Posted to bugs@httpd.apache.org by bu...@apache.org on 2017/03/09 10:47:39 UTC

[Bug 60704] Setting "HttpProtocolOptions Unsafe ..." does not allow Host Header containing "_"

https://bz.apache.org/bugzilla/show_bug.cgi?id=60704

--- Comment #6 from paolo@adnovum.ch <pa...@adnovum.ch> ---
I have the same behaviour. Even with 
HttpProtocolOptions  Unsafe LenientMethods Allow0.9

requests may still be blocked, and I have the following log entry:

[Thu Mar 09 11:02:51 2017] [debug] protocol.c(828): [client 10.0.209.5] HTTP Request Line; Excess whitespace (disallowed by HttpProtocolOptions Strict


I compared the code with httpd/2.4.25 (where the request is not blocked), and
the merge_core_server_configs functions (core.c) differ slightly:

in 2.2.32:
static void *merge_core_server_configs(apr_pool_t *p, void *basev, void *virtv)
{
    core_server_config *base = (core_server_config *)basev;
    core_server_config *virt = (core_server_config *)virtv;
    core_server_config *conf;

    conf = (core_server_config *)apr_pmemdup(p, base, sizeof(core_server_config));

in 2.4.25:
static void *merge_core_server_configs(apr_pool_t *p, void *basev, void *virtv)
{
    core_server_config *base = (core_server_config *)basev;
    core_server_config *virt = (core_server_config *)virtv;
    core_server_config *conf = (core_server_config *)
                               apr_pmemdup(p, base, sizeof(core_server_config));

As you can see, in 2.4.25 the 'conf' is taken from 'base' and not from 'virtv'
like in 2.2.32.
I changed the code in 2.2.32, and then the request is not blocked any more.
I have no idea if this is the right solution, because of the other parameters
that are used.
