httpd-bugs mailing list archives

From bugzi...@apache.org
Subject [Bug 61220] single character headers are rejected with code 400 in unsafe mode
Date Tue, 27 Jun 2017 22:13:34 GMT
https://bz.apache.org/bugzilla/show_bug.cgi?id=61220

--- Comment #7 from William A. Rowe Jr. <wrowe@apache.org> ---
(In reply to William A. Rowe Jr. from comment #6)
> > things like "   : 0" return 200
> 
> As the first line, yes, in subsequent lines it is a continuation of the
> previous header line.

Retesting, I was wrong. With a first line of " x-y: test" or simply " :", the
leading space results in a 400 response, in both strict and unsafe modes, as
expected, since the 2.2.32 / 2.4.25 releases.

What you thought in subsequent lines was a header line was not; it was a
continuation of the previous header line (they are merged; you will see that
colon appended to the header field named in the previous line).

E.g.
Host:localhost
 :test
results in a Host header value "localhost :test"

That's called an obs-fold and is permitted by design.
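
Added example, not part of the original message and not httpd's own code: a small Python header parser that reproduces the two behaviours described above (leading whitespace on the first header line gives a 400; on later lines it is an obs-fold merged into the previous field value). The names parse_headers, BadRequest and allow_obs_fold are hypothetical; the allow_obs_fold=False branch reflects the option RFC 7230 section 3.2.4 gives a server to reject folded request headers instead of unfolding them.

```python
import re

# Field names must be RFC 7230 "token" characters: no spaces, no colon.
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


class BadRequest(Exception):
    """Hypothetical exception standing in for a 400 response."""


def parse_headers(raw, allow_obs_fold=True):
    """Parse a CRLF-delimited header block into (name, value) pairs."""
    headers = []
    for line in raw.decode("latin-1").split("\r\n"):
        if line == "":
            break  # empty line ends the header block
        if line[0] in " \t":
            if not headers:
                # Nothing to continue: whitespace before the first field name.
                raise BadRequest("leading whitespace on first header line")
            if not allow_obs_fold:
                raise BadRequest("obs-fold not accepted")
            # obs-fold: the line break and leading whitespace become one
            # space, and the rest is appended to the previous field value.
            name, value = headers[-1]
            headers[-1] = (name, (value + " " + line.strip(" \t")).strip())
            continue
        name, sep, value = line.partition(":")
        if not sep or not TOKEN.match(name):
            raise BadRequest("invalid field name: %r" % name)
        headers.append((name, value.strip(" \t")))
    return headers


if __name__ == "__main__":
    # Constructed sample input matching the example in the message.
    print(parse_headers(b"Host:localhost\r\n :test\r\n\r\n"))
```

Any intermediary or log parser in front of the server needs to unfold the same way, or it will see a different Host value than the server does.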
