On Friday, 23 December 2016 18:56:54 CET Niko Tyni wrote:
> This passage in RFC 7230, section 9.4., seems relevant:
>
> A more effective mitigation is to prevent anything other than the
> server's core protocol libraries from sending a CR or LF within the
> header section, which means restricting the output of header fields to
> APIs that filter for bad octets and not allowing application servers
> to write directly to the protocol stream.
>
> I would expect mod_perl to be classified as a 'core protocol library' in
> this sense, but I have no idea yet if it's just doing something wrong.
>
> Patch attached to revert to the old "unsafe" behaviour in the virtual
> host specific to this test.

The problem is that the injected header lines only have a LF and no CR. I
suggest the attached patch.

rfc7230 3.5 says:

   Although the line terminator for the start-line and header fields is
   the sequence CRLF, a recipient MAY recognize a single LF as a line
   terminator and ignore any preceding CR.

Apache with strict enabled chooses not to implement the MAY. I am not 100%
sure that this is a good idea, but that is a different question. In any case,
mod_perl's test should send a compliant HTTP request.

Cheers,
Stefan

--- ./t/filter/TestFilter/in_bbs_inject_header.pm.orig 2016-10-27 22:11:16.000000000 +0200
+++ ./t/filter/TestFilter/in_bbs_inject_header.pm 2016-12-24 06:55:19.049606491 +0100
@@ -181,7 +181,7 @@
if ($data and $data =~ /^POST/) {
# demonstrate how to add a header while processing other headers
- my $header = "$header1_key: $header1_val\n";
+ my $header = "$header1_key: $header1_val\r\n";
push @{ $ctx->{buckets} }, APR::Bucket->new($c->bucket_alloc, $header);
debug "queued header [$header]";
}
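Review bot: the changed line `my $header = "$header1_key: $header1_val\r\n";` carries no comment on why the terminator has to be CRLF, and the comment above it only says "demonstrate how to add a header". This filter is written as a demonstration, so a one-line note that a strict server does not accept a bare LF as a header line terminator (RFC 7230 section 3.5) would keep a later reader from shortening it back to "\n".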
@@ -199,7 +199,7 @@
# we hit the headers and body separator, which is a good
# time to add extra headers:
for my $key (keys %headers) {
- my $header = "$key: $headers{$key}\n";
+ my $header = "$key: $headers{$key}\r\n";
push @{ $ctx->{buckets} }, APR::Bucket->new($c->bucket_alloc, $header);
debug "queued header [$header]";
}
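Review bot: the header line inside the `for my $key (keys %headers)` loop is now built the same way as in the POST branch of the previous hunk, with the "\r\n" terminator spelled out a second time. Defining the terminator once, as a constant or a small helper that formats "key: value" plus CRLF, would keep the two sites from drifting apart again. `$headers{$key}` is also interpolated as-is, so a comment that the values must not contain CR or LF would fit here.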