Bug 1420104 - request contains solely FL on the end of the lines triggers bad request
Summary: request contains solely FL on the end of the lines triggers bad request
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: httpd
Version: 6.9
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: Luboš Uhliarik
QA Contact: BaseOS QE - Apps
Depends On:
TreeView+ depends on / blocked
Reported: 2017-02-07 20:22 UTC by Jan Houska
Modified: 2019-02-15 15:55 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2017-02-07 20:39:05 UTC
Target Upstream Version:

Attachments (Terms of Use)

Description Jan Houska 2017-02-07 20:22:51 UTC
Description of problem:
Previous httpd version accepted requests with only FL on the end of the lines, not mentioned in specification. The current version is now following the specification too tight. The response is now Bad Request, unlike accepted. 

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. create request containing "\n" not "\r\n" as end line mark. 
2. send the request to the httpd

Actual results:
Server is responding:
HTTP/1.1 400 Bad Request

Expected results:
Connection passing. Server response is sane...

Additional info:
Mentioned behaviour is a regression in behaviour. We assume that keeping the specification too tight now will generate too much problems to the customers.

Comment 1 Joe Orton 2017-02-07 20:39:05 UTC
Being relaxed in what is accepted here is a vulnerability, CVE-2016-8743, and hence that is being changed by default.

The option:

   HttpProtocolOptions unsafe 

has been added, which can be used to restore the old behaviour.


Comment 2 Jan Houska 2019-02-15 15:55:38 UTC
Explanation is sufficient.

Note You need to log in before you can comment on or make changes to this bug.