On Wed, Jan 4, 2017 at 6:57 AM, Yann Ylavic <ylavic....@gmail.com> wrote: > I'm using a (third-party/closed) module which replaces newlines in > header values (like base64 encoded PEMs) with obs-fold. > That's probably obsolete, but not forbidden per se...
Actually, it is, c.f. 3.2.4 of RFC 7230 [...] This specification deprecates such line folding except within the message/http media type (Section 8.3.1). A sender MUST NOT generate a message that includes line folding (i.e., that has any field-value that contains a match to the obs-fold rule) unless the message is intended for packaging within the message/http media type. > How about something like: > > Index: modules/http/http_filters.c > =================================================================== > --- modules/http/http_filters.c (revision 1776920) > +++ modules/http/http_filters.c (working copy) > @@ -701,19 +701,26 @@ static int check_header(void *arg, const char *nam > return 0; > } > > - if (ctx->strict) { > - test = ap_scan_http_token(name); > - } > - else { > - test = ap_scan_vchar_obstext(name); > - } > - if (*test) { > - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, ctx->r, APLOGNO(02429) > - "Response header name '%s' contains invalid " > - "characters, aborting request", > - name); > - return 0; > - } > + test = name; > + do { > + if (ctx->strict) { > + test = ap_scan_http_token(test); > + } > + else { > + test = ap_scan_vchar_obstext(test); > + } > + if (*test) { > + if (test[0] != CR || test[1] != LF || (test[2] != ' ' && > + test[2] != '\t')) { > + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, ctx->r, > APLOGNO(02429) > + "Response header name '%s' contains invalid " > + "characters, aborting request", > + name); > + return 0; > + } > + test += 3; > + } > + } while (*test); > > test = ap_scan_http_field_content(val); > if (*test) { > ? -1. If we accept obs-fold from CGI, or internally within the headers_out, we must replace them with a single SP and conform to the spec on the wire.