On Fri, Jan 6, 2017 at 12:06 PM, Jacob Champion <[email protected]> wrote: >> Modified: >> httpd/httpd/trunk/modules/http/http_filters.c >> >> Modified: httpd/httpd/trunk/modules/http/http_filters.c >> URL: >> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/http/http_filters.c?rev=1777460&r1=1777459&r2=1777460&view=diff >> >> ============================================================================== >> [...] >> @@ -683,8 +726,10 @@ static APR_INLINE int check_headers(requ >> >> ctx.r = r; >> ctx.strict = (conf->http_conformance != AP_HTTP_CONFORMANCE_UNSAFE); >> - return apr_table_do(check_header, &ctx, r->headers_out, NULL) && >> - apr_table_do(check_header, &ctx, r->err_headers_out, NULL); >> + ctx.unfold = (!r->content_type || strncmp(r->content_type, >> + "message/http", 12)); > > > I don't think this unfolding exception should exist, at least not in this > part of the code. My reading of 7230 is not that folded headers are allowed > when the Content-Type is message/http, but rather that folded headers are > allowed *inside* the message/http payload body: > > This specification deprecates such > line folding except within the message/http media type > (Section 8.3.1). A sender MUST NOT generate a message that includes > line folding (i.e., that has any field-value that contains a match to > the obs-fold rule) unless the message is intended for packaging > within the message/http media type. > > IOW, the message/http payload body is allowed to be line-length limited, I > assume because it's a message/* media type. But that doesn't apply to the > HTTP-level headers.
I think you're right. -- Eric Covener [email protected]
