httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Kris Verbeeck <>
Subject Re: [PATCH] PR 16520 -- cache MUST NOT cache responses to Authorization requests
Date Mon, 09 Jun 2003 19:00:55 GMT
André Malo wrote:
> So, there's just one token and no place for an implied LWS. [ situation
> differs from "between any two adjacent words (token or quoted-string)" ]
>>So, as PR 16520 states:
>>    Authorization  : scheme scheme param=value
>>is a valid header and should be treated as
>>    Authorization: scheme scheme param=value
> So these are not the same headers, by my reading of the RFC. In fact the
> former is a Bad Request, since a token cannot contain WS.
> nd

I wasn't 100% sure myself whether the LWS was allowed after the header 
name...  But is reporting a bad request not a bit drastic if removing 
the LWS can make it compliant?  This will make the server more lenient 
towards malformed header names.

But one of the two (stripping LWS or blocking request) should be done 
because, IMHO, this is a serious security issue.  There are back-end 
servers (in case Apache is used as a proxy) that strip white space from 
front and end of header names.  In that case Apache and the back-end 
will see different requests (e.g. the Authorization header).


View raw message