
Re: Bug#849082: libapache2-mod-perl2: FTBFS: test failures with Apache 2.4.25



On Friday, 23 December 2016 18:56:54 CET Niko Tyni wrote:
> This passage in RFC 7230, section 9.4., seems relevant:
> 
>    A more effective mitigation is to prevent anything other than the
>    server's core protocol libraries from sending a CR or LF within the
>    header section, which means restricting the output of header fields to
>    APIs that filter for bad octets and not allowing application servers
>    to write directly to the protocol stream.
> 
> I would expect mod_perl to be classified as a 'core protocol library' in
> this sense, but I have no idea yet if it's just doing something wrong.
> 
> Patch attached to revert to the old "unsafe" behaviour in the virtual
> host specific to this test.


The problem is that the injected header lines only have a LF and no CR. I
suggest the attached patch.

RFC 7230 3.5 says:

   Although the line terminator for the start-line and header fields is
   the sequence CRLF, a recipient MAY recognize a single LF as a line
   terminator and ignore any preceding CR.

Apache with strict enabled chooses not to implement the MAY. I am not 100%
sure that this is a good idea, but that is a different question. In any case,
mod_perl's test should send a compliant HTTP request.

Cheers,
Stefan
--- ./t/filter/TestFilter/in_bbs_inject_header.pm.orig	2016-10-27 22:11:16.000000000 +0200
+++ ./t/filter/TestFilter/in_bbs_inject_header.pm	2016-12-24 06:55:19.049606491 +0100
@@ -181,7 +181,7 @@
 
         if ($data and $data =~ /^POST/) {
             # demonstrate how to add a header while processing other headers
-            my $header = "$header1_key: $header1_val\n";
+            my $header = "$header1_key: $header1_val\r\n";
             push @{ $ctx->{buckets} }, APR::Bucket->new($c->bucket_alloc, $header);
             debug "queued header [$header]";
         }
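
Review bot: In the POST branch, the new "\r\n" terminator in the $header assignment relies on Perl's \r and \n escapes mapping to octets 13 and 10. perlport recommends the explicit form "\015\012" for data that goes on the wire, so that spelling is the safer one here. The following debug "queued header [$header]" line will now also write a raw CR and LF into the debug output; logging $header1_key and $header1_val instead would keep each debug record on one line.
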
@@ -199,7 +199,7 @@
             # we hit the headers and body separator, which is a good
             # time to add extra headers:
             for my $key (keys %headers) {
-                my $header = "$key: $headers{$key}\n";
+                my $header = "$key: $headers{$key}\r\n";
                 push @{ $ctx->{buckets} }, APR::Bucket->new($c->bucket_alloc, $header);
                 debug "queued header [$header]";
             }
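
Review bot: The loop over %headers repeats the same literal terminator as the POST branch, so the two injection sites can drift apart again; one shared constant holding the terminator, used in both $header assignments, would keep them consistent. The "good time to add extra headers" comment could also state that each queued line must end in CRLF, since that requirement is the reason for this change and nothing in the code records it.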
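
The strict-versus-lenient distinction from RFC 7230 3.5 that the reply above turns on, as an added example that is not part of the original message or of Apache or mod_perl: a small splitter run over a constructed request whose injected header line ends in a bare LF. The header name, the sample request and the function name split_head are assumptions made for illustration.

```python
# Added example: header-section line splitting with and without the
# RFC 7230 section 3.5 leniency. A sketch, not Apache's parser.

# Constructed sample: a POST whose injected header line ends in a bare LF,
# like the test filter's output before the patch (header name is made up).
SAMPLE_BARE_LF = (
    b"POST /x HTTP/1.1\r\n"
    b"X-Injected: 1\n"
    b"Host: localhost\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
# The same request with the injected line terminated by CRLF (after the patch).
SAMPLE_CRLF = SAMPLE_BARE_LF.replace(b"X-Injected: 1\n", b"X-Injected: 1\r\n")


def split_head(raw, strict=True):
    """Return the start-line and header lines of raw, without terminators.

    strict=True:  only CRLF ends a line; a bare LF raises ValueError.
    strict=False: a single LF also ends a line (the MAY in section 3.5).
    A CR not followed by LF is rejected in both modes (a choice made here).
    """
    lines, start, i = [], 0, 0
    while i < len(raw):
        if raw[i:i + 2] == b"\r\n":
            end, nxt = i, i + 2
        elif raw[i:i + 1] == b"\n" and not strict:
            end, nxt = i, i + 1
        elif raw[i:i + 1] in (b"\n", b"\r"):
            kind = "bare LF" if raw[i:i + 1] == b"\n" else "bare CR"
            raise ValueError(f"{kind} at offset {i}")
        else:
            i += 1
            continue
        if end == start:  # empty line: end of the header section
            return lines
        lines.append(raw[start:end])
        start = i = nxt
    raise ValueError("header section not terminated")


if __name__ == "__main__":
    print(split_head(SAMPLE_CRLF))                   # accepted in strict mode
    print(split_head(SAMPLE_BARE_LF, strict=False))  # accepted when lenient
    try:
        split_head(SAMPLE_BARE_LF)                   # strict: rejected
    except ValueError as err:
        print("rejected:", err)
```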
