Commit Graph

353 Commits

Author SHA1 Message Date
b2fb7e185c old IBM EBCDIC fix that never got shared.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1777354 13f79535-47bb-0310-9956-ffa450edef68
2017-01-04 18:04:26 +00:00
2b69370fcf Partial port of proposed r1773158 for httpd-2.x only; this change causes all
illegible protocol args to be rejected, irrespective of the strict toggle as
we expect this to occur with a garbage raw SP embedded in the request URI.

Simplifies the code using the protocol 0.9 sentinel to set up an http/1.0
error response.

String duplication of r1773158 is uninteresting, httpd-2.x has a const protocol
member.

Submitted by: rpluem, wrowe
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1773159 13f79535-47bb-0310-9956-ffa450edef68
2016-12-07 23:01:32 +00:00
2e501bbb12 Optimize away one more strchr
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1770869 13f79535-47bb-0310-9956-ffa450edef68
2016-11-22 18:43:28 +00:00
108f897191 List discussion resulted in rejecting all but SP characters in the request
line, but in the strict mode prioritize excessive space testing over bad
space testing (which is captured later) and make both more efficient
(at this test ll[0] is already whitespace or \0 char). Also correct a comment.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1770867 13f79535-47bb-0310-9956-ffa450edef68
2016-11-22 18:33:20 +00:00
84ce5d25db Dropped the never-released ap_has_cntrls() as it had very limited
and inefficient application at that, added ap_scan_vchar_obstext()
to accomplish a similar purpose.

Dropped HttpProtocolOptions StrictURL option, this will be better
handled in the future with a specific directive and perhaps multiple
levels of scrutiny, use ap_scan_vchar_obstext() to simply ensure there
are no control characters or whitespace within the URI.

Changed the scanning of the response header table by check_headers()
to follow the same rulesets as reading request headers. Disallow any
CTL character within a response header value, and any CTL or whitespace
in response header field name, even in strict mode.

Apply HttpProtocolOptions Strict to chunk header parsing, invalid
whitespace is invalid, line termination must follow CRLF convention.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1764961 13f79535-47bb-0310-9956-ffa450edef68
2016-10-14 20:48:43 +00:00
00423058d6 Clarify
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1758313 13f79535-47bb-0310-9956-ffa450edef68
2016-08-30 01:06:48 +00:00
09fcfe627f Calm some overly aggressive crlf handling
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1758305 13f79535-47bb-0310-9956-ffa450edef68
2016-08-29 22:19:25 +00:00
28163941ef New optional flag to enforce <CR><LF> line delimiters in ap_[r]getline,
created by overloading 'int fold' (1 or 0) as 'int flags', with the same
value 1 for AP_GETLINE_FOLD (which httpd doesn't use), and a new value
2 for AP_GETLINE_CRLF

Enforce CRLF when HttpProtocolOptions Strict is in force.

Correctly introduces a new t/TEST fail.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1758304 13f79535-47bb-0310-9956-ffa450edef68
2016-08-29 22:17:07 +00:00
b06490c39c Correct the parser construction for several optimizations,
based on the fact that bad whitespace shall not be permitted
or corrected in any operating mode, while preserving the
ability to extract bad method/uri/proto for later reporting
and diagnostics.

This change causes bad whitespace in the request line or any
request field line to always fail, and not honor the setting
of the HttpProtocolOptions Unsafe option. Mult SP characters
or trailing SP characters in the request line are still
permitted in Unsafe mode.

Adjusted several error message emits to match these changes.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1758263 13f79535-47bb-0310-9956-ffa450edef68
2016-08-29 17:25:35 +00:00
f54c03b7ee Folding StrictWhitespace into the Strict ruleset of RFC7230, per dev@ poll.
This choice is unanimous, although StrictURI (a different RFC) still hasn't
found absolute consensus.

