On 10.03.20 at 00:55, Tim Duesterhus wrote:
> This patch hardens the verification of the HTTP/1.x version line
> (i.e. the first line within an HTTP/1.x request) to verify that
> the protocol name within the version actually reads "HTTP".
> Previously, protocols that superficially resembled the wire format
> of HTTP/1.x and had a 4-letter acronym as the protocol name, such
> as RTSP, would pass this check.
> This patch fixes GitHub issue #540; it must be backported to all
> supported versions. The legacy, non-HTX parser is affected as well;
> a fix must be created for it as well.

Digging deeper I find commit 63d692c03721d21b6469a97ce7c2e91714fb9408
"MEDIUM: http: allows 'R' and 'S' in the protocol alphabet" from
Thierry, introduced in 1.6-dev2 which specifically added support for
RTSP (completely undocumented, though).

- If RTSP support is desired then it should clearly be documented.
- If not then my patch should be updated to remove the "version token"
flag from 'R' and 'S' in addition to verifying that the 4 characters are
'HTTP' and not 'HHHH' or whatever. The commit message must also be
updated, because XXXX does not pass in any case.

Best regards
Tim Düsterhus
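
The difference between the two checks discussed in this message, as an added example that is not part of the original e-mail and is not HAProxy's parser code. It assumes a simplified model in which the "version token" alphabet is the letters H, T, P, R and S; the function names and sample strings are constructed for illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed model of a "version token" alphabet: H, T, P plus the R and S
 * that were added for RTSP. This is not HAProxy's real character table. */
static bool in_alphabet(char c)
{
    return c != '\0' && strchr("HTPRS", c) != NULL;
}

/* Shared tail check: "/" DIGIT "." DIGIT with nothing after it. */
static bool has_version_tail(const char *v)
{
    return v[0] == '/' && isdigit((unsigned char)v[1]) && v[2] == '.' &&
           isdigit((unsigned char)v[3]) && v[4] == '\0';
}

/* Loose check: any four letters from the alphabet, then "/d.d". */
bool loose_version_ok(const char *v)
{
    if (strlen(v) != 8)
        return false;
    for (int i = 0; i < 4; i++)
        if (!in_alphabet(v[i]))
            return false;
    return has_version_tail(v + 4);
}

/* Strict check: the protocol name must read exactly "HTTP". */
bool strict_version_ok(const char *v)
{
    return strlen(v) == 8 && memcmp(v, "HTTP", 4) == 0 &&
           has_version_tail(v + 4);
}

int main(void)
{
    /* Constructed sample version strings. */
    const char *samples[] = { "HTTP/1.1", "RTSP/1.0", "HHHH/1.1", "XXXX/1.0" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-9s loose=%d strict=%d\n", samples[i],
               loose_version_ok(samples[i]), strict_version_ok(samples[i]));
    return 0;
}
```
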
