On Tue, 2015-04-14 at 11:48 +0400, George Chelidze wrote: > It looks reasonable to me as well, however there are two things: > > 1. according to http://tools.ietf.org/html/rfc7230#section-3.2.4, we have: > > No whitespace is allowed between the header field-name and colon. In > the past, differences in the handling of such whitespace have led to > security vulnerabilities in request routing and response handling. A > server MUST reject any received request message that contains > whitespace between a header field-name and colon with a response code > of 400 (Bad Request). A proxy MUST remove any such whitespace from a > response message before forwarding the message downstream.
Damn, I'm getting behind with my RFCs. Yes, that seems to support your position, though it's not entirely clear whether the server or proxy rules should apply (the CGI script is the origin server and never receives the whitespace, while HTTPD's role is as a proxy between the HTTP and CGI protocols). > 2. according to the http://httpd.apache.org/docs/2.4/env.html, the > header should be dropped: No, that's talking about invalid characters within a header. Not the same as trailing whitespace being stripped. > I'll try to explain what seems to be an issue for me: That seems to me pretty clearly a defect in GGSN, whose header it is that's affected. > X-MSISDN : 123456 > > GGSN will ignore this "header" as it's not a valid HTTP header Yet it MUST return 400 (if we accept that rule applies to HTTPD then it applies equally to $other-agent), and is creating a defect for itself. Whoops! Have you test-driven any other web server or proxy software with this? -- Nick Kew