An ap_mmn bump will follow (major, this removes a struct elt)
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1758226 13f79535-47bb-0310-9956-ffa450edef68
2016-08-29 13:47:27 +00:00
555eebaca2 Revert to the correct APLOGNO ID for this case
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1757924 13f79535-47bb-0310-9956-ffa450edef68
2016-08-26 21:10:08 +00:00
ac07e050c6 Correct URL failure reporting.
Drop the second reporting of HEAD over HTTP/0.9 requests, we short-circuit
this early now in read_request_line() when presented anything other than
the sole "GET" method permitted by spec.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1757921 13f79535-47bb-0310-9956-ffa450edef68
2016-08-26 20:41:55 +00:00
7f78dd0fa0 First survey results, all intrinsically bad input will be logged at the debug
level, no louder. This patch intentionally dodges the Limit* constrained tests
since administrators may shoot themselves in the foot, or be confronted with
impossibly long cookie values, etc.

Adjust the documentation to match.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1757920 13f79535-47bb-0310-9956-ffa450edef68
2016-08-26 20:35:42 +00:00
c14736b0ac Also catch invalid spaces between the URI <> Protocol in StrictWhitespace mode.
(matching the test for the Method <> URI)
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1757593 13f79535-47bb-0310-9956-ffa450edef68
2016-08-25 02:45:18 +00:00
6cae6f2487 Rename LenientWhitespace to UnsafeWhitespace and change StrictWhitespace
to the default behavior, after discussion with fielding et al about the
purpose of section 3.5. Update the documentation to clarify this.

This patch removes whitespace considerations from the Strict|Unsafe toggle
and consolidates them all in the StrictWhitespace|UnsafeWhitespace toggle.

Added a bunch of logic comments to read_request_line parsing.

Dropped the badwhitespace list for an all-or-nothing toggle in rrl.

Leading space before the method is optimized to be evaluated only once.

Toggled the request from HTTP/0.9 to HTTP/1.0 for more BAD_REQUEST cases.

Moved s/[\n\v\f\r]/ / cleanup logic earlier in the cycle, to operate on
each individual line read, and catch bad whitespace errors earlier.
This changes the obs-fold to more efficiently condense whitespace and
forces concatenation with a single SP, always. Overrides are not
necessary since obs-fold is clearly deprecated.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1757589 13f79535-47bb-0310-9956-ffa450edef68
2016-08-25 01:46:20 +00:00
9d6d6f9fd4 As commented, ensure we don't flag a request as a rejected 0.9 request
if we identified any other parsing errors and handle all 0.9 request
errors as 400 BAD REQUEST, presuming HTTP/1.0 to deliver the error details.
Do not report 0.9 issues as 505 INVALID PROTOCOL because the client apparently
specified no protocol, and 505 post-dates the simple HTTP request mechanism.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1757065 13f79535-47bb-0310-9956-ffa450edef68
2016-08-21 16:50:14 +00:00
b9a6a0ee7b Introduce StrictURI|UnsafeURI for RFC3986 enforcement
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1756959 13f79535-47bb-0310-9956-ffa450edef68
2016-08-19 19:48:58 +00:00
dc0d9fa11e Correct request header handling of whitespace with the new possible config of
HttpProtocolOptions Unsafe StrictWhitespace

I have elected not to preserve any significance to excess whitespace in the
now-deprecated obs-fold code path, that's certainly open for discussion.

This can be reviewed by tweaking t/conf/extra.conf to switch Strict to Unsafe.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1756847 13f79535-47bb-0310-9956-ffa450edef68
2016-08-18 20:26:53 +00:00
464e7d8946 * server/protocol.c (read_request_line): Fix compiler warnings with
GCC.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1756824 13f79535-47bb-0310-9956-ffa450edef68
2016-08-18 15:49:25 +00:00
1877fd6e15 Drop redundant == --rrl_none evaluation, noted by rpluem
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1756823 13f79535-47bb-0310-9956-ffa450edef68
2016-08-18 15:47:23 +00:00
f2035757d3 Drop unused, previously sscanf() target variables
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1756821 13f79535-47bb-0310-9956-ffa450edef68
2016-08-18 15:43:26 +00:00
8d77efe21e Perform correct, strict parsing of the request line, handling the
http protocol tag, url and method appropriately, and attempting
to extract values even in the presence of unusual whitespace in
keeping with section 3.5, prior to responding with whatever
error reply is needed. Conforms to RFC7230 in all respects,
the section 3.5 optional behavior can be disabled by the user
with a new HttpProtocolOptions StrictWhitespace flag. In all
cases, the_request is regenerated from the parsed components
with exactly two space characters.

