On Wed, Jan 4, 2017 at 6:57 AM, Yann Ylavic <[email protected]> wrote:
> I'm using a (third-party/closed) module which replaces newlines in
> header values (like base64 encoded PEMs) with obs-fold.
> That's probably obsolete, but not forbidden per se...
Actually, it is, c.f. 3.2.4 of RFC 7230
[...] This specification deprecates such
line folding except within the message/http media type
(Section 8.3.1). A sender MUST NOT generate a message that includes
line folding (i.e., that has any field-value that contains a match to
the obs-fold rule) unless the message is intended for packaging
within the message/http media type.
> How about something like:
>
> Index: modules/http/http_filters.c
> ===================================================================
> --- modules/http/http_filters.c (revision 1776920)
> +++ modules/http/http_filters.c (working copy)
> @@ -701,19 +701,26 @@ static int check_header(void *arg, const char *nam
> return 0;
> }
>
> - if (ctx->strict) {
> - test = ap_scan_http_token(name);
> - }
> - else {
> - test = ap_scan_vchar_obstext(name);
> - }
> - if (*test) {
> - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, ctx->r, APLOGNO(02429)
> - "Response header name '%s' contains invalid "
> - "characters, aborting request",
> - name);
> - return 0;
> - }
> + test = name;
> + do {
> + if (ctx->strict) {
> + test = ap_scan_http_token(test);
> + }
> + else {
> + test = ap_scan_vchar_obstext(test);
> + }
> + if (*test) {
> + if (test[0] != CR || test[1] != LF || (test[2] != ' ' &&
> + test[2] != '\t')) {
> + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, ctx->r,
> APLOGNO(02429)
> + "Response header name '%s' contains invalid "
> + "characters, aborting request",
> + name);
> + return 0;
> + }
> + test += 3;
> + }
> + } while (*test);
>
> test = ap_scan_http_field_content(val);
> if (*test) {
> ?
-1. If we accept obs-fold from CGI, or internally within the
headers_out, we must
replace them with a single SP and conform to the spec on the wire.
