Posted to bugs@httpd.apache.org by bu...@apache.org on 2008/02/24 13:11:43 UTC

DO NOT REPLY [Bug 44477] New: - Apache accepts lowercase input

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<https://issues.apache.org/bugzilla/show_bug.cgi?id=44477>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

https://issues.apache.org/bugzilla/show_bug.cgi?id=44477

           Summary: Apache accepts lowercase input
           Product: Apache httpd-2
           Version: 2.2.8
          Platform: PC
        OS/Version: other
            Status: NEW
          Keywords: RFC
          Severity: minor
          Priority: P2
         Component: Core
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: dav7@dav7.net


[Note that the case (i.e. UPPER- or lowercase) of text in "double quotes" should
be paid attention to in this ticket.]

Apache's directory redirection engine accepts lowercase input.

To reproduce behavior (confirmed by one other person):

#1. Create the folder "/foo" (or whatever, the directory name doesn't matter) on
any server.
#2. Telnet or use "nc" to connect to your server. Be sure to specify port 80.
#3. Send "get /foo" and Apache will return the standard 301 "this is located at
/foo/" (note the trailing slash).
#4. Now send "get /foo/" and notice how Apache sends a 501 - "Not Implemented."
#5. Finally, send "GET /foo/" and you will receive the correct response.

To expound/recap/emphasize, the bug appears in #3, where Apache returns 301 -
"Moved Permanently" after a lowercase command was sent, instead of returning
501, which it should, to be standards conformant.

Note that Apache will send a 501 if you send "get /thisdirdoesntexist", where
'thisdirdoesntexist' is a directory on the server that, well, doesn't exist.
This has only been tested on my system, and not tested elsewhere.

-dav7

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


DO NOT REPLY [Bug 44477] - Apache accepts lowercase input

Posted by bu...@apache.org.


slive@apache.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|                            |INVALID
             Status|NEW                         |RESOLVED




------- Additional Comments From slive@apache.org  2008-02-24 13:48 -------
What standard exactly is being violated here?

Some of your assumptions are wrong. When apache sees "get /foo" it treats it
exactly like "BAR /foo". In other words, it treats it as an unknown method
acting on an improperly-canonicalized directory. It is not doing a
case-insensitive match on GET.

So what is happening is that apache ignores the method entirely when it receives
a request for an improperly-canonicalized directory and simply sends the
redirect. In the case of "BAR /foo", apache doesn't even try to determine
whether the resource /foo will actually deal with the method BAR. Trying to
check this would add considerable complexity for very little gain.

And by the way, "get /foo" and even "GET /foo/" are not correct requests in any
recent version of http. If you are testing protocol compliance, you should start
with a reasonable request.

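Added example, not part of the ticket and not httpd's code: a Python probe that sends the ticket's request lines as well-formed HTTP/1.1 requests with the method's case preserved, together with a constructed model of the decision order described in the reply so that it runs offline. The directory set, the method list and every function name here are assumptions made for illustration.

```python
import socket

# Assumed method list for the model; method tokens are case-sensitive (RFC 2616, 5.1.1).
KNOWN_METHODS = {"GET", "HEAD", "POST", "OPTIONS"}

def build_request(method, path, host="localhost"):
    """Well-formed HTTP/1.1 request; the method's case is sent exactly as given."""
    return (f"{method} {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Connection: close\r\n\r\n").encode("ascii")

def parse_status(raw):
    """Status code from the response's first line, or None if there is no status line."""
    parts = raw.split(b"\r\n", 1)[0].split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/1.") or not parts[1].isdigit():
        return None
    return int(parts[1])

def model_server(dirs, redirect_first=True):
    """Constructed model of the decision order in the reply (not httpd's code)."""
    def handle(raw):
        method, path, _ = raw.split(b"\r\n", 1)[0].decode("ascii").split(" ", 2)
        known = method in KNOWN_METHODS  # exact match, so "get" is an unknown method
        if path in dirs and (redirect_first or known):
            # Directory named without its trailing slash: redirect to the canonical URL.
            return f"HTTP/1.1 301 Moved Permanently\r\nLocation: {path}/\r\n\r\n".encode()
        if not known:
            return b"HTTP/1.1 501 Not Implemented\r\n\r\n"
        code = "200 OK" if path.endswith("/") and path.rstrip("/") in dirs else "404 Not Found"
        return f"HTTP/1.1 {code}\r\n\r\n".encode()
    return handle

def tcp_transport(host, port, timeout=5.0):
    """Transport for a server you operate: send raw bytes, read until the peer closes."""
    def send(raw):
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(raw)
            return s.makefile("rb").read()
    return send

# Request lines taken from the ticket and the reply.
PROBES = [("get", "/foo"), ("BAR", "/foo"), ("get", "/foo/"),
          ("GET", "/foo/"), ("get", "/thisdirdoesntexist")]

def run_matrix(send, probes=PROBES):
    """Map each (method, path) probe to the status code the transport returned."""
    return {p: parse_status(send(build_request(*p))) for p in probes}

if __name__ == "__main__":
    for (method, path), status in run_matrix(model_server({"/foo"})).items():
        print(f"{method:4} {path:22} -> {status}")
```

Passing `tcp_transport(host, port)` to `run_matrix` instead of the model runs the same matrix against a live server; `model_server(dirs, redirect_first=False)` models the ordering the reporter expected, where the method is checked before the redirect.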