httpd-dev mailing list archives

From William A Rowe Jr <wr...@rowe-clan.net>
Subject Re: Could/Shouldn't check_header() allow folding?
Date Wed, 04 Jan 2017 13:21:43 GMT
On Wed, Jan 4, 2017 at 6:57 AM, Yann Ylavic <ylavic.dev@gmail.com> wrote:
> I'm using a (third-party/closed) module which replaces newlines in
> header values (like base64 encoded PEMs) with obs-fold.
> That's probably obsolete, but not forbidden per se...

Actually, it is, cf. 3.2.4 of RFC 7230

   [...] This specification deprecates such
   line folding except within the message/http media type
   (Section 8.3.1).  A sender MUST NOT generate a message that includes
   line folding (i.e., that has any field-value that contains a match to
   the obs-fold rule) unless the message is intended for packaging
   within the message/http media type.

> How about something like:
>
> Index: modules/http/http_filters.c
> ===================================================================
> --- modules/http/http_filters.c    (revision 1776920)
> +++ modules/http/http_filters.c    (working copy)
> @@ -701,19 +701,26 @@ static int check_header(void *arg, const char *nam
>          return 0;
>      }
>
> -    if (ctx->strict) {
> -        test = ap_scan_http_token(name);
> -    }
> -    else {
> -        test = ap_scan_vchar_obstext(name);
> -    }
> -    if (*test) {
> -        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, ctx->r, APLOGNO(02429)
> -                      "Response header name '%s' contains invalid "
> -                      "characters, aborting request",
> -                      name);
> -        return 0;
> -    }
> +    test = name;
> +    do {
> +        if (ctx->strict) {
> +            test = ap_scan_http_token(test);
> +        }
> +        else {
> +            test = ap_scan_vchar_obstext(test);
> +        }
> +        if (*test) {
> +            if (test[0] != CR || test[1] != LF || (test[2] != ' ' &&
> +                                                   test[2] != '\t')) {
> +                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, ctx->r, APLOGNO(02429)
> +                              "Response header name '%s' contains invalid "
> +                              "characters, aborting request",
> +                              name);
> +                return 0;
> +            }
> +            test += 3;
> +        }
> +    } while (*test);
>
>      test = ap_scan_http_field_content(val);
>      if (*test) {
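Review bot: the obs-fold tolerance is placed in the loop that scans the header name (`test = name;` followed by `ap_scan_http_token(test)` / `ap_scan_vchar_obstext(test)`), while the motivating case is folded field values; the value scan `test = ap_scan_http_field_content(val);` in the trailing context is untouched, so the hunk as written does not accept a folded value, and a name should never contain CR LF SP/HT since RFC 7230 defines it as a token. Separately, when a fold is found the loop only steps over the three bytes (`test += 3;`) and never rewrites them, so a folded field would reach the wire carrying raw CR LF, exactly the sequence the original check rejected; the change should unfold (replace CR LF plus WSP with a single SP) in the value path rather than whitelist the bytes.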
> ?

-1. If we accept obs-fold from CGI, or internally within the headers_out,
we must replace them with a single SP and conform to the spec on the wire.
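Unfolding as described above (each obs-fold replaced by a single SP before the header is emitted, and a bare CR or LF rejected), as an added example that is not part of this thread or of httpd's own code; `unfold_obs_fold` is a hypothetical helper, and the `CR`/`LF` macros only mirror the names used in the patch:

```c
#include <stdio.h>
#include <string.h>

#define CR '\r'
#define LF '\n'

/* Unfold a header field value in place, as RFC 7230 3.2.4 requires
 * before the value goes on the wire: each obs-fold (CRLF followed by
 * one or more SP/HTAB) becomes a single SP.  Returns 0 on success and
 * -1 when a bare CR or LF is found that is not part of an obs-fold, in
 * which case the caller should drop the header instead of emitting it.
 * Hypothetical helper written for this example, not httpd code. */
int unfold_obs_fold(char *val)
{
    char *src = val, *dst = val;
    while (*src) {
        if (*src == CR || *src == LF) {
            /* Only CR LF followed by SP or HTAB is a fold; anything
             * else is a line terminator that must not pass through. */
            if (src[0] != CR || src[1] != LF
                || (src[2] != ' ' && src[2] != '\t')) {
                return -1;
            }
            src += 2;                       /* past CR LF */
            while (*src == ' ' || *src == '\t') {
                src++;                      /* collapse the leading WSP */
            }
            *dst++ = ' ';                   /* emit the single SP */
        }
        else {
            *dst++ = *src++;
        }
    }
    *dst = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample: a PEM-like value folded onto three lines. */
    char folded[] = "MIIBCgKCAQEA\r\n AQAB\r\n\tIDAQAB";
    if (unfold_obs_fold(folded) == 0) {
        printf("unfolded: '%s'\n", folded);
    }
    char bare[] = "value\r\nnot-a-fold";
    printf("bare CRLF rejected: %d\n", unfold_obs_fold(bare) == -1);
    return 0;
}
```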
