Mailing List Archive

spaces in HTTP headers
> http://aqui.stllab.ibm.com

They have a system which requests URLs from other servers, their
system adds an extra header to the HTTP headers, e.g. when talking
to xxx.lanl.gov it added

 FOO: xxx

note the leading space. Apache created env var "HTTP_ FOO" = "xxx",
and the shell rejected it when trying to do an "exec cmd"

My boss says that Apache should be fixed to not send the " " in the
env var (that'd mean checking incoming HTTP headers against the spec).
I say, slap the wrists of the people at ibm and be done with it.

I've mailed the resource owners to tell them about their spec
violation.

rob
Re: spaces in HTTP headers
> > http://aqui.stllab.ibm.com
>
> They have a system which requests URLs from other servers, their
> system adds an extra header to the HTTP headers, e.g. when talking
> to xxx.lanl.gov it added
>
>  FOO: xxx
>
> note the leading space. Apache created env var "HTTP_ FOO" = "xxx",
> and the shell rejected it when trying to do an "exec cmd"
>
> My boss says that Apache should be fixed to not send the " " in the
> env var (that'd mean checking incoming HTTP headers against the spec).
> I say, slap the wrists of the people at ibm and be done with it.
>
> I've mailed the resource owners to tell them about their spec
> violation.

Surely the correct thing to do is to reject it as an invalid request.

>
> rob

--
Ben Laurie Phone: +44 (181) 994 6435
Freelance Consultant Fax: +44 (181) 994 6472
and Technical Director Email: ben@algroup.co.uk
A.L. Digital Ltd, URL: http://www.algroup.co.uk
London, England.
Re: spaces in HTTP headers
>> http://aqui.stllab.ibm.com
>
> They have a system which requests URLs from other servers, their
> system adds an extra header to the HTTP headers, e.g. when talking
> to xxx.lanl.gov it added
>
>  FOO: xxx
>
> note the leading space. Apache created env var "HTTP_ FOO" = "xxx",
> and the shell rejected it when trying to do an "exec cmd"
>
> My boss says that Apache should be fixed to not send the " " in the
> env var (that'd mean checking incoming HTTP headers against the spec).
> I say, slap the wrists of the people at ibm and be done with it.
>
> I've mailed the resource owners to tell them about their spec
> violation.

If it starts with a space, then it isn't a new header (no matter what
it looks like). Instead, it is a continuation of the header field
above it, and must be treated as such in Apache.

.......Roy
Re: spaces in HTTP headers
> >  FOO: xxx

> If it starts with a space, then it isn't a new header (no matter what
> it looks like). Instead, it is a continuation of the header field
> above it, and must be treated as such in Apache.


This is what these people are sending when asking for "xxx.lanl.gov/test"

===============================
GET /test/ HTTP/1.0
 Foo: xxx

===============================

So this can't be a continuation of an earlier HTTP header 'cos there
wasn't one :-)


rob
Re: spaces in HTTP headers
On Fri, 17 Nov 1995, Rob Hartill wrote:
> > >  FOO: xxx
>
> > If it starts with a space, then it isn't a new header (no matter what
> > it looks like). Instead, it is a continuation of the header field
> > above it, and must be treated as such in Apache.
>
>
> This is what these people are sending when asking for "xxx.lanl.gov/test"
>
> ===============================
> GET /test/ HTTP/1.0
>  Foo: xxx
>
> ===============================
>
> So this can't be a continuation of an earlier HTTP header 'cos there
> wasn't one :-)

Regardless, Apache should deal with it - I don't consider it a
showstopper but it would be good since

Accept: text/html
 image/gif

Is valid.

Brian

--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
brian@organic.com brian@hyperreal.com http://www.[hyperreal,organic].com/
Re: spaces in HTTP headers
> ===============================
> GET /test/ HTTP/1.0
>  Foo: xxx
>
> ===============================
>
> So this can't be a continuation of an earlier HTTP header 'cos there
> wasn't one :-)

Argh, I say we should lynch `em.

....Roy
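
The behaviour argued for across the thread, as an added example (not part of the thread and not Apache's code): a line starting with whitespace is folded into the previous header's value, a first header line starting with whitespace is rejected, and field names are validated as tokens before being turned into CGI variable names. The names `struct hdr`, `parse_headers` and `cgi_env_name` are hypothetical, and over-long values are silently truncated.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

struct hdr { char name[64]; char value[256]; };

/* Field names are HTTP tokens: no spaces or separators allowed. */
static int is_token_char(int c) {
    return isalnum(c) || (c && strchr("!#$%&'*+-.^_`|~", c));
}

/* Parse headers after the request line; returns count, or -1 to reject. */
int parse_headers(const char *p, struct hdr *out, int max) {
    int n = 0;
    while (*p && *p != '\r' && *p != '\n') {
        size_t len = strcspn(p, "\r\n");
        if (*p == ' ' || *p == '\t') {        /* continuation line */
            if (n == 0) return -1;            /* no header to continue */
            size_t skip = strspn(p, " \t"), used = strlen(out[n - 1].value);
            snprintf(out[n - 1].value + used, sizeof out[n - 1].value - used,
                     " %.*s", (int)(len - skip), p + skip);
        } else {
            const char *colon = memchr(p, ':', len);
            size_t nlen = colon ? (size_t)(colon - p) : 0;
            if (nlen == 0 || nlen >= sizeof out->name || n == max) return -1;
            for (size_t i = 0; i < nlen; i++)
                if (!is_token_char((unsigned char)p[i])) return -1;
            const char *v = colon + 1 + strspn(colon + 1, " \t");
            snprintf(out[n].name, sizeof out[n].name, "%.*s", (int)nlen, p);
            snprintf(out[n].value, sizeof out[n].value, "%.*s",
                     (int)(len - (size_t)(v - p)), v);
            n++;
        }
        p += len + (p[len] == '\r');
        if (*p == '\n') p++;
    }
    return n;
}

/* CGI variable name: "HTTP_" + upper-cased field name, '-' -> '_' (size > 0). */
void cgi_env_name(const char *name, char *buf, size_t size) {
    snprintf(buf, size, "HTTP_%s", name);
    for (char *c = buf; *c; c++)
        *c = (*c == '-') ? '_' : (char)toupper((unsigned char)*c);
}

int main(void) {
    struct hdr h[8];  /* constructed input: the request from the thread */
    return parse_headers(" Foo: xxx\r\n\r\n", h, 8) == -1 ? 0 : 1;
}
```

Because a name is accepted only if every character is a token character, no variable name containing a space such as "HTTP_ FOO" can reach the environment passed to a CGI script.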