Re: why does latest jessie apache2 reject _ in http request path?
Juha Heinanen writes:
> Thanks for your answer. The request below works over TLS in apache2
> 2.4.10-10+deb8u7, but fails in 2.4.10-10+deb8u8 unless I turn on
>
> #HttpProtocolOptions unsafe
>
> There is crlf after each line and there are no tabs.
>
> I can't figure out what is wrong with it.
Now when I compare HTTP version of the client to HTTPS version, I see
difference. The client is written in PHP and if HTTP is used, the
request is set like this:
$headers =
"POST $location HTTP/1.1\r\n" .
"Host: $site\r\n" .
"Connection: close\r\n" .
"Content-Type: text/xml\r\n" .
"Content-Length: " . strlen($data) . "\r\n\r\n";
But if HTTPS is used, the request is set like this:
curl_setopt($curl, CURLOPT_HTTPHEADER,
array('Content-Type: text/xml',
'POST $location HTTP/1.1',
'Host: $site',
'Connection: close',
'Content-Type: text/xml',
'Content-Length: ' . strlen($data)));
Perhaps curl_setops() does not properly add crlf after each header line?
I'll investigate.
-- Juha
Reply to: