Posted to dev@httpd.apache.org by Gregg Smith <gl...@gknw.net> on 2019/02/18 22:55:36 UTC

Regression?

When setting a header it used to set the header case-sensitive as 
configured. Now with 2.4.38 it sets in all lower case. Regression?

Header always set X-Xss-Protection "1; mode=block"
Result;
2.4.37: X-Xss-Protection: 1; mode=block
2.4.38: x-xss-protection: 1; mode=block

If I'm reading the RFC correctly, sensitivity doesn't matter when 
parsing the header but the 2.4 docs show it outputting as configured as 
2.4 has been prior to .38.

Cheers

G

Re: Regression?

Posted by Stefan Eissing <st...@greenbytes.de>.

> On 18.02.2019 at 23:55, Gregg Smith <gl...@gknw.net> wrote:
> 
> When setting a header it used to set the header case-sensitive as configured. Now with 2.4.38 it sets in all lower case. Regression?
> 
> Header always set X-Xss-Protection "1; mode=block"
> Result;
> 2.4.37: X-Xss-Protection: 1; mode=block
> 2.4.38: x-xss-protection: 1; mode=block

You are not using a HTTP/2 client by any chance?

> If I'm reading the RFC correctly, sensitivity doesn't matter when parsing the header but the 2.4 docs show it outputting as configured as 2.4 has been prior to .38.
> 
> Cheers
> 
> G


Re: Regression?

Posted by Marion & Christophe JAILLET <ch...@wanadoo.fr>.
On 18/02/2019 at 23:55, Gregg Smith wrote:
> When setting a header it used to set the header case-sensitive as 
> configured. Now with 2.4.38 it sets in all lower case. Regression?
>
> Header always set X-Xss-Protection "1; mode=block"
> Result;
> 2.4.37: X-Xss-Protection: 1; mode=block
> 2.4.38: x-xss-protection: 1; mode=block
>
> If I'm reading the RFC correctly, sensitivity doesn't matter when 
> parsing the header but the 2.4 docs show it outputting as configured 
> as 2.4 has been prior to .38.
>
> Cheers
>
> G
>
Hi,

Everything looks fine to me.
I'm currently working on extending headers.t in order to test things 
other than ('set', 'append', 'add', 'unset');

If I add a specific test for 'set', with 2.4.39(dev), I get the 
following log:

Header received n°0:
   header:   X-Xss-Protection
   expected: 1; mode=block
   received: 1; mode=block

Response received is:
HTTP/1.1 200 OK
Connection: close
Date: Tue, 19 Feb 2019 05:28:56 GMT
Accept-Ranges: bytes
ETag: "0-52169385a8a8a"
Server: Apache/2.4.39-dev (Unix) OpenSSL/1.1.1
Vary: In-If1
Content-Length: 0
Content-Type: text/html
Last-Modified: Tue, 06 Oct 2015 05:51:24 GMT
Client-Date: Tue, 19 Feb 2019 05:28:56 GMT
Client-Peer: 127.0.0.1:8529
Client-Response-Num: 1
DMMATCH1: 1
X-Xss-Protection: 1; mode=block

ok 372

So, the case looks good to me.


If it helps, I can provide the updated headers.t as-is.
It still needs more cases (and probably some Perl syntax clean-up).

I also plan to update the doc, at least about the 'echo' command.
Doc states that in 'echo' command, 'header' MAY be a regular 
expression. In fact it IS ALWAYS considered as a regex and "header echo 
x" echoes everything that has a 'x'. Should you want only 'x', 
apparently you need something like "header echo ^x$".


What do you mean by "the 2.4 docs show it outputting as configured as 
2.4 has been prior to .38"?

CJ
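
The `Header echo` matching described in the message above, modelled as an added example (not code from the thread or from httpd): it lists which request header names an unanchored pattern would select compared with the anchored `^x$` form. The header names are constructed samples, `echoed_headers` and `audit_echo` are hypothetical helper names, and the `ignore_case` switch is an assumption, since the thread does not say whether matching folds case.

```python
import re

# Constructed sample request header names (not taken from the thread).
SAMPLE_REQUEST_HEADERS = [
    "x",
    "X-Request-Id",
    "Proxy-Authorization",
    "Cookie",
    "Accept-Language",
    "X-Forwarded-For",
]

# Request headers whose values should not be reflected in a response.
SENSITIVE = {"authorization", "proxy-authorization", "cookie"}


def echoed_headers(pattern, header_names, ignore_case=False):
    """Return the names an unanchored regex search would select.

    Models the behaviour described in the thread: the 'header' argument
    of 'Header echo' is always treated as a regex, so it can match
    anywhere inside a name. ignore_case is an assumption knob.
    """
    flags = re.IGNORECASE if ignore_case else 0
    rx = re.compile(pattern, flags)
    return [name for name in header_names if rx.search(name)]


def audit_echo(pattern, header_names, ignore_case=False):
    """Summarise what a pattern would echo and whether it is anchored."""
    hits = echoed_headers(pattern, header_names, ignore_case)
    return {
        "pattern": pattern,
        # Simple heuristic: both anchors present at the ends of the pattern.
        "anchored": pattern.startswith("^") and pattern.endswith("$"),
        "echoed": hits,
        "sensitive": [h for h in hits if h.lower() in SENSITIVE],
    }


if __name__ == "__main__":
    for pat in ("x", "^x$"):
        for fold in (False, True):
            print(fold, audit_echo(pat, SAMPLE_REQUEST_HEADERS, fold))
```
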