[Solved] Invalid character in URI -> 400 /?a=%09Brooklyn

Added by Olaf-van-der-Spek about 1 year ago

Hi,

Invalid character in URI -> 400 /?a=%09Brooklyn

What's invalid here? The tab (%09) might be weird but it shouldn't be invalid.

V: 1.4.53-4 @ Debian 10


Replies (10)

RE: [Solved] Invalid character in URI -> 400 /?a=%09Brooklyn - Added by gstrauss about 1 year ago

The last two lighttpd releases explicitly highlighted an upcoming behavior change. Do you even read lighttpd's front page? https://www.lighttpd.net/

server.http-parseopts

"url-ctrls-reject" => "enable" 
reject any percent-encoded control chars

RE: [Solved] Invalid character in URI -> 400 /?a=%09Brooklyn - Added by Olaf-van-der-Spek about 1 year ago

Beginning in Q1 2019, lighttpd defaults are scheduled to change to perform limited URL normalization on HTTP requests.

Has this change happened yet?

The lighttpd default will become server.http-parseopts = ("url-normalize-unreserved" => "enable", "url-path-2f-decode" => "enable")

"url-ctrls-reject" isn't in there.

The recommended settings for server.http-parseopts are the following,
"url-ctrls-reject" => "enable",

What's the rationale for disallowing tab (and lf?) in query string arguments?

RE: [Solved] Invalid character in URI -> 400 /?a=%09Brooklyn - Added by gstrauss about 1 year ago

How small a spoon do you need to be fed with?

Check your lighttpd.conf where this has been enabled by default since Debian package lighttpd 1.4.52-4

RE: [Solved] Invalid character in URI -> 400 /?a=%09Brooklyn - Added by Olaf-van-der-Spek about 1 year ago

Smallest spoon you've got please.

I know where it's enabled..
I don't know why it's enabled.
And I think it shouldn't be enabled.

RE: [Solved] Invalid character in URI -> 400 /?a=%09Brooklyn - Added by gstrauss about 1 year ago

I don't know why it's enabled.
And I think it shouldn't be enabled.

Your statement of these two sentences, one right after the other, demonstrates to everyone with a clue that you do not have one, and that you are an uninformed troll. You will continue to be treated as such until you have some self-realization that you are not half as clever as you think you are.

Your uninformed opinions continue to be unwelcome here. I do not have any responsibility to disabuse you from your poorly constructed conclusions. In many interactions on this forum and on Debian lighttpd bug reports, you have not demonstrated to me that you have good sense and you do not have any credibility with me. Please cease posting your opinions.

RE: [Solved] Invalid character in URI -> 400 /?a=%09Brooklyn - Added by Olaf-van-der-Spek about 1 year ago

You still haven't explained why it's considered invalid..

RE: [Solved] Invalid character in URI -> 400 /?a=%09Brooklyn - Added by gstrauss about 1 year ago

You still haven't explained why it's considered invalid..

%09 and %7F (among others) are percent-encoded control characters.

"url-ctrls-reject" => "enable" 
    reject any percent-encoded control chars

If it is unclear to you that this is documented and intended behavior, please ask a friend to help you understand English. doc:server.http-parseopts
If it is unclear to you that this behavior is documented and user-configurable, please ask a friend to help you understand "configuration" files.
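
Added example (not part of the thread and not lighttpd's own code): a small C check for what the quoted "url-ctrls-reject" description covers, flagging percent-encoded control characters in a request-target such as /?a=%09Brooklyn. It assumes "control chars" means ASCII 0x00-0x1F plus 0x7F; the function name find_encoded_ctrl and the sample targets are constructed for illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/*
 * Return the offset of the first percent-encoded ASCII control character
 * (%00-%1F or %7F) in target, or -1 if there is none.
 * Assumption: the control set is ASCII C0 plus DEL; the thread itself
 * names only %09 and %7F "among others".
 * Malformed escapes ("%zz", a trailing "%") are skipped, not judged, and
 * only one level of percent-encoding is examined.
 */
long find_encoded_ctrl(const char *target)
{
    for (size_t i = 0; target[i] != '\0'; i++) {
        if (target[i] != '%') continue;
        int hi = hexval(target[i + 1]);   /* NUL terminator yields -1 */
        if (hi < 0) continue;
        int lo = hexval(target[i + 2]);
        if (lo < 0) continue;
        int byte = hi * 16 + lo;
        if (byte < 0x20 || byte == 0x7F) return (long)i;
        i += 2;                           /* skip the two hex digits */
    }
    return -1;
}

int main(void)
{
    /* Constructed sample request-targets; the first is the one from the thread. */
    const char *samples[] = { "/?a=%09Brooklyn", "/?a=%20Brooklyn", "/a%7Fb", "/100%" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        long off = find_encoded_ctrl(samples[i]);
        printf("%-18s %s\n", samples[i],
               off < 0 ? "ok" : "400 (encoded control char)");
    }
    return 0;
}
```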

RE: [Solved] Invalid character in URI -> 400 /?a=%09Brooklyn - Added by Olaf-van-der-Spek about 1 year ago

I'm asking you WHY it's intended behavior..

RE: [Solved] Invalid character in URI -> 400 /?a=%09Brooklyn - Added by carpii about 1 year ago

I can understand your frustration if someone isn't reading the release notes, but these sorts of hostile responses are really unnecessary IMO

As a huge fan of (and fairly regular donator to) lighty, we already know you do a lot of great work with lighty. Nobody questions that.

But please, could you consider not treating questions as a personal criticism?
It's not healthy for the project. Better to just post a link to the RFC, or even just close the ticket without a response

Just my thoughts anyway. Feel free to ignore/dismiss/delete them

Not looking to resurrect an argument, I just want what is best for the project's longevity

RE: [Solved] Invalid character in URI -> 400 /?a=%09Brooklyn - Added by arekm 9 months ago

request tracker ([commercial link deleted]) needs:

server.http-parseopts = ( "url-ctrls-reject" => "disable", "url-path-2f-decode" => "disable" )

to be working again. Just in case some other rt user will end up in this thread after googling.
