On Tue, Jan 28, 2003 at 02:50:54PM +0000, Matt Sergeant wrote:
> For geoff...
>
> On Tue, 28 Jan 2003, Matt Sergeant wrote:
>
> > Index: src/main/http_protocol.c
> > ===================================================================
> > RCS file: /home/cvs/apache-1.3/src/main/http_protocol.c,v
> > retrieving revision 1.329
> > diff -u -r1.329 http_protocol.c
> > --- src/main/http_protocol.c 3 Oct 2002 20:51:53 -0000 1.329
> > +++ src/main/http_protocol.c 28 Jan 2003 11:26:37 -0000
> > @@ -1561,8 +1561,16 @@
> > const char *fieldname,
> > const char *fieldval)
> > {
> > + char *line_feed;
> > if (strcasecmp(fieldname, "ETag") == 0) {
> > if (ap_table_get(r->notes, "no-etag") != NULL) {
> > + return 1;
> > + }
> > + }
> > + if ((line_feed = strchr(fieldval, '\n')) != NULL) {
>
> If we find a line feed anywhere, then the line_feed variable points to the
> line feed character.
>
> Now headers in RFC terms can have continuations, which means something
> like:
>
> Refresh: 1;
> url=/foo
>
> So basically a continuation is CRLF WS+ ...
>
> So all we have to do is look for whitespace (space or horizontal tab)
> after the line feed. And that's at line_feed[1]. Anything else is invalid.
Thanks for the explanation, I was wondering about it too.
> > + /* don't allow any headers with line feeds in them */
> > + if (line_feed[1] != ' ' && line_feed[1] != '\t') {
> > + /* unless it's a continuation */
> > return 1;
> > }
> > }
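Review bot: the strchr(fieldval, '\n') test only inspects the first line feed in the value, so a value whose first LF is a valid continuation but which has a later LF followed by a non-whitespace character still passes. Repeat the line_feed[1] check for every LF, for example by calling strchr again from line_feed + 1 until it returns NULL. The hunk also never looks for a bare '\r', and line_feed could be declared const char * since fieldval is const and nothing is written through it.
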
Would you consider what I was trying to do in my patch? To just not
discard the header line but rather just terminate when you discover
\n or \r (and not a continuation following).
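
The two approaches discussed in this thread (reject the header, or cut the value at the first line break that is not a continuation), sketched as an added example that is not part of the thread or of the Apache source. The function names are hypothetical, the sample value is constructed, and treating a CR without a following LF as invalid is an assumption of the example.

```c
#include <stdio.h>
#include <string.h>

static int is_lws(char c) { return c == ' ' || c == '\t'; }

/* The check as it appears in the patch: only the first LF is inspected. */
int first_lf_only_ok(const char *val)
{
    const char *lf = strchr(val, '\n');
    return lf == NULL || is_lws(lf[1]);
}

/* Length of the prefix of val that is safe to send: stops at the first
 * CR or LF that does not begin a continuation (line break + SP/HTAB).
 * Assumption of this example: a CR not followed by LF is never valid. */
size_t safe_header_len(const char *val)
{
    size_t i = 0;
    while (val[i] != '\0') {
        if (val[i] == '\r' || val[i] == '\n') {
            size_t brk = i;                 /* index of the LF */
            if (val[i] == '\r') {
                if (val[i + 1] != '\n')
                    return i;               /* bare CR: cut here */
                brk = i + 1;
            }
            if (!is_lws(val[brk + 1]))
                return i;                   /* not a continuation */
            i = brk + 1;                    /* keep the folded break */
        } else {
            i++;
        }
    }
    return i;
}

/* Reject-style check that looks at every line break, not just the first. */
int header_value_ok(const char *val)
{
    return safe_header_len(val) == strlen(val);
}

int main(void)
{
    /* Constructed sample: valid fold first, then a second, invalid LF. */
    const char *v = "a\n b\nX-Injected: 1";
    printf("first-LF check: %d, full scan: %d, safe length: %zu\n",
           first_lf_only_ok(v), header_value_ok(v), safe_header_len(v));
    return 0;
}
```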