httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From William A Rowe Jr <wr...@rowe-clan.net>
Subject Re: svn commit: r1754548 - /httpd/httpd/trunk/server/protocol.c
Date Thu, 18 Aug 2016 10:00:54 GMT
Just FWIW, this still is not fixed for the legacy header parser.

It *is* now fixed for the HTTP Request Line parser. Relaxing the
whitespace rule (as we still do by default) only lets 1+ SP/HTAB
slip through, and then recomposes with single SP delimiters.

Of the subset \f \r \v \n I can't think of any possible application.
Whitespace of ' ' and \t makes (some) sense in the real world.
If anyone has a real-world example of a user-agent which used
these legitimately, I'd love a pointer.


On Thu, Aug 18, 2016 at 4:34 AM, Plüm, Rüdiger, Vodafone Group <
ruediger.pluem@vodafone.com> wrote:

> +1
>
> Regards
>
> Rüdiger
>
> > -----Original Message-----
> > From: Jacob Champion [mailto:champion.p@gmail.com]
> > Sent: Donnerstag, 4. August 2016 22:35
> > To: dev@httpd.apache.org
> > Subject: Re: svn commit: r1754548 - /httpd/httpd/trunk/server/protocol.c
> >
> > On 08/04/2016 01:11 PM, William A Rowe Jr wrote:
> > > At our kindest, we would like to let people keep upgrading on the 2.2
> > > or 2.4 branches of httpd for other fixes, without breaking their
> > > deployments.
> > >
> > > I'm 100% in favor of recognizing-and-rejecting (and terminating the
> > > connection) for any obs-fold occurrences on 2.6 / 3.0, if that's the
> > > group consensus.
> >
> > +1 to both.
> >
> > --Jacob
>
>

Mime
View raw message