Le 18/02/2019 à 23:55, Gregg Smith a écrit :
When setting a header it used to set the header case-sensitive as
configured. Now with 2.4.38 it sets in all lower case. Regression?
Header always set X-Xss-Protection "1; mode=block"
Result;
2.4.37: X-Xss-Protection: 1; mode=block
2.4.38: x-xss-protection: 1; mode=block
If I'm reading the RFC correctly, sensitivity doesn't matter when
parsing the header but the 2.4 docs show it outputting as configured
as 2.4 has been prior to .38.
Cheers
G
Hi,
Everything looks fine to me.
I'm currently working on extending headers.t in order to test things
other than ('set', 'append', 'add', 'unset');
If I add a specific test for 'set', with 2.4.39(dev), I get the
following log:
Header received n°0:
header: X-Xss-Protection
expected: 1; mode=block
received: 1; mode=block
Response received is:
HTTP/1.1 200 OK
Connection: close
Date: Tue, 19 Feb 2019 05:28:56 GMT
Accept-Ranges: bytes
ETag: "0-52169385a8a8a"
Server: Apache/2.4.39-dev (Unix) OpenSSL/1.1.1
Vary: In-If1
Content-Length: 0
Content-Type: text/html
Last-Modified: Tue, 06 Oct 2015 05:51:24 GMT
Client-Date: Tue, 19 Feb 2019 05:28:56 GMT
Client-Peer: 127.0.0.1:8529
Client-Response-Num: 1
DMMATCH1: 1
X-Xss-Protection: 1; mode=block
ok 372
So, the case looks good to me.
If it helps, I can provide the updated headers.t as-is.
It still needs more cases (and probably some perl syntax clean-up ).
I also plan to update the doc, at least about the 'echo' command.
Doc states that in 'echo' command, 'header' MAY be a regular
expression. In fact it IS ALWAYS considered as a regex and "header echo
x" echoes everything that has a 'x'. Should you want only 'x',
apparently you need something like "header echo ^x$".
What do you mean by "the 2.4 docs show it outputting as configured as
2.4 has been prior to .38"?
CJ
