Bug #1822

400 Bad Request for ASCII char 9 in header (TAB)

Added by metula about 7 years ago. Updated almost 7 years ago.

Status: Fixed
Start date: 2008-11-17
Priority: High
Due date:
Assignee: -
% Done:
Target version: 1.4.22
Missing in 1.5.x:


We're using Lighty V1.4.20 as a reverse-proxy and have a wide array of clients from Java web-start to various mobile phones.

Today we saw an issue where one of the clients (a Java web-start app) was making a multi-part request with the following Header:

Content-Type: multipart/related; type="text/xml"; start="<6EC65C8AC8AAEB26C7CA25037E6CC792>"; boundary="----=_Part_99_10717046.1226929076094"

Lighty was responding with HTTP code 400 - Bad Request.

What you can't see there is that the semi-colons are followed by TAB characters (ASCII 9). I had a quick look at RFC 2616 which suggests that this is legal (although unnecessary). We have patched the code in request.c line 1023 as follows:

< if (*cur >= 0 && *cur < 32) {

if ( (*cur >= 0 && *cur < 32) && (*cur!=9)) {
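Review bot: the `(*cur!=9)` exemption on the added line takes effect wherever this control-character check runs, and the visible lines do not show that it is limited to header values. RFC 2616 permits HT only as whitespace inside a field value, so the exemption should apply only while a field value is being parsed, not to the field name. Writing the constant as '\t' instead of 9 would also make the intent clear.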

thus allowing char 9 - this is a simplistic fix and may go against the spec in some other way - however - it's working for now!
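As an added example (not lighttpd's code and not part of the original report), here is a minimal C check of one header line against the RFC 2616 character rules referred to above. It goes slightly beyond the reported case: HT is accepted in the field value, while other control characters in the value and any non-token character in the field name are rejected. The function and enum names are hypothetical, and the line is assumed to arrive without its trailing CRLF.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result codes are hypothetical names for this example. */
enum hdr_status { HDR_OK, HDR_NO_COLON, HDR_BAD_NAME, HDR_BAD_VALUE };

/* RFC 2616 token: any CHAR (0-127) except CTLs and separators. */
static int is_token_char(unsigned char c) {
    if (c <= 32 || c >= 127) return 0;   /* CTLs, SP, DEL, non-ASCII */
    return strchr("()<>@,;:\\\"/[]?={}", c) == NULL;
}

/* RFC 2616 field-value octet: TEXT (no CTLs) plus SP and HT as whitespace. */
static int is_value_char(unsigned char c) {
    if (c == '\t') return 1;             /* HT, ASCII 9: the case in this report */
    return c >= 32 && c != 127;          /* reject remaining CTLs and DEL */
}

/* Validate one header line given without its trailing CRLF (assumption). */
enum hdr_status check_header_line(const char *line, size_t len) {
    const char *colon = memchr(line, ':', len);
    size_t i, name_len;

    if (colon == NULL) return HDR_NO_COLON;
    name_len = (size_t)(colon - line);
    if (name_len == 0) return HDR_BAD_NAME;
    for (i = 0; i < name_len; i++)
        if (!is_token_char((unsigned char)line[i])) return HDR_BAD_NAME;
    for (i = name_len + 1; i < len; i++)
        if (!is_value_char((unsigned char)line[i])) return HDR_BAD_VALUE;
    return HDR_OK;
}

int main(void) {
    /* Constructed sample modelled on the reported header: TAB after ';'. */
    const char hdr[] = "Content-Type: multipart/related;\ttype=\"text/xml\"";
    printf("status=%d\n", check_header_line(hdr, sizeof hdr - 1));
    return 0;
}
```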

Associated revisions

Revision 2391
Added by stbuehler almost 7 years ago

Allow tabs in header values (fixes #1822)


#1 Updated by icy almost 7 years ago

  • Target version changed from 1.4.21 to 1.4.22

#2 Updated by stbuehler almost 7 years ago

  • Status changed from New to Fixed
  • % Done changed from 0 to 100

Applied in changeset r2391.
