Bug #1098

closed

Trailing spaces in urls are not tolerated

Added by Anonymous over 17 years ago. Updated 10 months ago.

Status: Invalid
Priority: Normal
Category: core
Target version: -
ASK QUESTIONS IN Forums: No

Description

We are using lighttpd in a surveillance camera application. Some of the systems we need to interface to send a trailing space on most lines of the HTTP requests they make. The following code appears in a couple of places:

r = strtoll(ds->value->ptr, &err, 10);
if (*err != '\0') {

This test relies on there being no characters after the last digit before the end of the input string. The following tests for valid digits being found:

if (err != ds->value->ptr) {

May I request that the parser be tolerant to sequences of multiple spaces interspersed at any point where a space is legal and at the end of lines?

-- gcleary


Files

diff (629 Bytes): diff with fix for request.c -- gcleary (Anonymous, 2007-03-30 19:16)
Actions #1

Updated by jan over 17 years ago

  • Status changed from New to Fixed
  • Resolution set to fixed

fixed in r1727

Actions #2

Updated by Anonymous over 17 years ago

  • Status changed from Fixed to Need Feedback
  • Resolution deleted (fixed)

Thanks for the fix for trailing spaces in 1.4; however, the system lighttpd is serving to makes the following request, which fails with error "overlong request line -> 400" due to the multiple embedded spaces. The parser needs to eat multiple spaces wherever a space is legal.

The failing request header is:


-- gcleary

Actions #3

Updated by Anonymous over 17 years ago

Better formatting....


00000000  50 4f 53 54 20 2f 6d 70  65 67 34 2f 31 2f 6d 65 POST /mp eg4/1/me
00000010  64 69 61 2e 61 6d 70 20  48 54 54 50 2f 31 2e 30 dia.amp  HTTP/1.0
00000020  20 0d 0a 43 6f 6e 74 65  6e 74 2d 54 79 70 65 3a  ..Conte nt-Type:
00000030  20 61 70 70 6c 69 63 61  74 69 6f 6e 2f 78 2d 72  applica tion/x-r
00000040  74 73 70 2d 74 75 6e 6e  65 6c 6c 65 64 20 0d 0a tsp-tunn elled ..
00000050  78 2d 73 65 73 73 69 6f  6e 63 6f 6f 6b 69 65 3a x-sessio ncookie:
00000060  20 20 39 34 34 33 35 33  32 30 30 20 0d 0a 43 6f   944353 200 ..Co
00000070  6e 74 65 6e 74 2d 4c 65  6e 67 74 68 3a 20 20 33 ntent-Le ngth:  3
00000080  32 37 36 37 20 0d 0a 43  6f 6e 6e 65 63 74 69 6f 2767 ..C onnectio
00000090  6e 3a 20 4b 65 65 70 2d  41 6c 69 76 65 20 0d 0a n: Keep- Alive ..
000000A0  50 72 61 67 6d 61 3a 20  6e 6f 2d 63 61 63 68 65 Pragma:  no-cache
000000B0  20 0d 0a 43 61 63 68 65  2d 43 6f 6e 74 72 6f 6c  ..Cache -Control
000000C0  3a 20 6e 6f 2d 63 61 63  68 65 20 0d 0a 45 78 70 : no-cac he ..Exp
000000D0  69 72 65 73 3a 20 53 75  6e 2c 20 39 20 4a 61 6e ires: Su n, 9 Jan
000000E0  20 31 39 37 32 20 30 30  3a 30 30 3a 30 30 20 47  1972 00 :00:00 G
000000F0  4d 54 20 0d 0a 41 75 74  68 6f 72 69 7a 61 74 69 MT ..Aut horizati
00000100  6f 6e 3a 20 42 61 73 69  63 20 20 63 6d 39 76 64 on: Basi c  cm9vd
00000110  44 70 68 65 47 6c 7a 63  33 56 6a 61 33 4d 3d 20 DpheGlzc 3Vja3M= 
Actions #4

Updated by Anonymous over 17 years ago


Actions #5

Updated by Anonymous over 17 years ago


Actions #6

Updated by stbuehler about 16 years ago

  • Status changed from Need Feedback to Fixed
  • Resolution set to wontfix

Fix your application.


Request-Line   = Method SP Request-URI SP HTTP-Version CRLF
Actions #7

Updated by stbuehler about 16 years ago

  • Status changed from Fixed to Wontfix
Actions #8

Updated by gstrauss 10 months ago

  • Description updated (diff)
  • Status changed from Wontfix to Invalid
  • ASK QUESTIONS IN Forums set to No

https://www.rfc-editor.org/rfc/rfc7230#section-3.1.1

Recipients of an invalid request-line SHOULD respond with either a
400 (Bad Request) error or a 301 (Moved Permanently) redirect with
the request-target properly encoded. A recipient SHOULD NOT attempt
to autocorrect and then process the request without a redirect, since
the invalid request-line might be deliberately crafted to bypass
security filters along the request chain.
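
An added example (not lighttpd's code and not part of the thread) of the strictness the comment above argues for: the request line is matched against the grammar exactly and answered with 400 rather than repaired, while a Content-Length value has only the optional whitespace that RFC 7230 section 3.2 permits around header values skipped before a digits-only parse. The function names are hypothetical; the sample request line is the one in the hex dump earlier in the thread.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Length of the run of visible, non-space bytes at s. */
static size_t token_len(const char *s) {
    size_t n = 0;
    while ((unsigned char)s[n] > 0x20 && (unsigned char)s[n] != 0x7f) n++;
    return n;
}

/* Request-Line = Method SP Request-URI SP HTTP-Version CRLF
 * Returns 0 on an exact match, 400 otherwise. Nothing is trimmed or
 * collapsed: a doubled or trailing space is rejected, not repaired. */
int check_request_line(const char *line) {
    const char *p = line;
    size_t n;
    if ((n = token_len(p)) == 0) return 400;        /* Method */
    p += n;
    if (*p++ != ' ') return 400;                    /* exactly one SP */
    if ((n = token_len(p)) == 0) return 400;        /* Request-URI */
    p += n;
    if (*p++ != ' ') return 400;                    /* exactly one SP */
    if ((n = token_len(p)) == 0 || strncmp(p, "HTTP/", 5) != 0) return 400;
    p += n;
    return strcmp(p, "\r\n") == 0 ? 0 : 400;        /* CRLF and nothing else */
}

/* Content-Length field value (CRLF already removed). RFC 7230 section 3.2
 * allows optional SP/HTAB around a header value, so that is skipped; the
 * rest must be digits only. Returns the length, or -1 if invalid. */
long long parse_content_length(const char *v) {
    char *end;
    long long r;
    while (*v == ' ' || *v == '\t') v++;
    if (*v < '0' || *v > '9') return -1;            /* empty or signed */
    errno = 0;
    r = strtoll(v, &end, 10);
    if (errno == ERANGE) return -1;                 /* overflow */
    while (*end == ' ' || *end == '\t') end++;
    return *end == '\0' ? r : -1;                   /* no trailing junk */
}

/* Constructed samples; the first line is the one from the hex dump. */
int main(void) {
    return !(check_request_line("POST /mpeg4/1/media.amp HTTP/1.0 \r\n") == 400
          && check_request_line("POST /mpeg4/1/media.amp HTTP/1.0\r\n") == 0
          && parse_content_length("  32767 ") == 32767);
}
```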