Bug 1420104 - request contains solely FL on the end of the lines triggers bad request
Summary: request contains solely FL on the end of the lines triggers bad request
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: httpd
Version: 6.9
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: rc
: ---
Assignee: Luboš Uhliarik ✈
QA Contact: BaseOS QE - Apps
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-02-07 20:22 UTC by Jan Houska
Modified: 2019-02-15 15:55 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-02-07 20:39:05 UTC
Target Upstream Version:


Attachments (Terms of Use)

Description Jan Houska 2017-02-07 20:22:51 UTC
Description of problem:
Previous httpd version accepted requests with only FL on the end of the lines, not mentioned in specification. The current version is now following the specification too tight. The response is now Bad Request, unlike accepted. 


Version-Release number of selected component (if applicable):
httpd-2.2.15-60.el6


How reproducible:
always

Steps to Reproduce:
1. create request containing "\n" not "\r\n" as end line mark. 
2. send the request to the httpd


Actual results:
Server is responding:
HTTP/1.1 400 Bad Request



Expected results:
Connection passing. Server response is sane...

Additional info:
Mentioned behaviour is a regression in behaviour. We assume that keeping the specification too tight now will generate too much problems to the customers.

Comment 1 Joe Orton 2017-02-07 20:39:05 UTC
Being relaxed in what is accepted here is a vulnerability, CVE-2016-8743, and hence that is being changed by default.

The option:

   HttpProtocolOptions unsafe 

has been added, which can be used to restore the old behaviour.

http://httpd.apache.org/docs/2.4/mod/core.html#httpprotocoloptions

Comment 2 Jan Houska 2019-02-15 15:55:38 UTC
Explanation is sufficient.


Note You need to log in before you can comment on or make changes to this bug.