Hello Graham,

GL> I overhauled mod_headers for Apache v2.0, so I am pretty confident it is
GL> a bug. I will look at it sometime this weekend.

I agree with you that breaking multiple lines with CRLF and adding HT to the following line will fix the bug of potentially building illegal headers from environment variables.

>> You have to do both in any case. The check itself causes the performance
>> penalty.

GL> Looking at RFC2616, I don't see any reference to a character set
GL> restriction in the headers (but I may have missed it). RFC2616 describes
GL> the field-content of a header as:
GL> <the OCTETs making up the field-value
GL> and consisting of either *TEXT or combinations
GL> of token, separators, and quoted-string>
GL> It goes on to say that leading and trailing whitespace is ignored, and
GL> whitespace interspersed in the header may be replaced with a single
GL> space character, but other than that there is no mention of any
GL> character set restrictions.

Putting arbitrary 8bit characters into headers makes me feel a bit uneasy but I couldn't find a quote that this is forbidden.

What do you think about my proposal to add the "E" option with the described behavior to the Header and RequestHeader directive? Keeping in mind that HTTP 1.0 still warns:

> However, folding of header lines is not expected by some
> applications, and should not be generated by HTTP/1.0 applications.

I would be happy to see my proposal making its way in the Apache standard.

--
Best regards,
Maik
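
The folding discussed in this message, as an added example that is not part of the original mail and is not mod_headers code: each line break in a value taken from an environment variable becomes CRLF followed by HT, so the value cannot start a new header line. The function name `fold_header_value`, the choice to reject other control characters, and the sample value are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (assumption, not Apache source).
 * Copies `in` to `out`, turning every run of CR/LF into one CRLF HT fold.
 * Line breaks before the first or after the last content octet are dropped,
 * so the value never begins or ends with a fold. Control characters other
 * than HT are rejected; octets >= 0x80 are passed through unchanged.
 * Returns the output length, or -1 on a rejected octet or a short buffer. */
long fold_header_value(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    int pending_fold = 0;               /* line break seen, fold not yet written */

    if (outsz == 0) return -1;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        if (*p == '\r' || *p == '\n') {
            if (n > 0) pending_fold = 1; /* ignore breaks before any content */
            continue;
        }
        if ((*p < 0x20 && *p != '\t') || *p == 0x7f)
            return -1;                  /* control character: refuse the value */
        if (pending_fold) {
            if (n + 3 >= outsz) return -1;
            out[n++] = '\r'; out[n++] = '\n'; out[n++] = '\t';
            pending_fold = 0;
        }
        if (n + 1 >= outsz) return -1;  /* keep room for the terminating NUL */
        out[n++] = (char)*p;
    }
    out[n] = '\0';
    return (long)n;
}

int main(void)
{
    /* Constructed sample: a multi-line value as it might sit in an env var. */
    const char *env_value = "first line\nX-Injected: yes\r\n\r\nlast line\n";
    char buf[128];
    long len = fold_header_value(env_value, buf, sizeof buf);
    printf("input %zu bytes -> folded %ld bytes\n", strlen(env_value), len);
    return len < 0;
}
```

In the sample, `X-Injected: yes` ends up on a continuation line that begins with HT, so a receiver reads it as part of the same field value and not as a separate header.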
