kenballus opened a new issue, #12082:
URL: https://github.com/apache/trafficserver/issues/12082
RFC 9110 states that header names must consist only of `tchar`s, which are
defined as follows:
```
tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*"
/ "+" / "-" / "." / "^" / "_" / "`" / "|" / "~"
/ DIGIT / ALPHA
; any VCHAR, except delimiters
```
`@` is not in this list, but ATS accepts it within header names, as long as
it is not the first character.
To test this, send ATS a request with `@` in a header name, and observe that
it forwards the invalid header without modification.
For example, sending the following request
```
GET / HTTP/1.1\r\n
Host: whatever\r\n
To@st: test\r\n
\r\n
```
elicits the following response:
```
GET / HTTP/1.1\r\n
Host: echo\r\n
To@st: test\r\n
Client-ip: 172.18.0.1\r\n
X-Forwarded-For: 172.18.0.1\r\n
Via: http/1.1 traffic_server[503cce9c-f4c1-4ee9-bd19-63c6ae774944] (ApacheTrafficServer/10.1.0)\r\n
\r\n
```
The correct behavior is to respond 400, since `@` is not a valid character
in this context.
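The field-name check the report describes, written out as an added example in C++; it is not ATS code and not part of the issue. The names `is_tchar`, `is_valid_field_name` and `check_header_section` are hypothetical, and the sample input is the header section of the request quoted above.

```cpp
#include <cstdio>
#include <cstring>
#include <string>

// RFC 9110 tchar: DIGIT, ALPHA and the 15 symbols listed in the grammar.
static bool is_tchar(unsigned char c) {
    if (c >= '0' && c <= '9') return true;
    if ((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z')) return true;
    // strchr would also match the terminating NUL, so exclude it explicitly.
    return c != '\0' && std::strchr("!#$%&'*+-.^_`|~", c) != nullptr;
}

// field-name = token = 1*tchar: non-empty and made only of tchars.
static bool is_valid_field_name(const std::string& name) {
    if (name.empty()) return false;
    for (unsigned char c : name)
        if (!is_tchar(c)) return false;
    return true;
}

// Hypothetical helper: takes the header section (the lines after the request
// line, each ending in CRLF, closed by an empty line) and returns the status
// a strict parser would choose: 400 on any malformed field line, else 200.
static int check_header_section(const std::string& raw) {
    std::size_t pos = 0;
    while (pos < raw.size()) {
        std::size_t eol = raw.find("\r\n", pos);
        if (eol == std::string::npos) return 400;   // unterminated line
        if (eol == pos) return 200;                 // empty line ends the section
        std::string line = raw.substr(pos, eol - pos);
        std::size_t colon = line.find(':');
        if (colon == std::string::npos) return 400; // no name/value separator
        // Everything before the first colon is the name; "@", spaces and
        // other non-tchar bytes make the whole message invalid.
        if (!is_valid_field_name(line.substr(0, colon))) return 400;
        pos = eol + 2;
    }
    return 400;                                     // no terminating empty line
}

int main() {
    // Header section of the request from the report above.
    const std::string sample = "Host: whatever\r\nTo@st: test\r\n\r\n";
    std::printf("status %d\n", check_header_section(sample));
    return 0;
}
```

Because the name is taken as everything before the first colon, a field line with whitespace between the name and the colon is rejected by the same check.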