On Fri, Sep 13, 2013 at 10:54:35AM -0400, James Card wrote:
> So this confirms what you are saying (see below). Without haproxy in a non-LB
> environment this works so apparently tomcat on the target openAM server is
> more lenient. However when I checked the BNF grammar for HTTP headers it
> doesn't seem to allow /r/r/n. It doesn't explicitly disallow it but the
> grammar seems clear CRLF is specifically defined as /r/n.
It's clearer here :

  http://tools.ietf.org/html/draft-ietf-httpbis-p1-messaging-23#section-3.2

  header-field   = field-name ":" OWS field-value OWS
  field-name     = token
  field-value    = *( field-content / obs-fold )
  field-content  = *( HTAB / SP / VCHAR / obs-text )
  obs-fold       = CRLF ( SP / HTAB )
                   ; obsolete line folding
                   ; see Section 3.2.4

Then :

3.2.6.  Field value components

  Many HTTP header field values consist of words (token or quoted-string)
  separated by whitespace or special characters.  These special characters
  MUST be in a quoted string to be used within a parameter value (as
  defined in Section 4).

    word           = token / quoted-string

    token          = 1*tchar

    tchar          = "!" / "#" / "$" / "%" / "&" / "'" / "*"
                   / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~"
                   / DIGIT / ALPHA
                   ; any VCHAR, except special

    special        = "(" / ")" / "<" / ">" / "@" / ","
                   / ";" / ":" / "\" / DQUOTE / "/" / "["
                   / "]" / "?" / "=" / "{" / "}"

  A string of text is parsed as a single word if it is quoted using
  double-quote marks.

    quoted-string  = DQUOTE *( qdtext / quoted-pair ) DQUOTE
    qdtext         = HTAB / SP /%x21 / %x23-5B / %x5D-7E / obs-text
    obs-text       = %x80-FF

And VCHAR is any visible US-ASCII char (which does not include CR alone).

The CR character alone must absolutely not be accepted, it would be far too
dangerous because some implementations might consider it as the same as a
line feed (think for example about a dos/windows based client which uses old
functions which delimit lines on CR).

You must absolutely fix the server-side bug here.

BTW, if the \r below were accepted, then they would be part of the value :

> 00092 Accept: text/xml\r\r\n
> 00111 Content-Type: text/xml; charset=UTF-8\r\r\n

So as you can see it would mean the Accept field would be "text/xml\r" for
example.

Regards,
Willy
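As an added illustration of the grammar quoted above (this is example code written for this page, not code from the thread or from HAProxy), here is a strict header-field parser that implements field-name = token and field-content = *( HTAB / SP / VCHAR / obs-text ), next to a permissive parser of the kind the reply warns about, which splits on LF and strips a single trailing CR. The sample lines are constructed after the two quoted in the thread (the "00092"/"00111" capture prefixes are dropped), and all function names are my own; obs-fold is not handled, so each line is assumed to be one already-unfolded header field.

```python
# Header-field validation per draft-ietf-httpbis-p1-messaging-23, section 3.2
# and 3.2.6. Example code for illustration, not HAProxy's parser.

# tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." / "^"
#       / "_" / "`" / "|" / "~" / DIGIT / ALPHA
TCHAR = frozenset(
    b"!#$%&'*+-.^_`|~"
    b"0123456789"
    b"abcdefghijklmnopqrstuvwxyz"
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
)


def is_field_content_byte(b: int) -> bool:
    """field-content byte: HTAB / SP / VCHAR (0x21-0x7E) / obs-text (0x80-0xFF).

    A bare CR (0x0D) or LF (0x0A) is in none of these classes, so it is
    rejected rather than silently absorbed into the value.
    """
    return b in (0x09, 0x20) or 0x21 <= b <= 0x7E or 0x80 <= b <= 0xFF


def parse_header_field(line: bytes) -> tuple:
    """Strictly parse one CRLF-terminated header line into (name, value).

    Grammar applied: header-field = field-name ":" OWS field-value OWS,
    with field-name = token and field-value made only of field-content.
    Raises ValueError on any deviation. Lines containing obs-fold are not
    supported here (assumption: input is already unfolded).
    """
    if not line.endswith(b"\r\n"):
        raise ValueError("header line must be terminated by CRLF")
    body = line[:-2]
    colon = body.find(b":")
    if colon <= 0:
        raise ValueError("missing field-name or ':' separator")
    name = body[:colon]
    if any(b not in TCHAR for b in name):
        raise ValueError("field-name is not a token")
    # OWS = *( SP / HTAB ) on both sides of the value.
    value = body[colon + 1:].strip(b" \t")
    for b in value:
        if not is_field_content_byte(b):
            raise ValueError("invalid byte 0x%02x in field-value" % b)
    # Names are ASCII tokens; values may carry obs-text, so decode as latin-1.
    return name.decode("ascii"), value.decode("latin-1")


def is_valid_header_field(line: bytes) -> bool:
    """Boolean wrapper around parse_header_field for quick checks."""
    try:
        parse_header_field(line)
        return True
    except ValueError:
        return False


def lenient_parse(line: bytes) -> tuple:
    """A permissive parser of the kind the reply warns about.

    It treats LF as the line terminator and strips at most one trailing CR,
    so an extra CR before CRLF survives inside the value exactly as
    described: "text/xml\\r\\r\\n" yields the value "text/xml\\r".
    """
    body = line.split(b"\n", 1)[0]
    if body.endswith(b"\r"):
        body = body[:-1]
    name, _, value = body.partition(b":")
    return name.decode("ascii"), value.strip(b" \t").decode("latin-1")


# Constructed sample lines modelled on the two quoted in the thread.
SAMPLE_LINES = [
    b"Accept: text/xml\r\n",                          # well-formed
    b"Accept: text/xml\r\r\n",                        # stray CR before CRLF
    b"Content-Type: text/xml; charset=UTF-8\r\r\n",   # stray CR before CRLF
]


def classify(lines):
    """Return (line, verdict, detail) for each sample under the strict parser."""
    out = []
    for line in lines:
        try:
            _, value = parse_header_field(line)
            out.append((line, "ok", value))
        except ValueError as exc:
            out.append((line, "rejected", str(exc)))
    return out


if __name__ == "__main__":
    for line, verdict, detail in classify(SAMPLE_LINES):
        print("%-48r strict: %-8s %s" % (line, verdict, detail))
    for line in SAMPLE_LINES[1:]:
        print("%-48r lenient value: %r" % (line, lenient_parse(line)[1]))
```

Running it shows the strict parser rejecting both stray-CR lines with "invalid byte 0x0d in field-value", while the lenient parser returns "text/xml\r" and "text/xml; charset=UTF-8\r" as the values, which is the ambiguity the reply describes: whichever side normalises CR differently sees a different header than the other.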