Shift sf's 'strict' method check from the Strict behavior because
it violates forward proxy logic, adding a new RegisteredMethods
flag, as it will certainly be useful to some.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1756729 13f79535-47bb-0310-9956-ffa450edef68
2016-08-18 07:15:06 +00:00
fc367d65ee Rename the previously undocumented HTTPProtocol directive
to EnforceHTTPProtocol, and invert the default behavior
to strictly observe RFC 7230 unless otherwise configured.
And Document This.

The relaxation option is renamed 'Unsafe'. 'Strict' is no
longer case sensitive. 'min=0.9|1.0' is now the verbose
'Allow0.9' or 'Require1.0' case-insensitive grammar. The
exclusivity tests have been modified to detect conflicts.

The 'strict,log' option failed to enforce strict conformance,
and has been removed. Unsafe, informational logging is possible
in any loadable module, after the request data is unsafely
accepted.

This triggers a group of failures in t/apache/headers.t as
expected since those patterns violated RFC 7230 section 3.2.4.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1756540 13f79535-47bb-0310-9956-ffa450edef68
2016-08-16 18:11:14 +00:00
705d42f5f6 Follow on to r1755264, for the case of merged header length exceptions,
and ensure the field header name is truncated to a sane log width.

  Stop reflecting irrelevant data to the request error notes, particularly
  for abusive and malformed traffic the non-technical consumer of a user-agent
  has no control over.

  Simply take note where the administrator-configured limits have been exceeded,
  that administrator can find details in the error log if desired.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1755744 13f79535-47bb-0310-9956-ffa450edef68
2016-08-10 13:39:35 +00:00
e62f035172 Follow up to r1755264.
Don't crash when ap_rgetline() returns a NULL field on ENOSPC.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1755343 13f79535-47bb-0310-9956-ffa450edef68
2016-08-05 15:08:24 +00:00
eebd8e8076 Stop reflecting irrelevant data to the request error notes, particularly
for abusive and malformed traffic the non-technical consumer of a user-agent
has no control over.

Simply take note where the administrator-configured limits have been exceeded,
that administrator can find details in the error log if desired.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1755264 13f79535-47bb-0310-9956-ffa450edef68
2016-08-05 09:13:26 +00:00
61c3d59936 Treat an empty obs-fold line as abusive traffic
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1755263 13f79535-47bb-0310-9956-ffa450edef68
2016-08-05 09:08:35 +00:00
b45b9ff116 Strictly observe the one-SP requirement of every obs-fold line.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1755236 13f79535-47bb-0310-9956-ffa450edef68
2016-08-04 21:43:01 +00:00
3a8a5da727 Now eliminate all intra-obs-fold excess whitespace, results condensed per spec.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1755235 13f79535-47bb-0310-9956-ffa450edef68
2016-08-04 20:51:49 +00:00
3906397903 An empty obs-fold line is a no-op.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1755234 13f79535-47bb-0310-9956-ffa450edef68
2016-08-04 20:48:52 +00:00
e0a32d9c60 As promised, reduce this logic by net 9 code lines, shifting the burden
of killing trailing whitespace to the purpose-agnostic read logic.

Whitespace before or after an obs-fold, and before or after a field value
have no semantic purpose at all. Because we are building a buffer for all
folded values, reducing the size of the newly allocated buffer is always
to our advantage.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1755233 13f79535-47bb-0310-9956-ffa450edef68
2016-08-04 20:46:45 +00:00
edd78a4931 Another comment for reviewers to follow
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1755126 13f79535-47bb-0310-9956-ffa450edef68
2016-08-03 23:17:07 +00:00
46f1b60ff3 Testing len > 0 is redundant when *field is a "\0" and mismatches here,
folded flag was a no-op, unused once we added continue; logic.
Fix these as initially attempted in r1755114.

Add some comments to make this code slightly more legible to the reviewer.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1755125 13f79535-47bb-0310-9956-ffa450edef68
2016-08-03 23:07:55 +00:00
a37ee2d35d Reformat for indentation following r1755123, Whitespace Only
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1755124 13f79535-47bb-0310-9956-ffa450edef68
2016-08-03 22:58:10 +00:00
078ccbe978 Clean up an edge case where obs-fold continuation precedes the first header,
as with r1755098, but this time ensure the previous header processing logic
ensures there was a previous header as identified by jchampion.

