On 01/05/2017 04:31 AM, [email protected] wrote:
Author: ylavic
Date: Thu Jan 5 12:31:48 2017
New Revision: 1777460
URL: http://svn.apache.org/viewvc?rev=1777460&view=rev
Log:
http: allow folding in check_headers(), still compliant with RFC 7230 (3.2.4).
Modified:
httpd/httpd/trunk/modules/http/http_filters.c
Modified: httpd/httpd/trunk/modules/http/http_filters.c
URL:
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/http/http_filters.c?rev=1777460&r1=1777459&r2=1777460&view=diff
==============================================================================
[...]
@@ -683,8 +726,10 @@ static APR_INLINE int check_headers(requ
ctx.r = r;
ctx.strict = (conf->http_conformance != AP_HTTP_CONFORMANCE_UNSAFE);
- return apr_table_do(check_header, &ctx, r->headers_out, NULL) &&
- apr_table_do(check_header, &ctx, r->err_headers_out, NULL);
+ ctx.unfold = (!r->content_type || strncmp(r->content_type,
+ "message/http", 12));
I don't think this unfolding exception should exist, at least not in
this part of the code. My reading of 7230 is not that folded headers are
allowed when the Content-Type is message/http, but rather that folded
headers are allowed *inside* the message/http payload body:
This specification deprecates such
line folding except within the message/http media type
(Section 8.3.1). A sender MUST NOT generate a message that includes
line folding (i.e., that has any field-value that contains a match to
the obs-fold rule) unless the message is intended for packaging
within the message/http media type.
IOW, the message/http payload body is allowed to be line-length limited,
I assume because it's a message/* media type. But that doesn't apply to
the HTTP-level headers.
--Jacob
