httpd-dev mailing list archives

From Maik Mueller <>
Subject Re: Patches and Enhancements for a SSL-Proxy Based on Apache 2.0 (mod_ssl, mod_proxy, mod_headers)
Date Fri, 14 Feb 2003 10:53:20 GMT
Hello Graham,

GL> I overhauled mod_headers for Apache v2.0, so I am pretty confident it is
GL> a bug. I will look at it sometime this weekend.
I agree with you that breaking multiple lines with CRLF and adding HT to the
following line will fix the bug of potentially building illegal headers from
environment variables.
>> You have to do both in any case. The check itself causes the performance
>> penalty.

GL> Looking at RFC2616, I don't see any reference to a character set
GL> restriction in the headers (but I may have missed it). RFC2616 describes
GL> the field-content of a header as:

GL> <the OCTETs making up the field-value
GL> and consisting of either *TEXT or combinations
GL> of token, separators, and quoted-string>

GL> It goes on to say that leading and trailing whitespace is ignored, and
GL> whitespace interspersed in the header may be replaced with a single
GL> space character, but other than that there is no mention of any
GL> character set restrictions.
Putting arbitrary 8-bit characters into headers makes me feel a bit uneasy,
but I couldn't find a quote that this is forbidden.

What do you think about my proposal to add the "E" option with the described
behavior to the Header and RequestHeader directive?
Keeping in mind that HTTP 1.0 still warns:
> However, folding of header lines is not expected by some
> applications, and should not be generated by HTTP/1.0 applications.

I would be happy to see my proposal make its way into the Apache standard.

Best regards,

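The folding fix discussed in this message (replace each line break in a value with CRLF followed by HT), as an added example that is not part of the original message and not code from mod_headers. The function name `fold_header_value`, the header name `X-Example` and the sample value are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not Apache code): fold a multi-line value into a
 * single header field value. Each run of CR/LF bytes inside the value
 * becomes CRLF + HT, so the text after it is a continuation line
 * (RFC 2616 LWS) and cannot be parsed as a separate header. Line breaks
 * before the first or after the last text byte are dropped.
 * Returns the output length, or (size_t)-1 if dst is too small. */
size_t fold_header_value(const char *src, char *dst, size_t dstlen)
{
    size_t n = 0;
    int pending_break = 0;           /* break seen but not yet emitted */

    if (dstlen == 0)
        return (size_t)-1;
    for (; *src; src++) {
        if (*src == '\r' || *src == '\n') {
            pending_break = (n > 0); /* ignore breaks before any text */
            continue;
        }
        if (pending_break) {
            if (n + 3 >= dstlen)     /* keep one byte for the NUL */
                return (size_t)-1;
            memcpy(dst + n, "\r\n\t", 3);
            n += 3;
            pending_break = 0;
        }
        if (n + 1 >= dstlen)
            return (size_t)-1;
        dst[n++] = *src;
    }
    dst[n] = '\0';
    return n;
}

int main(void)
{
    /* Constructed sample: a value containing LF, CRLF and an empty line. */
    const char *value = "first line\nsecond line\r\n\r\nthird line\n";
    char out[128];

    if (fold_header_value(value, out, sizeof out) == (size_t)-1)
        return 1;
    printf("X-Example: %s\r\n", out);
    return 0;
}
```

Folding only helps when the receiving application accepts continuation lines, which is the HTTP/1.0 caveat quoted in the message; RFC 7230 later deprecated header line folding.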