httpd-dev mailing list archives

From Mark Blackman <>
Subject Re: [Discuss] Rolling a 'final' 2.2.33 release
Date Sun, 25 Jun 2017 21:56:03 GMT

> On 14 Jun 2017, at 22:12, William A Rowe Jr <> wrote:
> Thoughts/comments? Patches to hold for before we roll? If I don't hear
> otherwise, and we stick to the simpler alternative, then I'd plan to roll
> these candidates Thursday.

Would it be an option to get a fix in for the single-character header bug? (
<> ) 

If you add

HttpProtocolOptions Unsafe LenientMethods Allow0.9

to a default httpd.conf

single character header lines are rejected with a 400 code.

macmini:httpd-2.2.33 mark$ telnet localhost 8033
Trying ::1...
Connected to localhost.
Escape character is '^]'.
GET / HTTP/1.1
Host: foobar
x: 0

HTTP/1.1 400 Bad Request
Date: Sun, 25 Jun 2017 21:43:53 GMT
Server: Apache/2.2.33 (Unix)
Content-Length: 226
Connection: close
Content-Type: text/html; charset=iso-8859-1

<title>400 Bad Request</title>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Connection closed by foreign host.
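
The telnet check above as a repeatable regression probe, added here as an example; it is not part of the original message or of httpd. The function names, the extra header names and the added `Connection: close` header are assumptions of this example.

```python
import socket

def build_request(header_name, host="foobar"):
    """Request from the telnet session, with the extra header name variable."""
    # Connection: close is added so a 200 reply also ends the read loop.
    return (f"GET / HTTP/1.1\r\nHost: {host}\r\n{header_name}: 0\r\n"
            "Connection: close\r\n\r\n").encode("ascii")

def parse_status(raw):
    """Return the status code of a raw HTTP response, or None if absent."""
    parts = raw.split(b"\r\n", 1)[0].split()
    if len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1].isdigit():
        return int(parts[1])
    return None  # no status line, e.g. an HTTP/0.9 style reply

def probe(addr, header_name, timeout=5.0):
    """Send one request to addr=(host, port); return the status code."""
    with socket.create_connection(addr, timeout=timeout) as sock:
        sock.sendall(build_request(header_name))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return parse_status(b"".join(chunks))

def check_header_lengths(addr, names=("x", "xy", "x-test"), probe_fn=probe):
    """Probe each header name; list one-character names that alone get 400."""
    results = {name: probe_fn(addr, name) for name in names}
    longer_ok = any(st != 400 for n, st in results.items() if len(n) > 1)
    regressed = [n for n, st in results.items()
                 if len(n) == 1 and st == 400 and longer_ok]
    return results, regressed

if __name__ == "__main__":
    # localhost:8033 is the test instance from the telnet session.
    results, regressed = check_header_lengths(("localhost", 8033))
    for name, status in results.items():
        print(f"{name!r}: {status}")
    print("single-character header rejected:", regressed or "no")
```

A one-character name is reported only when longer names are accepted, so a server that answers 400 to every request is not mistaken for this bug.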
