httpd-bugs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject [Bug 60783] HttpProtocolOptions Directive' option Unsafe does not allow legacy request formats
Date Wed, 13 Sep 2017 14:25:26 GMT

William A. Rowe Jr. <> changed:

           What    |Removed                     |Added
             Status|NEW                         |RESOLVED
         Resolution|---                         |INVALID

--- Comment #2 from William A. Rowe Jr. <> ---
See 3.2.4 paragraph 2 of - we have no
choice but to reject whitespace in the header prior to the ':' delimiter,
irrespective of configuration.

W.R.T. tabs in the request line, I proposed such a tweak and was overruled by
the development team; the spec has always called for SP and only single SP
characters since day one of HTTP, so there's no particular reason for an HTTP
server to recognize anything else.

The reason for strictly returning 400 responses, is to ensure we do not
propagate a bad request to an unsuspecting back-end origin server, or fulfill
the request of a too-trusting-but-faulty proxy client.

You are receiving this mail because:
You are the assignee for the bug.
To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message