https://bz.apache.org/bugzilla/show_bug.cgi?id=62440
Bug ID: 62440
Summary: When exporting request headers to HTTP_* environment variables, variables are dropped too drastically
Product: Apache httpd-2
Version: 2.4.33
Hardware: PC
OS: Linux
Status: NEW
Severity: regression
Priority: P2
Component: Core
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
Apache implements the HTTP header to HTTP_* variable mapping of the CGI RFC:
https://tools.ietf.org/html/rfc3875#section-4.1.18
In Apache 2.3.11 you drastically changed the generation of HTTP_ variables from HTTP headers.
https://github.com/apache/httpd/commit/c291b461180994410593a8fc7541c4ef12e3b634
I think this is too drastic with regard to the HTTP standard.
https://stackoverflow.com/questions/47687379/what-characters-are-allowed-in-http-header-values?utm_medium=organic&utm_source=google_rich_qa&utm_campaign=google_rich_qa
I have many headers sent to a PHP application using the mod_php SAPI, which looks for this information in HTTP_* variables.
The HTTP header names look like AA_BBBBBBBBB, and with this code they are silently dropped... because they use "_" instead of the only separator accepted in the code, "-"...
The documentation explains a solution to circumvent this, but only for field content, not for field names...
http://httpd.apache.org/docs/current/en/env.html#examples
HTTP RFC 7230 clarifies which characters can be used:
https://tools.ietf.org/html/rfc7230#section-3.2.6
https://tools.ietf.org/html/rfc7230#section-3.2
    field-name = token
    token      = 1*tchar
    tchar      = "!" / "#" / "$" / "%" / "&" / "'" / "*"
               / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~"
               / DIGIT / ALPHA
               ; any VCHAR, except delimiters
The character "_" is authorized in field names; why drop this character and transform "-" into "_"?
Why not simply leave it as is?
Why not replace all authorized characters with "_" instead of completely removing the variable?
The CGI RFC says:
    The server MUST, if necessary, change the representation of the data (for example, the character set) to be appropriate for a CGI meta-variable.
Or make it possible to override this when necessary?!
In server/util_script.c:
while ((c = *w++) != 0) {
- if (!apr_isalnum(c)) {
+ if (apr_isalnum(c)) {
+ *cp++ = apr_toupper(c);
+ }
+ else if (c == '-') {
*cp++ = '_';
}
else {
- *cp++ = apr_toupper(c);
+ return NULL;
}
}
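Review bot: The final else branch discards the whole header with return NULL and leaves no trace, and because '_' is not alphanumeric it ends up there along with every other non-'-' character. A comment on that branch stating why '_' is rejected rather than copied through (after '-' is rewritten to '_', the two spellings would produce the same variable name) would document the intent, and a debug-level log entry at the caller naming the rejected header would let an administrator see why an HTTP_* variable is missing.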
Why not extend
    else if (c == '-') {
to other characters, like this:
    if (strchr("!#$%&'*+-.^`|~", c) != NULL) {
and add
    else if (c == '_') {
        *cp++ = c;
    }
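The three mappings discussed in this report, side by side, as an added example (not httpd source and not the reporter's code): the behaviour in the removed lines of the diff, the behaviour in its added lines, and the extension proposed in the report. The enum and function names are this example's own. It shows that any mapping which accepts both "-" and "_" makes distinct header names land on the same HTTP_* variable, so an application reading that variable cannot tell which header supplied it.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Modes are this example's own names, not httpd identifiers. */
enum mode { MODE_LEGACY, MODE_STRICT, MODE_PROPOSED };

/* Build the HTTP_* variable name for a header field name.
 * Returns 0 on success, -1 when the header would be dropped. */
int http2env(enum mode m, const char *name, char *out, size_t len)
{
    size_t n = 5;
    if (len < 6) return -1;
    memcpy(out, "HTTP_", n);
    for (; *name; name++) {
        unsigned char c = (unsigned char)*name;
        if (n + 1 >= len) return -1;          /* keep room for the NUL */
        if (isalnum(c))
            out[n++] = (char)toupper(c);
        else if (c == '-' || m == MODE_LEGACY ||
                 (m == MODE_PROPOSED && strchr("!#$%&'*+.^_`|~", c)))
            out[n++] = '_';  /* legacy: any char; proposed: tchar set and '_' */
        else
            return -1;       /* strict: '_' and everything else drops the header */
    }
    out[n] = '\0';
    return 0;
}

/* 1 if both names convert and yield the same variable name. */
int collide(enum mode m, const char *a, const char *b)
{
    char va[64], vb[64];
    if (http2env(m, a, va, sizeof va) || http2env(m, b, vb, sizeof vb))
        return 0;
    return strcmp(va, vb) == 0;
}

int main(void)
{
    /* Constructed names; AA_BBBBBBBBB is the shape given in the report. */
    const char *names[] = { "AA-BBBBBBBBB", "AA_BBBBBBBBB", "AA.BBBBBBBBB" };
    const char *label[] = { "legacy", "strict", "proposed" };
    char v[64];
    for (int m = MODE_LEGACY; m <= MODE_PROPOSED; m++)
        for (int i = 0; i < 3; i++)
            printf("%-8s %-13s -> %s\n", label[m], names[i],
                   http2env((enum mode)m, names[i], v, sizeof v) ? "(dropped)" : v);
    return 0;
}
```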