You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Brown Chris-CCB034 <Ch...@motorola.com> on 2007/12/21 17:18:44 UTC
[users@httpd] Apache failing on invalid header. Is there a way to allow apache to proceed?
I'm seeing a request come in with a bad http header. This is the tail
end of the message:
00c0 74 2f 76 33 2f 76 33 76 31 2e 78 6d 6c 0d 0a 78 t/v3/v3v
1.xml..x
00d0 2d 75 70 2d 63 61 6c 6c 69 6e 67 2d 6c 69 6e 65 -up-call
ing-line
00e0 2d 69 64 3a 20 31 36 33 30 39 38 31 37 32 33 39 -id: 163
09817239
00f0 0d 0a 50 0e 92 0d 0a 43 6f 6e 74 65 6e 74 2d 54 ..P....C
ontent-T
0100 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e ype: app
lication
This is a portion of the Apache response:
0x0140: 3e3c 626f 6479 3e0a 3c68 313e 4261 6420 ><body>.<h1>Bad.
0x0150: 5265 7175 6573 743c 2f68 313e 0a3c 703e Request</h1>.<p>
0x0160: 596f 7572 2062 726f 7773 6572 2073 656e Your.browser.sen
0x0170: 7420 6120 7265 7175 6573 7420 7468 6174 t.a.request.that
0x0180: 2074 6869 7320 7365 7276 6572 2063 6f75 .this.server.cou
0x0190: 6c64 206e 6f74 2075 6e64 6572 7374 616e ld.not.understan
0x01a0: 642e 3c62 7220 2f3e 0a52 6571 7565 7374 d.<br./>.Request
0x01b0: 2068 6561 6465 7220 6669 656c 6420 6973 .header.field.is
0x01c0: 206d 6973 7369 6e67 2027 3a27 2073 6570 .missing.':'.sep
0x01d0: 6172 6174 6f72 2e3c 6272 202f 3e0a 3c70 arator.<br./>.<p
0x01e0: 7265 3e0a 500e 923c 2f70 7265 3e0a 3c2f re>.P..</pre>.</
0x01f0: 703e 0a3c 2f62 6f64 793e 3c2f 6874 6d6c p>.</body></html
Apache is failing on the P.. header because it doesn't contain the
required ":" format. As must as we would like to, suffice to say we
cannot change the behavior of the submitted request. What options do I
have within Apache to allow this bad request to proceed? Is there a way
to turn off Apache's strict header checking? Or am I looking at making
a custom modification to the Apache source code for this specific case?
Help is greatly appreciated.
Thanks,
Chris
RE: [users@httpd] Apache failing on invalid header. Is there a way to allow apache to proceed?
Posted by Brown Chris-CCB034 <Ch...@motorola.com>.
Also, we're seeing Apache allow the GET request to proceed, but the
failed response below is returned on the POST request. Why is it not
failing on the GET request, even though the same bad header format is
present?
Thanks,
Chris
________________________________
From: Brown Chris-CCB034
Sent: Friday, December 21, 2007 10:19 AM
To: users@httpd.apache.org
Subject: [users@httpd] Apache failing on invalid header. Is there a way
to allow apache to proceed?
I'm seeing a request come in with a bad http header. This is the tail
end of the message:
00c0 74 2f 76 33 2f 76 33 76 31 2e 78 6d 6c 0d 0a 78 t/v3/v3v
1.xml..x
00d0 2d 75 70 2d 63 61 6c 6c 69 6e 67 2d 6c 69 6e 65 -up-call
ing-line
00e0 2d 69 64 3a 20 31 36 33 30 39 38 31 37 32 33 39 -id: 163
09817239
00f0 0d 0a 50 0e 92 0d 0a 43 6f 6e 74 65 6e 74 2d 54 ..P....C
ontent-T
0100 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e ype: app
lication
This is a portion of the Apache response:
0x0140: 3e3c 626f 6479 3e0a 3c68 313e 4261 6420 ><body>.<h1>Bad.
