You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@httpd.apache.org by Nick Kew <ni...@webthing.com> on 2007/10/01 03:01:24 UTC
Backslashes in HTTP Headers
Coadvisor has several testcases involving a Content-Type line with
a lot of qualifier tokens. These tokens are quoted strings and
include backslashes. This is going to wrap when I cut&paste:
Content-Type: text/other; charset=ISO-8859-4; attribute=value; q=0.9;
q=9.0000 ; a="quoted text/html"; a="quoted, list=b"; a="quoted \r\n
new line"; a="quoted \r\n\t\r\n new lines"; a="slashed \alpha";
a="slashed \\nnew line"; a="slashed \\r\\ncrlf"; a="slashed \\n\\nnew
lines"; a="slashed \"string"; a-rvlmxgisq=v-r808478;
a-rtbtrjxmwqirv=v-r797440; a-rwsqj=v-r9946045539;
a-rkdrdmk=v-r93968576355\r\n
Our ap_rgetline_core is seeing those quoted \-r-\-n sequences as
newlines and getting hopelessly confused (the outcome is 400
in the case of a request header, 502 from a response).
A simple search of RFC2616 gives:
message-header = field-name ":" [ field-value ]
field-name = token
field-value = *( field-content | LWS )
field-content = <the OCTETs making up the field-value
and consisting of either *TEXT or combinations
of token, separators, and quoted-string>
quoted-string = ( <"> *(qdtext | quoted-pair ) <"> )
quoted-pair = "\" CHAR
CHAR = <any US-ASCII character (octets 0 - 127)>
from which it appears that the header in the testcase is legitimate
and our parser is screwed.
Anyone?
--
Nick Kew
Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/
Re: Backslashes in HTTP Headers
Posted by Joe Orton <jo...@redhat.com>.
On Mon, Oct 01, 2007 at 02:01:24AM +0100, Nick Kew wrote:
> Coadvisor has several testcases involving a Content-Type line with
> a lot of qualifier tokens. These tokens are quoted strings and
> include backslashes. This is going to wrap when I cut&paste:
>
> Content-Type: text/other; charset=ISO-8859-4; attribute=value; q=0.9;
> q=9.0000 ; a="quoted text/html"; a="quoted, list=b"; a="quoted \r\n
> new line"; a="quoted \r\n\t\r\n new lines"; a="slashed \alpha";
> a="slashed \\nnew line"; a="slashed \\r\\ncrlf"; a="slashed \\n\\nnew
> lines"; a="slashed \"string"; a-rvlmxgisq=v-r808478;
> a-rtbtrjxmwqirv=v-r797440; a-rwsqj=v-r9946045539;
> a-rkdrdmk=v-r93968576355\r\n
>
> Our ap_rgetline_core is seeing those quoted \-r-\-n sequences as
> newlines and getting hopelessly confused (the outcome is 400
> in the case of a request header, 502 from a response).
For exactly what request does the server give a 400, and what error is
given (attach or reference to avoid line-wrapping if necessary)? I
doubt there is any code in the server which will backslash-expand header
values as you describe; certainly ap_rgetline_core doesn't do it.
joe