httpd-bugs mailing list archives

From bugzi...@apache.org
Subject [Bug 60783] HttpProtocolOptions Directive' option Unsafe does not allow legacy request formats
Date Wed, 13 Sep 2017 14:25:26 GMT
https://bz.apache.org/bugzilla/show_bug.cgi?id=60783

William A. Rowe Jr. <wrowe@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |INVALID

--- Comment #2 from William A. Rowe Jr. <wrowe@apache.org> ---
See 3.2.4 paragraph 2 of http://www.rfc-base.org/txt/rfc-7230.txt - we have no
choice but to reject whitespace in the header prior to the ':' delimiter,
irrespective of configuration.

W.R.T. tabs in the request line, I proposed such a tweak and was overruled by
the development team; the spec has always called for SP and only single SP
characters since day one of HTTP, so there's no particular reason for an HTTP
server to recognize anything else.

The reason for strictly returning 400 responses is to ensure we do not
propagate a bad request to an unsuspecting back-end origin server, or fulfill
the request of a too-trusting-but-faulty proxy client.

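The two checks described in the comment above, sketched as an added example (not httpd's code and not part of the original message): single-SP request lines and no whitespace before the header `:`, each answered with 400 rather than repaired. The function name `check_request_head` and the sample requests are constructed for illustration; the grammar follows RFC 7230 sections 3.1.1, 3.2.4 and 3.2.6.

```python
import re

# RFC 7230 section 3.2.6 token: the only characters allowed in a method or field name.
TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]"
FIELD_NAME = re.compile(TCHAR + "+")
# Section 3.1.1: method SP request-target SP HTTP-version, exactly one SP each.
REQUEST_LINE = re.compile("(" + TCHAR + r"+) ([^ \t\r\n]+) (HTTP/[0-9]\.[0-9])")


def check_request_head(head: bytes):
    """Return (status, reason); any grammar violation is a 400, never repaired."""
    lines = head.decode("latin-1").split("\r\n")
    if not REQUEST_LINE.fullmatch(lines[0]):
        return 400, "request line is not 'method SP target SP version'"
    for line in lines[1:]:
        if line == "":
            break  # blank line ends the header section
        name, colon, _value = line.partition(":")
        if not colon:
            return 400, "header line has no ':' delimiter"
        if name != name.rstrip(" \t"):
            # Section 3.2.4: reject instead of trimming, so a back end that
            # parses the line differently never sees the request.
            return 400, "whitespace between field name and ':'"
        if not FIELD_NAME.fullmatch(name):
            return 400, "field name is not a token"
    return 200, "ok"


# Constructed sample requests (not taken from the bug report).
SAMPLES = {
    "well-formed": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "space before colon": b"GET /index.html HTTP/1.1\r\nHost : example.com\r\n\r\n",
    "tab in request line": b"GET\t/index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "double space": b"GET  /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", check_request_head(raw))
```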