Content-Length and 400 Bad Request
Added by sfcreate over 15 years ago
Hi,
I've tested on lighttpd 1.4.21 and 1.4.23. We have a 3rd party application that is sending header information to our lighttpd server and generating a 400 Bad Request. I've used telnet to try to replicate the issue and this is what I've found.
server> telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /path/to/script.php HTTP/1.1
host: <removed host>
Content-type: text/html; charset=UTF-8
Content-length: 5
HTTP/1.0 400 Bad Request
Content-Type: text/html
Content-Length: 349
Connection: close
Date: Tue, 18 Aug 2009 16:39:01 GMT
Server: lighttpd
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>400 - Bad Request</title>
</head>
<body>
<h1>400 - Bad Request</h1>
</body>
</html>
Connection closed by foreign host.
If I remove the content-length I get a valid 200 response.
server> telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /path/to/script.php HTTP/1.1
host: <removed host>
Content-type: text/html; charset=UTF-8
HTTP/1.0 200 OK
X-Powered-By: PHP/5.2.6
Content-type: text/html; charset=iso-8859-1
Content-Length: 5
Connection: close
Date: Tue, 18 Aug 2009 16:57:49 GMT
Server: lighttpd
Any idea on what is the correct way to use Content-Length? I've tested on Apache 2.2.9 and the content-length works fine, generating a valid 200 response.
Replies (4)
RE: Content-Length and 400 Bad Request - Added by penma over 15 years ago
It's disabled on purpose. There's no purpose in sending a content length with a GET request because there isn't any data being sent by the client with a GET request anyway. In that sense, the Content-Length header that the app sends is completely bogus anyway, because there is nothing the content length could apply to.
You should probably fix the remote app, or if you cannot do that for some reason, comment the check for bogus headers out for yourself (src/request.c around a line like /* content-length is forbidden for those */)
RE: Content-Length and 400 Bad Request - Added by sfcreate over 15 years ago
Thanks. You are correct. I changed to POST and it worked fine, which is what they will be sending. It looks like it was a different issue altogether though. There's an extra space after POST:
POST /path/to/script.php HTTP/1.1
host: <removed host>
Content-type: text/html; charset=UTF-8
Content-length: 5
that breaks with lighttpd and works with Apache. Don't ask me why they've decided to add an extra space after POST.
RE: Content-Length and 400 Bad Request - Added by penma over 15 years ago
HTTP 1.1 standard says:
The Request-Line begins with a method token, followed by the
Request-URI and the protocol version, and ending with CRLF. The
elements are separated by SP characters. No CR or LF is allowed
except in the final CRLF sequence.Request-Line = Method SP Request-URI SP HTTP-Version CRLF? http://tools.ietf.org/html/rfc2616#section-5.1
Read: it is illegal for a client to put more than one space between the method and the URL, even if Apache happens to allow that.
RE: Content-Length and 400 Bad Request - Added by sfcreate over 15 years ago
Definitely understand. I was just pointing out the difference in case anyone else runs across this issue. Going to try to work with the 3rd party folks. Thanks for the help!