[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#849082: libapache2-mod-perl2: FTBFS: test failures with Apache 2.4.25

On Friday, 23 December 2016 18:56:54 CET Niko Tyni wrote:
> This passage in RFC 7230, section 9.4., seems relevant:
>    A more effective mitigation is to prevent anything other than the
>    server's core protocol libraries from sending a CR or LF within the
>    header section, which means restricting the output of header fields to
>    APIs that filter for bad octets and not allowing application servers
>    to write directly to the protocol stream.
> I would expect mod_perl to be classified as a 'core protocol library' in
> this sense, but I have no idea yet if it's just doing something wrong.
> Patch attached to revert to the old "unsafe" behaviour in the virtual
> host specific to this test.

The problem is that the injected header lines only have a LF and no CR. I  
suggest the attached patch.

rfc7230 3.5 says:

  Although the line terminator for the start-line and header fields is
   the sequence CRLF, a recipient MAY recognize a single LF as a line
   terminator and ignore any preceding CR.

Apache with strict enabled chooses not to implement the MAY. I am not 100% 
sure that this is a good idea, but that is a  different question. In any case, 
mod_perl's test should send a compliant HTTP request.

--- ./t/filter/TestFilter/in_bbs_inject_header.pm.orig	2016-10-27 22:11:16.000000000 +0200
+++ ./t/filter/TestFilter/in_bbs_inject_header.pm	2016-12-24 06:55:19.049606491 +0100
@@ -181,7 +181,7 @@
         if ($data and $data =~ /^POST/) {
             # demonstrate how to add a header while processing other headers
-            my $header = "$header1_key: $header1_val\n";
+            my $header = "$header1_key: $header1_val\r\n";
             push @{ $ctx->{buckets} }, APR::Bucket->new($c->bucket_alloc, $header);
             debug "queued header [$header]";
@@ -199,7 +199,7 @@
             # we hit the headers and body separator, which is a good
             # time to add extra headers:
             for my $key (keys %headers) {
-                my $header = "$key: $headers{$key}\n";
+                my $header = "$key: $headers{$key}\r\n";
                 push @{ $ctx->{buckets} }, APR::Bucket->new($c->bucket_alloc, $header);
                 debug "queued header [$header]";

Reply to: