httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Nick Kew <n...@webthing.com>
Subject Re: Header with trailing space in field name passed to CGI script
Date Tue, 14 Apr 2015 09:21:46 GMT
On Tue, 2015-04-14 at 11:48 +0400, George Chelidze wrote:

> It looks reasonable to me as well, however there are two things:
> 
> 1. according to http://tools.ietf.org/html/rfc7230#section-3.2.4, we have:
> 
>     No whitespace is allowed between the header field-name and colon.  In
>     the past, differences in the handling of such whitespace have led to
>     security vulnerabilities in request routing and response handling.  A
>     server MUST reject any received request message that contains
>     whitespace between a header field-name and colon with a response code
>     of 400 (Bad Request).  A proxy MUST remove any such whitespace from a
>     response message before forwarding the message downstream.

Damn, I'm getting behind with my RFCs.  Yes, that seems to support
your position, though it's not entirely clear whether the server
or proxy rules should apply (the CGI script is the origin server
and never receives the whitespace, while HTTPD's role is as a proxy
between the HTTP and CGI protocols).

> 2. according to the http://httpd.apache.org/docs/2.4/env.html, the 
> header should be dropped:

No, that's talking about invalid characters within a header.
Not the same as trailing whitespace being stripped.

> I'll try to explain what seems to be an issue for me:

That seems to me pretty clearly a defect in GGSN, whose header
it is that's affected.

> X-MSISDN : 123456
> 
> GGSN will ignore this "header" as it's not a valid HTTP header

Yet it MUST return 400 (if we accept that rule applies to HTTPD
then it applies equally to $other-agent), and is creating a
defect for itself.  Whoops!

Have you test-driven any other web server or proxy software with this?

-- 
Nick Kew


Mime
View raw message