0x0150: 5265 7175 6573 743c 2f68 313e 0a3c 703e Request</h1>.<p>
0x0160: 596f 7572 2062 726f 7773 6572 2073 656e Your.browser.sen
0x0170: 7420 6120 7265 7175 6573 7420 7468 6174 t.a.request.that
0x0180: 2074 6869 7320 7365 7276 6572 2063 6f75 .this.server.cou
0x0190: 6c64 206e 6f74 2075 6e64 6572 7374 616e ld.not.understan
0x01a0: 642e 3c62 7220 2f3e 0a52 6571 7565 7374 d.<br./>.Request
0x01b0: 2068 6561 6465 7220 6669 656c 6420 6973 .header.field.is
0x01c0: 206d 6973 7369 6e67 2027 3a27 2073 6570 .missing.':'.sep
0x01d0: 6172 6174 6f72 2e3c 6272 202f 3e0a 3c70 arator.<br./>.<p
0x01e0: 7265 3e0a 500e 923c 2f70 7265 3e0a 3c2f re>.P..</pre>.</
0x01f0: 703e 0a3c 2f62 6f64 793e 3c2f 6874 6d6c p>.</body></html
Apache is failing on the P.. header because it doesn't contain the
required ":" format. As must as we would like to, suffice to say we
cannot change the behavior of the submitted request. What options do I
have within Apache to allow this bad request to proceed? Is there a way
to turn off Apache's strict header checking? Or am I looking at making
a custom modification to the Apache source code for this specific case?
Help is greatly appreciated.
Thanks,
Chris
RE: [users@httpd] Apache failing on invalid header. Is there a way to allow apache to proceed?
Posted by Brown Chris-CCB034 <Ch...@motorola.com>.
Nick,
Thanks for the quick response. That's what I was afraid of. This is a
mobile phone submitting the request. It's definitely supposed to be an
HTTP request, it's just this particular phone has a bug.
What about why Apache is only failing on the POST request? Is there a
difference in the way Apache processes GET and POST requests?
I'm using Apache v2.2.4. I've found the location in server/protocol.c
where it's returning a bad request with the error message (line 766).
Is this code hit on the GET request too? If so shouldn't I see this
badly formed header fail?
So I'm stuck making a custom modification here to allow this badly
formed request to proceed?
Thanks,
Chris
-----Original Message-----
From: Nick Kew [mailto:nick@webthing.com]
Sent: Friday, December 21, 2007 10:25 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Apache failing on invalid header. Is there a
way to allow apache to proceed?
On Fri, 21 Dec 2007 11:18:44 -0500
"Brown Chris-CCB034" <Ch...@motorola.com> wrote:
> I'm seeing a request come in with a bad http header.
Are you sure it's supposed to be HTTP?
As opposed to, for example, HTTP encapsulated in something?
> Apache is failing on the P.. header because it doesn't contain the
> required ":" format.
That's clearly not HTTP.
> What options do
> I have within Apache to allow this bad request to proceed? Is there
>a way to turn off Apache's strict header checking? Or am I looking at
>making a custom modification to the Apache source code for this
>specific case?
That'll need source hacking. If we allow malformed requests like that,
we open up a whole new playground to the script kiddies.
--
Nick Kew
Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server
Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Apache failing on invalid header. Is there a way
to allow apache to proceed?
Posted by Nick Kew <ni...@webthing.com>.
On Fri, 21 Dec 2007 11:18:44 -0500
"Brown Chris-CCB034" <Ch...@motorola.com> wrote:
> I'm seeing a request come in with a bad http header.
Are you sure it's supposed to be HTTP?
As opposed to, for example, HTTP encapsulated in something?
> Apache is failing on the P.. header because it doesn't contain the
> required ":" format.
That's clearly not HTTP.
> What options do
> I have within Apache to allow this bad request to proceed? Is there
> a way to turn off Apache's strict header checking? Or am I looking
> at making a custom modification to the Apache source code for this
> specific case?
That'll need source hacking. If we allow malformed requests like that,
we open up a whole new playground to the script kiddies.
--
Nick Kew
Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org