https://bz.apache.org/bugzilla/show_bug.cgi?id=61676
Bug ID: 61676
Summary: Unable to handle unescaped whitespace in URL with HttpProtocolOptions Unsafe
Product: Apache httpd-2
Version: 2.4.28
Hardware: PC
OS: Linux
Status: NEW
Severity: minor
Priority: P2
Component: All
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
The new option "HttpProtocolOptions Strict" prevents requests with an unescaped
whitespace such as:

    GET /Hallo Welt HTTP/1.0

or also

    GET /index.php?paramHallo Welt HTTP/1.0

With an error message of:

    AH03448: HTTP Request Line; Excess whitespace (disallowed by HttpProtocolOptions Strict)

To my understanding, setting "HttpProtocolOptions = Unsafe" should bring back
the old behaviour, but it seems like the URL parser is unable to handle the
extra whitespace:

    AH03449: HTTP Request Line; Extraneous text found 'HTTP/1.0' (perhaps whitespace was injected?)

Based on the comment in Bug 60738
https://bz.apache.org/bugzilla/show_bug.cgi?id=60783#c2, the Unsafe flag should
*not* turn off whitespace checking at all and keep with the original policy
error as quoted above. If still allowed with Unsafe, it should be properly
handled by the next layers.
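Added example, not part of the original report and not httpd's own code: a simplified Python model of the RFC 7230 section 3.1.1 request-line grammar (method SP request-target SP HTTP-version) next to two lenient splitters, showing why the request lines quoted in the report are ambiguous once strict checking is relaxed. All function names are hypothetical.

```python
import re

# RFC 7230 3.1.1: request-line = method SP request-target SP HTTP-version
# The method is a "token" (RFC 7230 3.2.6); the target may not contain whitespace.
_REQUEST_LINE = re.compile(
    r"([!#$%&'*+\-.^_`|~0-9A-Za-z]+) (\S+) (HTTP/\d\.\d)"
)


def parse_strict(line):
    """Return (method, target, version), or None if the grammar is violated."""
    m = _REQUEST_LINE.fullmatch(line)
    return m.groups() if m else None


def split_left(line):
    """Lenient model A: split on any whitespace, read fields left to right.
    Returns (method, target, protocol, leftover_tokens)."""
    parts = line.split()
    if len(parts) < 2:
        return None
    protocol = parts[2] if len(parts) > 2 else None
    return parts[0], parts[1], protocol, parts[3:]


def split_right(line):
    """Lenient model B: first token is the method, last token is the version,
    everything in between (spaces included) is the target."""
    method, sep, rest = line.partition(" ")
    target, sep2, version = rest.rpartition(" ")
    if not sep or not sep2:
        return None
    return method, target, version


if __name__ == "__main__":
    # Constructed inputs: the two request lines from the report, plus the
    # percent-encoded form a conforming client would send.
    for line in ("GET /Hallo Welt HTTP/1.0",
                 "GET /index.php?paramHallo Welt HTTP/1.0",
                 "GET /Hallo%20Welt HTTP/1.0"):
        print(repr(line))
        print("  strict     :", parse_strict(line))
        print("  left-split :", split_left(line))
        print("  right-split:", split_right(line))
```

For the first request line, model A reads `Welt` as the protocol and leaves `HTTP/1.0` over, which is the token named in the AH03449 message, while model B reads `/Hallo Welt` as the target; two layers that pick different models would disagree on which resource was requested.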