httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Roy T. Fielding" <field...@gbiv.com>
Subject Re: svn commit: r1426877 - in /httpd/httpd/trunk: CHANGES include/ap_mmn.h include/http_core.h include/httpd.h modules/http/http_filters.c server/core.c server/protocol.c server/util.c server/vhost.c
Date Sun, 30 Dec 2012 06:04:55 GMT
Hi Stefan,

Thanks for this work, but I don't consider HTTP conformance to be
an option.  These are checks we should be making while parsing
the received message, not as a separate pass, and in many cases
they are required to result in a 400, 500, or 502 response.

I am trying to get HTTPbis ready for last call this week.
After that, I will be looking into making the changes in httpd,
and I won't be using a configurable option.  I suggest we just
remove that part and iterate on these checks as we go.

The current HTTP/1.1 drafts are at

  http://svn.tools.ietf.org/svn/wg/httpbis/draft-ietf-httpbis/latest/

and the message parsing requirements are in p1-messaging.html

BTW, the protocol version is now restricted to uppercase and
one digit per major and minor, so we can simplify that check
to a very specific "HTTP/[0-9].[0-9]".

And, yes, it is possible to have a valid empty Host because
HTTP can be used with a proxy for any URI (including URNs).

....Roy

On Dec 29, 2012, at 5:23 PM, sf@apache.org wrote:

> Author: sf
> Date: Sun Dec 30 01:23:24 2012
> New Revision: 1426877
> 
> URL: http://svn.apache.org/viewvc?rev=1426877&view=rev
> Log:
> Add an option to enforce stricter HTTP conformance
> 
> This is a first stab, the checks will likely have to be revised.
> For now, we check
> 
> * if the request line contains control characters
> * if the request uri has fragment or username/password
> * that the request method is standard or registered with RegisterHttpMethod
> * that the request protocol is of the form HTTP/[1-9]+.[0-9]+,
>   or missing for 0.9
> * if there is garbage in the request line after the protocol
> * if any request header contains control characters
> * if any request header has an empty name
> * for the host name in the URL or Host header:
>   - if an IPv4 dotted decimal address: Reject octal or hex values, require
>     exactly four parts
>   - if a DNS host name: Reject non-alphanumeric characters besides '.' and
>     '-'. As a side effect, this rejects multiple Host headers.
> * if any response header contains control characters
> * if any response header has an empty name
> * that the Location response header (if present) has a valid scheme and is
>   absolute
> 
> If we have a host name both from the URL and the Host header, we replace the
> Host header with the value from the URL to enforce RFC conformance.
> 
> There is a log-only mode, but the loglevels of the logged messages need some
> thought/work. Currently, the  checks for incoming data log for 'core' and the
> checks for outgoing data log for 'http'. Maybe we need a way to configure the
> loglevels separately from the core/http loglevels.



Mime
View raw message