That would have been a good fix to include, but the release has been
tagged. If it is voted down on some other defects and we roll 2.2.34, I
would concur. But there is no defined single char header, and x- headers
are always 3+ chars by definition. So I don't look at this one as a
showstopper.

From here on out, all defect fixes will be up to the end user to patch, I'm
most concerned about getting a release with the full assortment of security
fixes into users' hands reminding them the branch is EOL now, as we close
the 2.2 chapter.

On Jun 25, 2017 4:56 PM, "Mark Blackman" <m...@exonetric.com> wrote:

>
> On 14 Jun 2017, at 22:12, William A Rowe Jr <wr...@rowe-clan.net> wrote:
>
>
> Thoughts/comments? Patches to hold for before we roll? If I don't hear
> otherwise, and we stick to the simpler alternative, then I'd plan to roll
> these candidates Thursday.
>
>
> Would it be an option to get a fix in for the single-character header bug?
> ( https://bz.apache.org/bugzilla/show_bug.cgi?id=61220 )
>
> If you add
>
> HttpProtocolOptions Unsafe LenientMethods Allow0.9
>
> to a default httpd.conf
>
> single character header lines are rejected with a 400 code.
>
> macmini:httpd-2.2.33 mark$ telnet localhost 8033
> Trying ::1...
> Connected to localhost.
> Escape character is '^]'.
> GET / HTTP/1.1
> Host: foobar
> x: 0
>
> HTTP/1.1 400 Bad Request
> Date: Sun, 25 Jun 2017 21:43:53 GMT
> Server: Apache/2.2.33 (Unix)
> Content-Length: 226
> Connection: close
> Content-Type: text/html; charset=iso-8859-1
>
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> <html><head>
> <title>400 Bad Request</title>
> </head><body>
> <h1>Bad Request</h1>
> <p>Your browser sent a request that this server could not understand.<br />
> </p>
> </body></html>
> Connection closed by foreign host.
>
>
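
Added example, not part of the original thread or of httpd: a Python check that replays the quoted telnet request against a test instance and compares a one-character header name with a longer control header. The function names and the `x-probe` control header are hypothetical; `Connection: close` is added so the server closes the socket after answering.

```python
import socket

def build_request(header_name, header_value="0", host="foobar"):
    """Raw HTTP/1.1 request with one extra header, as in the quoted session."""
    lines = ["GET / HTTP/1.1", f"Host: {host}",
             f"{header_name}: {header_value}",
             "Connection: close",  # not in the quoted session; ends the read loop
             "", ""]
    return "\r\n".join(lines).encode("ascii")

def parse_status(response):
    """Return the integer status code from the first line of a raw response."""
    status_line = response.split(b"\r\n", 1)[0].decode("iso-8859-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1])

def probe(addr, port, header_name, timeout=5.0):
    """Send one request and return the status code the server answered with."""
    with socket.create_connection((addr, port), timeout=timeout) as sock:
        sock.sendall(build_request(header_name))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:  # server closed the connection
                break
            chunks.append(data)
    return parse_status(b"".join(chunks))

def check_single_char_header(addr, port):
    """Report whether only the one-character header name draws a 400."""
    control = probe(addr, port, "x-probe")  # hypothetical control header
    single = probe(addr, port, "x")         # header name from the report
    return {"control": control, "single": single,
            "affected": control != 400 and single == 400}
```

Calling `check_single_char_header("localhost", 8033)` against the instance from the quoted session returns the two status codes and an `affected` flag.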
