
Re: why does latest jessie apache2 reject _ in http request path?



On Wed, Mar 08, 2017 at 11:34:54AM +0200, Juha Heinanen wrote:
> tomas@tuxteam.de writes:
> 
> > Note the underscored parts. You are talking about (path) segments.

[...]

> Thanks for your answer.  The request below works over TLS in apache2
> 2.4.10-10+deb8u7, but fails in 2.4.10-10+deb8u8 unless I turn on
> 
> #HttpProtocolOptions unsafe
> 
> There is crlf after each line and there are no tabs.
> 
> I can't figure out what is wrong with it.
> 
> -- Juha
> 
> ########
> T 2017/03/08 11:28:05.427711 127.0.0.1:49612 -> 127.0.0.1:80 [AP]
> POST /manager/xml-rpc-server.php HTTP/1.1.
> Host: 127.0.0.1.
> Connection: close.
> Content-Type: text/xml.
> Content-Length: 841.

Hm. I haven't the resources to track down everything, but I'd try first
changing the host to localhost (although rfc3986 explicitly allows a
"naked" ipv4 address as host part). A quick and brainless search points
to Debian bug 849082 [1], which mentions rfc7230 as reference (this seems
at first glance to refer back to 3986 and to *still* allow naked ipv4
addresses as host part, though).

Keep us updated :-)

regards

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849082
-- t
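
As an added example (not part of the original message, and not Apache's own parser): a small checker for the RFC 7230 request-line and header grammar and the RFC 3986 host grammar mentioned above, run on the request head reconstructed from the quoted capture. It assumes the trailing "." on each captured line is the CR of a CRLF; `lint_request_head` and the other names are hypothetical.

```python
import re

# Grammar pieces from RFC 7230 (message syntax) and RFC 3986 (URI syntax).
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
PCHAR = r"(?:[A-Za-z0-9\-._~!$&'()*+,;=:@]|%[0-9A-Fa-f]{2})"
ORIGIN_FORM = rf"(?:/{PCHAR}*)+(?:\?(?:{PCHAR}|[/?])*)?"
REQUEST_LINE = re.compile(rf"{TOKEN} {ORIGIN_FORM} HTTP/\d\.\d")
HEADER = re.compile(rf"({TOKEN}):[ \t]*([\t\x20-\x7e\x80-\xff]*?)[ \t]*")
OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
IPV4 = rf"{OCTET}(?:\.{OCTET}){{3}}"
REG_NAME = r"(?:[A-Za-z0-9\-._~!$&'()*+,;=]|%[0-9A-Fa-f]{2})*"
# IP-literal is only approximated here (bracketed hex digits, ':' and '.').
HOST = re.compile(rf"(?:{IPV4}|\[[0-9A-Fa-f:.]+\]|{REG_NAME})(?::\d*)?")


def lint_request_head(raw: bytes) -> list:
    """Return the grammar violations found in a raw HTTP/1.1 request head."""
    problems = []
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        problems.append("head is not terminated by an empty CRLF line")
    lines = head.decode("latin-1").split("\r\n")
    if not REQUEST_LINE.fullmatch(lines[0]):
        problems.append("line 1: not 'method SP origin-form SP HTTP-version'")
    hosts = []
    for n, line in enumerate(lines[1:], 2):
        if "\r" in line or "\n" in line:
            problems.append(f"line {n}: bare CR or LF instead of CRLF")
        elif line[:1] in (" ", "\t"):
            problems.append(f"line {n}: obsolete line folding")
        elif not (m := HEADER.fullmatch(line)):
            problems.append(f"line {n}: not 'field-name \":\" OWS value'")
        elif m.group(1).lower() == "host":
            hosts.append(m.group(2))
    if len(hosts) != 1:
        problems.append(f"expected exactly one Host header, found {len(hosts)}")
    elif not HOST.fullmatch(hosts[0]):
        problems.append(f"Host value {hosts[0]!r} is not uri-host [':' port]")
    return problems


# Constructed from the capture quoted above (body omitted, CRLF line endings).
SAMPLE = (b"POST /manager/xml-rpc-server.php HTTP/1.1\r\n"
          b"Host: 127.0.0.1\r\n"
          b"Connection: close\r\n"
          b"Content-Type: text/xml\r\n"
          b"Content-Length: 841\r\n\r\n")

if __name__ == "__main__":
    print(lint_request_head(SAMPLE) or "no grammar violations found")
```

An empty result for the sample only shows that the visible head, including the bare IPv4 Host value, fits the RFC grammar; it says nothing about which further checks a particular Apache build applies.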

