Re: svn commit: r1768036 - in /httpd/httpd/branches/2.4.x-merge-http-strict: ./ CHANGES include/ap_mmn.h include/http_core.h include/httpd.h modules/http/http_filters.c server/core.c server/protocol.c

2016-11-17 Thread William A Rowe Jr
On Nov 16, 2016 20:29, "Jacob Champion" wrote: > > On 11/16/2016 05:01 AM, William A Rowe Jr wrote: >> >> We need to tolerate their presence. But we should ignore the guidance that >> sf originally quoted, that the URI host supersedes the Host header, it does >> not, they

Re: svn commit: r1768036 - in /httpd/httpd/branches/2.4.x-merge-http-strict: ./ CHANGES include/ap_mmn.h include/http_core.h include/httpd.h modules/http/http_filters.c server/core.c server/protocol.c

2016-11-16 Thread Jacob Champion
On 11/16/2016 04:32 AM, Ruediger Pluem wrote: (but what has precedence in this case host or request) The "effective request URI", as defined by Section 5.5, seems to be pretty clear that if the request-target is absolute, the Host header is irrelevant: If the request-target is in

Re: svn commit: r1768036 - in /httpd/httpd/branches/2.4.x-merge-http-strict: ./ CHANGES include/ap_mmn.h include/http_core.h include/httpd.h modules/http/http_filters.c server/core.c server/protocol.c

2016-11-16 Thread Jacob Champion
On 11/16/2016 05:01 AM, William A Rowe Jr wrote: We need to tolerate their presence. But we should ignore the guidance that sf originally quoted, that the URI host supersedes the Host header, it does not, they are two different entities in the proxy case The "different entities" interpretation

Re: svn commit: r1768036 - in /httpd/httpd/branches/2.4.x-merge-http-strict: ./ CHANGES include/ap_mmn.h include/http_core.h include/httpd.h modules/http/http_filters.c server/core.c server/protocol.c

2016-11-16 Thread William A Rowe Jr
On Wed, Nov 16, 2016 at 1:32 PM, Ruediger Pluem wrote: > > On 11/16/2016 01:08 PM, William A Rowe Jr wrote: > > > > Here's why I think the whole logic is busted and the preserve > r->hostname is > > the right thing to do for the outer request (not a child/client request > to

Re: svn commit: r1768036 - in /httpd/httpd/branches/2.4.x-merge-http-strict: ./ CHANGES include/ap_mmn.h include/http_core.h include/httpd.h modules/http/http_filters.c server/core.c server/protocol.c

2016-11-16 Thread Ruediger Pluem
On 11/16/2016 01:08 PM, William A Rowe Jr wrote: > On Tue, Nov 8, 2016 at 1:39 PM, Ruediger Pluem > wrote: > > > On 11/04/2016 03:20 PM, wr...@apache.org wrote: > > Author: wrowe > > Date: Fri Nov 4 14:20:16

Re: svn commit: r1768036 - in /httpd/httpd/branches/2.4.x-merge-http-strict: ./ CHANGES include/ap_mmn.h include/http_core.h include/httpd.h modules/http/http_filters.c server/core.c server/protocol.c

2016-11-16 Thread William A Rowe Jr
On Tue, Nov 8, 2016 at 1:39 PM, Ruediger Pluem wrote: > > On 11/04/2016 03:20 PM, wr...@apache.org wrote: > > Author: wrowe > > Date: Fri Nov 4 14:20:16 2016 > > New Revision: 1768036 > > > > URL: http://svn.apache.org/viewvc?rev=1768036&view=rev > > Log: > > Add an option to

Re: svn commit: r1768036 - in /httpd/httpd/branches/2.4.x-merge-http-strict: ./ CHANGES include/ap_mmn.h include/http_core.h include/httpd.h modules/http/http_filters.c server/core.c server/protocol.c

2016-11-08 Thread Ruediger Pluem
On 11/04/2016 03:20 PM, wr...@apache.org wrote: > Author: wrowe > Date: Fri Nov 4 14:20:16 2016 > New Revision: 1768036 > > URL: http://svn.apache.org/viewvc?rev=1768036&view=rev > Log: > Add an option to enforce stricter HTTP conformance > > This is a first stab, the checks will likely have to be

Re: svn commit: r1768036 - in /httpd/httpd/branches/2.4.x-merge-http-strict: ./ CHANGES include/ap_mmn.h include/http_core.h include/httpd.h modules/http/http_filters.c server/core.c server/protocol.c

2016-11-04 Thread William A Rowe Jr
On Fri, Nov 4, 2016 at 12:46 PM, Jacob Champion wrote: > [spec discussion] > > On 11/04/2016 09:40 AM, William A Rowe Jr wrote: > >> On Fri, Nov 4, 2016 at 9:47 AM, Eric Covener > > wrote: >> >>> There is even an example with no

Re: svn commit: r1768036 - in /httpd/httpd/branches/2.4.x-merge-http-strict: ./ CHANGES include/ap_mmn.h include/http_core.h include/httpd.h modules/http/http_filters.c server/core.c server/protocol.c

2016-11-04 Thread Jacob Champion
[spec discussion] On 11/04/2016 09:40 AM, William A Rowe Jr wrote: On Fri, Nov 4, 2016 at 9:47 AM, Eric Covener wrote: There is even an example with no scheme: Location: /People.html#tim Not valid as a request (fragment not allowed)

Re: svn commit: r1768036 - in /httpd/httpd/branches/2.4.x-merge-http-strict: ./ CHANGES include/ap_mmn.h include/http_core.h include/httpd.h modules/http/http_filters.c server/core.c server/protocol.c

2016-11-04 Thread William A Rowe Jr
On Fri, Nov 4, 2016 at 11:40 AM, William A Rowe Jr wrote: > > Give me about 24 hours to complete all this work, end of day today > is my most optimistic timetable. Then we can discuss the resulting > delta as a single unit/backport vote. Because of a huge number of >

Re: svn commit: r1768036 - in /httpd/httpd/branches/2.4.x-merge-http-strict: ./ CHANGES include/ap_mmn.h include/http_core.h include/httpd.h modules/http/http_filters.c server/core.c server/protocol.c

2016-11-04 Thread William A Rowe Jr
On Fri, Nov 4, 2016 at 9:47 AM, Eric Covener wrote: > On Fri, Nov 4, 2016 at 10:20 AM, wrote: > > * that the Location response header (if present) has a valid scheme and > is > >absolute > > Too strict? > >

Re: svn commit: r1768036 - in /httpd/httpd/branches/2.4.x-merge-http-strict: ./ CHANGES include/ap_mmn.h include/http_core.h include/httpd.h modules/http/http_filters.c server/core.c server/protocol.c

2016-11-04 Thread Nick Kew
On Fri, 2016-11-04 at 10:47 -0400, Eric Covener wrote: > Too strict? Be conservative in what you send. An Absolute URL is never going to be the wrong thing to send. > https://tools.ietf.org/html/rfc7231#section-7.1.2 Another change from the HTTP RFCs we learned, where Location MUST be

Re: svn commit: r1768036 - in /httpd/httpd/branches/2.4.x-merge-http-strict: ./ CHANGES include/ap_mmn.h include/http_core.h include/httpd.h modules/http/http_filters.c server/core.c server/protocol.c

2016-11-04 Thread Eric Covener
On Fri, Nov 4, 2016 at 10:20 AM, wrote: > * that the Location response header (if present) has a valid scheme and is >absolute Too strict? https://tools.ietf.org/html/rfc7231#section-7.1.2 The "Location" header field is used in some responses to refer to a