpd-2
           Version: 2.4.3
          Hardware: Macintosh
            Status: NEW
          Severity: major
          Priority: P2
         Component: mod_dav
    Classification: Unclassified

The DAV PUT method returns the location of the newly created resource in the
Location: header of the response (RFC2616 14.30; RFC4918 13.1). However, Apache
does not quote the contents of the newly created path segments when
constructing the new Location: URL (RFC3986 2.4). This means that the response
can be incorrect if the underlying resource name contains octet-sequences that
are significant in URLs (such as "#" or "?") or in the HTTP protocol (such as
CRLF) or both (whitespace, etc).

Here's an example of a request and response using httpd 2.4.3 on an OS X
machine (httpd 2.2.x has the same behavior):


PUT /pdav/test%23file HTTP/1.1
Content-Length: 8
Host: localhost



HTTP/1.1 201 Created
Date: Wed, 02 Jan 2013 22:40:00 GMT
Server: Apache/2.4.3 (Unix) OpenSSL/1.0.0j
Location: http://localhost/pdav/test#file
Content-Length: 71
Content-Type: text/html; charset=ISO-8859-1

<title>Connection closed by foreign host.

The file is correctly created in the filesystem as "test#file", but the
Location: header in the response is incorrect.

PUTting to a URL such as ".../davcoll/foo%0A%0DBar:%20blahblah" may be a way to
perform a response splitting attack (a la

You are receiving this mail because:
You are the assignee for the bug.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message