Return-Path: X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183]) by cust-asf2.ponee.io (Postfix) with ESMTP id BDAE7200B6E for ; Sun, 21 Aug 2016 18:50:19 +0200 (CEST) Received: by cust-asf.ponee.io (Postfix) id BC23F160AAA; Sun, 21 Aug 2016 16:50:19 +0000 (UTC) Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by cust-asf.ponee.io (Postfix) with SMTP id DB4F4160A8E for ; Sun, 21 Aug 2016 18:50:18 +0200 (CEST) Received: (qmail 92651 invoked by uid 500); 21 Aug 2016 16:50:18 -0000 Mailing-List: contact cvs-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: dev@httpd.apache.org list-help: list-unsubscribe: List-Post: List-Id: Delivered-To: mailing list cvs@httpd.apache.org Received: (qmail 92642 invoked by uid 99); 21 Aug 2016 16:50:18 -0000 Received: from pnap-us-west-generic-nat.apache.org (HELO spamd1-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Sun, 21 Aug 2016 16:50:18 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd1-us-west.apache.org (ASF Mail Server at spamd1-us-west.apache.org) with ESMTP id 95A38C0A0B for ; Sun, 21 Aug 2016 16:50:17 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd1-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: 0.481 X-Spam-Level: X-Spam-Status: No, score=0.481 tagged_above=-999 required=6.31 tests=[KAM_LAZY_DOMAIN_SECURITY=1, RP_MATCHES_RCVD=-0.519] autolearn=disabled Received: from mx2-lw-eu.apache.org ([10.40.0.8]) by localhost (spamd1-us-west.apache.org [10.40.0.7]) (amavisd-new, port 10024) with ESMTP id c1hlZEe4aaXq for ; Sun, 21 Aug 2016 16:50:16 +0000 (UTC) Received: from mailrelay1-us-west.apache.org (mailrelay1-us-west.apache.org [209.188.14.139]) by mx2-lw-eu.apache.org (ASF Mail Server at mx2-lw-eu.apache.org) with ESMTP id 0679D5F479 for ; Sun, 21 Aug 2016 16:50:16 +0000 (UTC) Received: from svn01-us-west.apache.org (svn.apache.org [10.41.0.6]) by mailrelay1-us-west.apache.org (ASF Mail Server at mailrelay1-us-west.apache.org) with ESMTP id 07089E0115 for ; Sun, 21 Aug 2016 16:50:14 +0000 (UTC) Received: from svn01-us-west.apache.org (localhost [127.0.0.1]) by svn01-us-west.apache.org (ASF Mail Server at svn01-us-west.apache.org) with ESMTP id C5B6B3A0290 for ; Sun, 21 Aug 2016 16:50:14 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1757065 - /httpd/httpd/trunk/server/protocol.c Date: Sun, 21 Aug 2016 16:50:14 -0000 To: cvs@httpd.apache.org From: wrowe@apache.org X-Mailer: svnmailer-1.0.9 Message-Id: <20160821165014.C5B6B3A0290@svn01-us-west.apache.org> archived-at: Sun, 21 Aug 2016 16:50:19 -0000 Author: wrowe Date: Sun Aug 21 16:50:14 2016 New Revision: 1757065 URL: http://svn.apache.org/viewvc?rev=1757065&view=rev Log: As commented, ensure we don't flag a request as a rejected 0.9 request if we identified any other parsing errors and handle all 0.9 request errors as 400 BAD REQUEST, presuming HTTP/1.0 to deliver the error details. Do not report 0.9 issues as 505 INVALID PROTOCOL because the client apparently specified no protocol, and 505 post-dates the simple HTTP request mechanism. Modified: httpd/httpd/trunk/server/protocol.c Modified: httpd/httpd/trunk/server/protocol.c URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/server/protocol.c?rev=1757065&r1=1757064&r2=1757065&view=diff ============================================================================== --- httpd/httpd/trunk/server/protocol.c (original) +++ httpd/httpd/trunk/server/protocol.c Sun Aug 21 16:50:14 2016 @@ -573,7 +573,8 @@ static int read_request_line(request_rec { enum { rrl_none, rrl_badmethod, rrl_badwhitespace, rrl_excesswhitespace, - rrl_missinguri, rrl_baduri, rrl_badprotocol, rrl_trailingtext + rrl_missinguri, rrl_baduri, rrl_badprotocol, rrl_trailingtext, + rrl_badmethod09, rrl_reject09 } deferred_error = rrl_none; char *ll; char *uri; @@ -766,25 +767,11 @@ rrl_done: ap_parse_uri(r, uri); - if (r->proto_num == HTTP_VERSION(0, 9)) { - if (conf->http09_enable == AP_HTTP09_DISABLE - && deferred_error == rrl_none) { - /* If we deny 0.9, send error message with 1.x behavior */ - r->assbackwards = 0; - r->connection->keepalive = AP_CONN_CLOSE; - ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(02401) - "HTTP Request Line; Rejected HTTP/0.9 request"); - r->status = HTTP_VERSION_NOT_SUPPORTED; - return 0; - } - if (strict && strcmp(r->method, "GET") && deferred_error == rrl_none) { - ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(03444) - "HTTP Request Line; Invalid method token: '%.*s'" - " (only GET is allowed for HTTP/0.9 requests)", - field_name_len(r->method), r->method); - r->status = HTTP_BAD_REQUEST; - return 0; - } + if (r->proto_num == HTTP_VERSION(0, 9) && deferred_error == rrl_none) { + if (conf->http09_enable == AP_HTTP09_DISABLE) + deferred_error = rrl_reject09; + else if (strict && strcmp(r->method, "GET")) + deferred_error = rrl_badmethod09; } if (deferred_error != rrl_none) { @@ -792,6 +779,11 @@ rrl_done: ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(03445) "HTTP Request Line; Invalid method token: '%.*s'", field_name_len(r->method), r->method); + else if (deferred_error == rrl_badmethod09) + ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(03444) + "HTTP Request Line; Invalid method token: '%.*s'" + " (only GET is allowed for HTTP/0.9 requests)", + field_name_len(r->method), r->method); else if (deferred_error == rrl_missinguri) ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(03446) "HTTP Request Line; Missing URI"); @@ -811,11 +803,25 @@ rrl_done: "HTTP Request Line; Extraneous text found '%.*s' " "(perhaps whitespace was injected?)", field_name_len(ll), ll); - else if (deferred_error == rrl_badprotocol) { + else if (deferred_error == rrl_reject09) + ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(02401) + "HTTP Request Line; Rejected HTTP/0.9 request"); + else if (deferred_error == rrl_badprotocol) ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(02418) "HTTP Request Line; Unrecognized protocol '%.*s' " "(perhaps whitespace was injected?)", field_name_len(r->protocol), r->protocol); + if (r->proto_num == HTTP_VERSION(0, 9)) { + /* Send all parsing and protocol error response with 1.x behavior + * and reserve 505 errors for actual HTTP protocols presented. + * As called out in RFC7230 3.5, any errors parsing the protocol + * from the request line are nearly always misencoded HTTP/1.x + * requests. Only a valid 0.9 request with no parsing errors + * at all should be treated as a simple request, when allowed. + */ + r->assbackwards = 0; + r->connection->keepalive = AP_CONN_CLOSE; + r->proto_num = HTTP_VERSION(1, 0); r->protocol = "HTTP/1.0"; } r->status = HTTP_BAD_REQUEST;