This patch restructures the loop for legibility with a loop continuation,
allowing us to flatten all of this hard-to-follow code. The subsequent
patch will be a whitespace-only change for formatting.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1755123 13f79535-47bb-0310-9956-ffa450edef68
2016-08-03 22:42:26 +00:00
3283ba38a9 Revert to r1754577 based on last_field NULL on first-pass defect
noted by Jacob Champion, discarding my work of today.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1755118 13f79535-47bb-0310-9956-ffa450edef68
2016-08-03 21:51:04 +00:00
a4b5efa1ac C89 fix, caught by Jacob Champion
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1755116 13f79535-47bb-0310-9956-ffa450edef68
2016-08-03 21:40:12 +00:00
cf5d664cf7 Improve comments for reviewers to understand this logic
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1755115 13f79535-47bb-0310-9956-ffa450edef68
2016-08-03 21:38:12 +00:00
5f7565364f Testing len > 0 is redundant when *field is a "\0" and mismatches here.
folded flag was a no-op, unused once we added continue; logic.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1755114 13f79535-47bb-0310-9956-ffa450edef68
2016-08-03 21:18:12 +00:00
671d9cbe97 Whitespace-only followup after r1755098 logic patch
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1755099 13f79535-47bb-0310-9956-ffa450edef68
2016-08-03 16:59:21 +00:00
0a8addebb0 Clean up an edge case where obs-fold continuation precedes the first header.
This patch restructures the loop for legibility with a loop continuation,
allowing us to flatten all of this hard-to-follow code. The subsequent
patch will be a whitespace-only change for formatting.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1755098 13f79535-47bb-0310-9956-ffa450edef68
2016-08-03 16:46:20 +00:00
04a85817d0 Correct logic, detect no 'token' chars, or missing ':'
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1754577 13f79535-47bb-0310-9956-ffa450edef68
2016-07-29 21:47:19 +00:00
0e1efad087 Correct usage for ap_scan_http_token (had used _get_ syntax), noted by Rüdiger
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1754570 13f79535-47bb-0310-9956-ffa450edef68
2016-07-29 20:22:37 +00:00
7ba8fc003a Clean up doubled-'{'
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1754569 13f79535-47bb-0310-9956-ffa450edef68
2016-07-29 20:12:38 +00:00
853d9c412d Introduce ap_scan_http_token / ap_scan_http_field_content for a much
more efficient pass through the header text; rather than reparsing
the strings over and over under the HTTP_CONFORMANCE_STRICT rules.

Improve logic and legibility by eliminating multiple repetitive tests
of the STRICT flag, and simply reorder 'classic' behavior first and
this new parser second to simplify the diff. Because of the whitespace
change (which I had wished to dodge), reading this --ignore-all-space
is a whole lot easier. Particularly against 2.4.x branch, which is now
identical in the 'classic' logic flow. Both of which I'll share with dev@
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1754556 13f79535-47bb-0310-9956-ffa450edef68
2016-07-29 17:37:41 +00:00
3987f79eb6 Strictly observe spec on obs-fold
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1754548 13f79535-47bb-0310-9956-ffa450edef68
2016-07-29 16:24:14 +00:00
e0fb12bf49 We arrive here for more than one cause; offer a more general statement
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1754547 13f79535-47bb-0310-9956-ffa450edef68
2016-07-29 16:20:40 +00:00
81b4949306 core: removing quirk for suppressing h2 in Upgrade: response header, never backported, obsolete
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1748591 13f79535-47bb-0310-9956-ffa450edef68
2016-06-15 14:47:21 +00:00
f4cc76ee71 Rename ap_casecmpstr[n]() to ap_cstr_casecmp[n](), update with APR doxygen
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1747469 13f79535-47bb-0310-9956-ffa450edef68
2016-06-09 00:06:42 +00:00
5957e68d5e Delay a table lookup until we know that we can handle the request.
Concat a string at compile time, rather than run time.
Some various style fixes.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1746884 13f79535-47bb-0310-9956-ffa450edef68
2016-06-05 09:17:33 +00:00