Posted to bugs@httpd.apache.org by bu...@apache.org on 2017/03/14 10:36:59 UTC

[Bug 60863] New: Apache proxy 2.4.25 can disable header check (Set-Cookie)

https://bz.apache.org/bugzilla/show_bug.cgi?id=60863

            Bug ID: 60863
           Summary: Apache proxy 2.4.25 can disable header check
                    (Set-Cookie)
           Product: Apache httpd-2
           Version: 2.4.25
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_proxy
          Assignee: bugs@httpd.apache.org
          Reporter: peli@onera.fr
  Target Milestone: ---

Using Apache proxy.

Since Apache Proxy 2.4.25 started checking headers, some sites have become unreachable due to
incorrect Cookie syntax.

I have to go back to the previous version, 2.4.20.

The error is related to the invalid character \x01:

AH02430: Response header 'Set-Cookie' value of '___utmvaXEuDsBI=UxE\x01hXDj;
path=/; Max-Age=900' contains invalid characters, aborting request

The following URLs (most of them operated by incapdns.net) return this error:

http://www.cision.com
23gwg.x.incapdns.net.
107.154.115.114

http://academie-air-espace.com
185.11.125.199
149.126.77.65

http://www.defense.gouv.fr
yookd.x.incapdns.net.
107.154.115.47

http://www.bizjournals.com
ddc7y.x.incapdns.net.
107.154.115.27

http://correlatedsolutions.com
107.154.105.8
107.154.106.8

The directive
ProxyBadHeader          Ignore

does not solve these issues.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


[Bug 60863] Apache proxy 2.4.25 can disable header check (Set-Cookie)

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=60863

Thomas Jarosch <th...@intra2net.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |thomas.jarosch@intra2net.co
                   |                            |m

--- Comment #4 from Thomas Jarosch <th...@intra2net.com> ---
After upgrading to httpd 2.4.25, I get the same "500 Internal server error".

The website pollin.de produces this error log:

Response header 'Set-Cookie' value of '___utmvaXIucook=DjJx01cqlU; path=/;
Max-Age=900' contains invalid characters


-> I'll try the suggested "HttpProtocolOptions unsafe" workaround at the
beginning of next week.



[Bug 60863] Apache proxy cannot ignore response header validation

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=60863

--- Comment #7 from Christian Pélissier <pe...@onera.fr> ---
Here is the solution for 2.4.25 and later:

# Sites with SOH inside the cookie (incapsula.com)
# www.cision.com, www.bizjournals.com, correlatedsolutions.com
# academie-air-espace.com, www.defense.gouv.fr
# Removal of the invalid SOH character \001 or \x01 from a cookie
Header edit Set-Cookie ___utmv(.*)=(.*)\001([^;]*;)(.*) ___utmv$1=$2$3;$4

# Sites with syntactically incorrect headers such as:
# http://technopress.kaist.ac.kr/
Header unset 'Pragma :'
Header unset 'P3P :'
# http://www.anrt.asso.fr/
Header unset 'Expires :'

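As an added illustration (this is not code from the bug thread, from Christian, or from httpd itself), the following Python shows both sides of the discussion in one place: a check that approximates the strict RFC 7230 field-value validation behind AH02430 (VCHAR, obs-text, SP and HTAB allowed; anything else rejected), a port of the `Header edit` regex from Comment #7, and the plain strip-the-byte alternative Eric alludes to in Comment #6. It runs against the Set-Cookie values quoted in the thread, re-typed here with the SOH byte as \x01. The function names, the sample list and the exact character set httpd enforces are assumptions of this example; note that Apache's replacement syntax uses $1 where Python's re uses \1.

```python
import re

# Constructed sample values, re-typed from the AH02430 log lines in this thread.
# \x01 is the SOH control byte that httpd 2.4.25+ rejects in a response header.
SAMPLE_SET_COOKIE = [
    "___utmvaXEuDsBI=UxE\x01hXDj; path=/; Max-Age=900",   # Comment #0 (cision.com)
    "___utmvazVukktoB=Qhz\x01CTqM; path=/; Max-Age=900",  # Comment #5 (egyptindependent.com)
    "sessionid=abc123; Path=/; HttpOnly",                 # clean value for comparison
]


def invalid_header_chars(value: str) -> list:
    """Return (offset, codepoint) pairs a strict RFC 7230 field-content check rejects.

    Assumption: httpd's strict mode accepts VCHAR (0x21-0x7E), obs-text (0x80-0xFF),
    SP and HTAB, and reports anything else as AH02430 'contains invalid characters'.
    """
    bad = []
    for i, ch in enumerate(value):
        cp = ord(ch)
        if ch in " \t" or 0x21 <= cp <= 0x7E or 0x80 <= cp <= 0xFF:
            continue
        bad.append((i, cp))
    return bad


# Port of the thread's directive:
#   Header edit Set-Cookie ___utmv(.*)=(.*)\001([^;]*;)(.*) ___utmv$1=$2$3;$4
# \001 is an octal escape for SOH in both PCRE and Python's re.
UTMV_SOH = re.compile(r"___utmv(.*)=(.*)\001([^;]*;)(.*)")


def apply_header_edit(value: str) -> str:
    """Apply the Comment #7 substitution once, as 'Header edit' (not 'edit*') would."""
    return UTMV_SOH.sub(r"___utmv\1=\2\3;\4", value, count=1)


def strip_invalid(value: str) -> str:
    """Drop every byte the strict check would reject (the 'strip' option from Comment #6)."""
    bad_offsets = {i for i, _ in invalid_header_chars(value)}
    return "".join(ch for i, ch in enumerate(value) if i not in bad_offsets)


def classify(value: str) -> str:
    """'ok' if the header would pass the strict check, else 'reject' (what AH02430 does)."""
    return "ok" if not invalid_header_chars(value) else "reject"


if __name__ == "__main__":
    for v in SAMPLE_SET_COOKIE:
        print(repr(v))
        print("  strict check :", classify(v), invalid_header_chars(v))
        print("  Header edit  :", repr(apply_header_edit(v)), classify(apply_header_edit(v)))
        print("  strip bytes  :", repr(strip_invalid(v)), classify(strip_invalid(v)))
```

One detail worth seeing in the output: the regex keeps the `;` captured in `$3` and the replacement appends another, so the edited cookie carries `;;` before `path=/`. RFC 6265 parsers skip the resulting empty attribute, which is why the workaround still functions, but stripping the control byte directly yields the cleaner value.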


[Bug 60863] Apache proxy 2.4.25 can disable header check (Set-Cookie)

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=60863

--- Comment #2 from Luca Toscano <to...@gmail.com> ---
The documentation talks about "Request", but I quickly checked the code (not an
authoritative answer, so don't quote me on this) and the new checks seem to be
enforced for the response too.

Where does the header come from (curiosity)?



[Bug 60863] Apache proxy cannot ignore response header validation

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=60863

Eric Covener <co...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|Apache proxy 2.4.25 can     |Apache proxy cannot ignore
                   |disable header check        |response header validation
                   |(Set-Cookie)                |
           Severity|normal                      |enhancement



[Bug 60863] Apache proxy 2.4.25 can disable header check (Set-Cookie)

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=60863

--- Comment #3 from Luca Toscano <to...@gmail.com> ---
Hi Christian, any update?



[Bug 60863] Apache proxy cannot ignore response header validation

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=60863

--- Comment #6 from Eric Covener <co...@gmail.com> ---
I renamed and reclassified. Some way to strip/replace would be nice; I am
unsure if we want to provide an option to pass them through. Invalid is
invalid.



[Bug 60863] Apache proxy 2.4.25 can disable header check (Set-Cookie)

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=60863

--- Comment #1 from Luca Toscano <to...@gmail.com> ---
Hi Christian,

this is probably due to
https://httpd.apache.org/docs/current/mod/core.html#httpprotocoloptions. Can
you try to set "HttpProtocolOptions Unsafe"?



[Bug 60863] Apache proxy 2.4.25 can disable header check (Set-Cookie)

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=60863

--- Comment #5 from Bjoern Voigt <bj...@arcor.de> ---
"HttpProtocolOptions unsafe" did not help in my case.

Tested site: http://www.egyptindependent.com/
Apache version: 2.4.49
Environment: openSUSE Tumbleweed 20180318 x86_64

The error message is

[Wed Mar 21 12:56:12.843109 2018] [http:error] [pid 16291] [client
127.0.0.1:54552] AH02430: Response header 'Set-Cookie' value of
'___utmvazVukktoB=Qhz\x01CTqM; path=/; Max-Age=900' contains invalid
characters, aborting request



[Bug 60863] Apache proxy 2.4.25 can disable header check (Set-Cookie)

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=60863

Bjoern Voigt <bj...@arcor.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bjoernv@arcor.de
