httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From William A Rowe Jr <wr...@rowe-clan.net>
Subject Re: svn commit: r1754548 - /httpd/httpd/trunk/server/protocol.c
Date Thu, 18 Aug 2016 20:45:22 GMT
On Thu, Aug 18, 2016 at 5:00 AM, William A Rowe Jr <wrowe@rowe-clan.net>
wrote:

> Just FWIW, this still is not fixed for the legacy header parser.
>
> It *is* now fixed for the HTTP Request Line parser. Relaxing the
> whitespace rule (as we still do by default) only lets 1+ SP/HTAB
> slip through, and then recomposes with single SP delimiters.
>
> Of the subset \f \r \v \n I can't think of any possible application.
> Whitespace of ' ' and \t makes (some) sense in the real world.
> If anyone has a real-world example of a user-agent which used
> these legitimately, I'd love a pointer.
>

Committed in 1756847, either Strict or StrictWhitespace will reject
these quirks, Unsafe and LenientWhitespace together are required
to continue to handle such headers, and never permitted for the
request line itself.

Mime
View raw message