Either way, this has been filed/tracked as https://github.com/eclipse/jetty.project/issues/1333
Joakim Erdfelt / [email protected]

On Wed, Feb 15, 2017 at 10:35 AM, Joakim Erdfelt <[email protected]> wrote:

> The "message/http" content-type is typically only seen in the response
> body content to a TRACE method (which is unsupported by Jetty for security
> reasons).
>
> eg:
>
> TRACE http://www.company.com/ HTTP/1.1
> Host: www.company.com
> Connection: Close
> (blank line)
>
> HTTP/1.1 200 OK
> Transfer-Encoding: chunked
> Date: Wed, 15 Feb 2017 09:44:21 GMT
> Content-Type: message/http
> Connection: close
> Server: ImpressiveServer/1.2.3.4 (Unix)
> Connection: close
> Via: 1.1 bogusproxy
>
> 9d
> TRACE / HTTP/1.1
> Connection: keep-alive
> Host: www.company.com
> Via: 1.1 bogusproxy
> X-Foo: Value1,
>  Value2,
>  Value3
> X-Forwarded-For: 111.69.185.59, 111.69.5.234
>
> 0
>
>
> It was removed from the spec specifically because it causes security
> issues. (header injection)
> Note: Internet Explorer, Chrome, Firefox, and most proxies do not support
> header folding anymore.
>
> What you are trying to do is going to be increasingly more difficult as
> time goes on (not only will Jetty reject it, but so must http proxies and
> the like)
>
> The spec is pretty clear https://tools.ietf.org/html/rfc7230#section-3.2.4
>
> Historically, HTTP header field values could be extended over
> multiple lines by preceding each extra line with at least one space
> or horizontal tab (obs-fold). This specification deprecates such
> line folding except within the message/http media type
> (Section 8.3.1 <https://tools.ietf.org/html/rfc7230#section-8.3.1>). A
> sender MUST NOT generate a message that includes
> line folding (i.e., that has any field-value that contains a match to
> the obs-fold rule) unless the message is intended for packaging
> within the message/http media type.
>
>
> Your clients MUST NOT send folded http headers.
> It is highly unlikely that Jetty will reintroduce header folding.
> You'll have to make a very good (security minded) case for it.
>
>
> Joakim Erdfelt / [email protected]
>
> On Wed, Feb 15, 2017 at 10:13 AM, Lothar Kimmeringer <[email protected]>
> wrote:
>
>> Hi,
>>
>> I switched from 9.2 to 9.3 and two dozen test cases now fail due
>> to the fact that they create HTTP-requests containing folded
>> HTTP-request-headers. I'm aware of Bug 444222 where it's mentioned that
>> Jetty 9.3 will follow RFC 7230 more strictly so I know why I now
>> get HTTP 400 responses.
>>
>> The RFC allows two ways of reacting to folded HTTP-headers:
>>
>> | A server that receives an obs-fold in a request message that is not
>> | within a message/http container MUST either reject the message by
>> | sending a 400 (Bad Request), preferably with a representation
>> | explaining that obsolete line folding is unacceptable, or replace
>> | each received obs-fold with one or more SP octets prior to
>> | interpreting the field value or forwarding the message downstream.
>>
>> Since we use Jetty as HTTP-server for AS2, WebService- and RESTful-
>> Service data exchanges on a couple thousand distinct installations
>> where we have absolutely no control over the other side sending in
>> these requests, the default-behavior will definitely break production
>> EDI setups. So I'm forced to use option 2 of the RFC.
>>
>> How can I set up Jetty to replace line-breaks with spaces in order
>> to keep existing data exchanges running with the new version?
>>
>>
>> Thanks and best regards,
>>
>> Lothar Kimmeringer
>> _______________________________________________
>> jetty-users mailing list
>> [email protected]
>> To change your delivery options, retrieve your password, or unsubscribe
>> from this list, visit
>> https://dev.eclipse.org/mailman/listinfo/jetty-users
>>
>
>
_______________________________________________
jetty-users mailing list
[email protected]
To change your delivery options, retrieve your password, or unsubscribe
from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users
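The two server behaviours RFC 7230 section 3.2.4 permits, as quoted in Lothar's message, shown as an added example that is not part of this thread and is not Jetty's code: a small header-section parser that either rejects an obs-fold with a 400 (the default the thread attributes to Jetty 9.3) or replaces each obs-fold with one SP before the field-value is interpreted (the RFC's second option). The sample request is the folded TRACE body quoted in Joakim's message; the `policy` parameter, the function names and the 400 response body are my own choices.

```python
import re
from typing import List, Tuple, Union

# A field-name must be an RFC 7230 "token". A space before the colon fails
# this check, which also covers the RFC's rule that such requests be rejected.
TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")

Fields = List[Tuple[str, str]]


class BadRequest(Exception):
    """The rejection branch of RFC 7230 section 3.2.4: answer with 400."""


def parse_header_section(raw: bytes, policy: str = "reject") -> Tuple[str, Fields]:
    """Parse a request's start-line and header fields (hypothetical helper).

    policy="reject": an obs-fold raises BadRequest (what the thread says
                     Jetty 9.3 does by default).
    policy="unfold": each obs-fold is replaced by one SP before the
                     field-value is interpreted (the RFC's other option).
    """
    if policy not in ("reject", "unfold"):
        raise ValueError("policy must be 'reject' or 'unfold'")
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise BadRequest("header section not terminated by an empty line")
    lines = head.decode("iso-8859-1").split("\r\n")
    start_line, field_lines = lines[0], lines[1:]
    fields: Fields = []
    for line in field_lines:
        if line[:1] in (" ", "\t"):
            # obs-fold: SP or HTAB at line start continues the previous field-value.
            if not fields:
                raise BadRequest("whitespace between start-line and first header field")
            if policy == "reject":
                raise BadRequest("obsolete line folding is unacceptable")
            name, value = fields[-1]
            fields[-1] = (name, (value + " " + line.strip(" \t")).strip())
            continue
        name, colon, value = line.partition(":")
        if not colon or not TOKEN.match(name):
            raise BadRequest("malformed header field: %r" % line)
        fields.append((name, value.strip(" \t")))
    return start_line, fields


def handle_header_section(raw: bytes, policy: str) -> Tuple[int, Union[str, Fields]]:
    """Return (400, reason) when the section is rejected, else (200, fields)."""
    try:
        _start, fields = parse_header_section(raw, policy)
    except BadRequest as exc:
        return 400, str(exc)
    return 200, fields


def bad_request_response(reason: str) -> bytes:
    """A 400 whose body explains the problem, as the RFC recommends."""
    body = (reason + "\r\n").encode("iso-8859-1")
    return (
        b"HTTP/1.1 400 Bad Request\r\n"
        b"Content-Type: text/plain; charset=iso-8859-1\r\n"
        + ("Content-Length: %d\r\n" % len(body)).encode("ascii")
        + b"Connection: close\r\n\r\n"
        + body
    )


# The folded TRACE request quoted in Joakim's message; the two lines that
# start with a space are the obs-fold continuation of X-Foo.
FOLDED_REQUEST = (
    b"TRACE / HTTP/1.1\r\n"
    b"Connection: keep-alive\r\n"
    b"Host: www.company.com\r\n"
    b"Via: 1.1 bogusproxy\r\n"
    b"X-Foo: Value1,\r\n"
    b" Value2,\r\n"
    b" Value3\r\n"
    b"X-Forwarded-For: 111.69.185.59, 111.69.5.234\r\n"
    b"\r\n"
)

# The same request with X-Foo sent on one line, as RFC 7230 requires of senders.
UNFOLDED_REQUEST = FOLDED_REQUEST.replace(b",\r\n ", b", ")

if __name__ == "__main__":
    for policy in ("reject", "unfold"):
        status, detail = handle_header_section(FOLDED_REQUEST, policy)
        print(policy, status, detail if status == 400 else dict(detail)["X-Foo"])
    print(bad_request_response("obsolete line folding is unacceptable").decode("iso-8859-1"))
```

Under `unfold` the folded and unfolded requests parse to the same `X-Foo` value, which is the property that keeps Lothar's existing peers working; under `reject` only the unfolded one gets through. Whitespace before the first header field and whitespace between a field-name and its colon are rejected under both policies, since the RFC gives no unfold option for those.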
