Re: Can a space after HTTP/1.1 be allowed?

 



On 8/11/2012 1:53 a.m., Ralf Hildebrandt wrote:
> A broken application sends this request to our Squid-3.1.21:
>
> "CONNECT gateway.push.apple.com:2195 HTTP/1.1"
> (note the trailing space!)
>
> which results in "HTTP/1.0 400 Bad Request"
>
> And indeed:
> http://www.w3.org/Protocols/rfc2616/rfc2616-sec5.html#sec5.1
> together with
> http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.1
> clearly define that there must be a CRLF after the HTTP Version, no
> spaces are allowed.

Exactly. The reasons are not well documented in RFC 2616, but see:
 http://tools.ietf.org/html/draft-ietf-httpbis-p1-messaging-21#section-3.1.1

"

   Unfortunately, some user agents fail to properly encode hypertext
   references that have embedded whitespace, sending the characters
   directly instead of properly percent-encoding the disallowed
   characters.  Recipients of an invalid request-line SHOULD respond
   with either a 400 (Bad Request) error or a 301 (Moved Permanently)
   redirect with the request-target properly encoded.  Recipients SHOULD
   NOT attempt to autocorrect and then process the request without a
   redirect, since the invalid request-line might be deliberately
   crafted to bypass security filters along the request chain.
"


Squid is following the first option. There are two types of broken clients.

The mandatory response is a "400 Bad Request" as you see.

Essentially there are two types of broken clients. Squid is tolerant of the more common form of breakage (whitespace in URL field) but that prohibits us from tolerating the rarer cases of whitespace in the method and version fields.


> Still, it's easier to have a workaround in squid than to get a big,
> three letter company to fix their software.

Do name them please. Or at least the broken agent you uncovered. The HTTPbis WG has an interest in what software is violating HTTP and has a little extra pressure to add towards its fix. Most of the big-name companies of today have been involved in writing that text about request-line anyway and can be expected to follow the agreed standard.

> Is there a way for me to relax that particular check?


No. Sorry. See above.

I am trying to get some better smarts into Squid on non-GET methods like this. But it has turned out to be trickier than one would think.

Amos
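
Added example (not part of the original message and not Squid's code): a Python sketch of why tolerating whitespace in the URL field rules out tolerating a space after the version. It assumes a parser that takes the first space as the end of the method and the last space as the start of the version; `parse_request_line` and the sample lines are constructed for illustration.

```python
import re

# HTTP-version per RFC 2616 section 3.1: "HTTP" "/" 1*DIGIT "." 1*DIGIT
VERSION_RE = re.compile(r"HTTP/[0-9]+\.[0-9]+")
# Method is a token; these are the RFC token characters.
METHOD_RE = re.compile(r"[A-Za-z0-9!#$%&'*+.^_`|~-]+")

REJECT = (400, None, None, None)


def parse_request_line(raw: bytes):
    """Return (status, method, target, version); status is 200 or 400.

    Whitespace inside the request-target is tolerated by anchoring on the
    FIRST space (end of method) and the LAST space (start of version).
    With those anchors, a space after the version leaves the version field
    empty, so the line cannot be accepted without guessing (autocorrecting).
    """
    if not raw.endswith(b"\r\n"):
        return REJECT
    line = raw[:-2].decode("latin-1")
    first, last = line.find(" "), line.rfind(" ")
    if first <= 0 or last <= first:
        return REJECT  # leading space, or fewer than three fields
    method, target, version = line[:first], line[first + 1:last], line[last + 1:]
    if not METHOD_RE.fullmatch(method) or not target.strip():
        return REJECT
    if not VERSION_RE.fullmatch(version):
        return REJECT  # trailing space lands here: version == ""
    return (200, method, target, version)


# Constructed sample request-lines.
SAMPLES = {
    "well-formed": b"CONNECT gateway.push.apple.com:2195 HTTP/1.1\r\n",
    "space in URL": b"GET http://example.com/a b.html HTTP/1.1\r\n",
    "space after version": b"CONNECT gateway.push.apple.com:2195 HTTP/1.1 \r\n",
    "space before method": b" GET / HTTP/1.1\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:22} -> {parse_request_line(raw)[0]}")
```
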


