Just FWIW, this still is not fixed for the legacy header parser. It *is* now fixed for the HTTP Request Line parser. Relaxing the whitespace rule (as we still do by default) only lets 1+ SP/HTAB slip through, and then recomposes with single SP delimiters.
Of the subset \f \r \v \n I can't think of any possible application. Whitespace of ' ' and \t makes (some) sense in the real world. If anyone has a real-world example of a user-agent which used these legitimately, I'd love a pointer. On Thu, Aug 18, 2016 at 4:34 AM, Plüm, Rüdiger, Vodafone Group < [email protected]> wrote: > +1 > > Regards > > Rüdiger > > > -----Original Message----- > > From: Jacob Champion [mailto:[email protected]] > > Sent: Donnerstag, 4. August 2016 22:35 > > To: [email protected] > > Subject: Re: svn commit: r1754548 - /httpd/httpd/trunk/server/protocol.c > > > > On 08/04/2016 01:11 PM, William A Rowe Jr wrote: > > > At our kindest, we would like to let people keep upgrading on the 2.2 > > > or 2.4 branches of httpd for other fixes, without breaking their > > > deployments. > > > > > > I'm 100% in favor of recognizing-and-rejecting (and terminating the > > > connection) for any obs-fold occurrences on 2.6 / 3.0, if that's the > > > group consensus. > > > > +1 to both. > > > > --Jacob > >
