httpd-modules-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Nick Kew <...@apache.org>
Subject Re: Apache httpd sends "400 Bad Request" to client due to IPvFuture (RFC 3986) format IP address Hostname Host Header
Date Fri, 02 Aug 2013 20:16:09 GMT

On 2 Aug 2013, at 20:02, Rizzo, Christopher wrote:

> The Apache HTTP server is rejecting the request (with "400 Bad Request") due to this
Hostname value in the header before a registered IPP Apache module even sees it.

A quick check confirms what you say.

> Is it possible to write a hook or filter that would prevent Apache from rejecting this
request and allowing this Hostname Host Header value to pass thru, or does the Apache base
source code need to change for this?

This fairly clearly wants a patch to the core code.  Its comment suggest it's
not trying to be strict, but just to filter out characters that couldn't feature in
a Host: header (at the time the code was written) and save having to think
about security of filesystem-sensitive characters.

> and the Apache code that is logging this error appears to be fix_hostname() in ./server/vhost.c

Yep, that's the one.  Looks like the protocol you're using is NOTIMPL.

I'd suggest filing a new bug in bugzilla, referencing the protocol you
want to support and what characters/patterns should be allowed but
are currently blocked.  Best chance of getting it dealt with quickly may
be if you also supply a patch, but make sure to address the security
concerns hinted at in the comments if you do that.

You'd also want to move any further discussion to the dev list.

-- 
Nick Kew
Mime
View raw message