Bug #1098
closed
Trailing spaces in urls are not tolerated
Description
We are using lighttpd in a surveillance camera application. Some of the systems we need to interface to send a trailing space on most lines of the http requests they make. The following code appears in a couple of places:
r = strtoll(ds->value->ptr, &err, 10);
if (*err != '\0') {
This test relies on there being no characters after the last digit before the end of the input string. The following tests for valid digits being found:
if (err != ds->value->ptr) {
May I request that the parser be tolerant to sequences of multiple spaces interspersed at any point where a space is legal and at the end of lines.
-- gcleary
Updated by jan over 17 years ago
- Status changed from New to Fixed
- Resolution set to fixed
fixed in r1727
Updated by Anonymous over 17 years ago
- Status changed from Fixed to Need Feedback
- Resolution deleted (fixed)
Thanks for the fix for trailing spaces in 1.4; however, the system lighttpd is serving to makes the following request, which fails with the error "overlong request line -> 400" due to the multiple embedded spaces. The parser needs to eat multiple spaces wherever a space is legal.
The failing request header is:
00000000 50 4f 53 54 20 2f 6d 70 65 67 34 2f 31 2f 6d 65 POST /mp eg4/1/me
00000010 64 69 61 2e 61 6d 70 20 48 54 54 50 2f 31 2e 30 dia.amp HTTP/1.0
00000020 20 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a ..Conte nt-Type:
00000030 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 72 applica tion/x-r
00000040 74 73 70 2d 74 75 6e 6e 65 6c 6c 65 64 20 0d 0a tsp-tunn elled ..
00000050 78 2d 73 65 73 73 69 6f 6e 63 6f 6f 6b 69 65 3a x-sessio ncookie:
00000060 20 20 39 34 34 33 35 33 32 30 30 20 0d 0a 43 6f 944353 200 ..Co
00000070 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 20 33 ntent-Le ngth: 3
00000080 32 37 36 37 20 0d 0a 43 6f 6e 6e 65 63 74 69 6f 2767 ..C onnectio
00000090 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 20 0d 0a n: Keep- Alive ..
000000A0 50 72 61 67 6d 61 3a 20 6e 6f 2d 63 61 63 68 65 Pragma: no-cache
000000B0 20 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 72 6f 6c ..Cache -Control
000000C0 3a 20 6e 6f 2d 63 61 63 68 65 20 0d 0a 45 78 70 : no-cac he ..Exp
000000D0 69 72 65 73 3a 20 53 75 6e 2c 20 39 20 4a 61 6e ires: Su n, 9 Jan
000000E0 20 31 39 37 32 20 30 30 3a 30 30 3a 30 30 20 47 1972 00 :00:00 G
000000F0 4d 54 20 0d 0a 41 75 74 68 6f 72 69 7a 61 74 69 MT ..Aut horizati
00000100 6f 6e 3a 20 42 61 73 69 63 20 20 63 6d 39 76 64 on: Basi c cm9vd
00000110 44 70 68 65 47 6c 7a 63 33 56 6a 61 33 4d 3d 20 DpheGlzc 3Vja3M=
-- gcleary
Updated by stbuehler about 16 years ago
- Status changed from Need Feedback to Fixed
- Resolution set to wontfix
Fix your application.
Request-Line = Method SP Request-URI SP HTTP-Version CRLF
Updated by gstrauss 10 months ago
- Description updated (diff)
- Status changed from Wontfix to Invalid
- ASK QUESTIONS IN Forums set to No
https://www.rfc-editor.org/rfc/rfc7230#section-3.1.1
Recipients of an invalid request-line SHOULD respond with either a
400 (Bad Request) error or a 301 (Moved Permanently) redirect with
the request-target properly encoded. A recipient SHOULD NOT attempt
to autocorrect and then process the request without a redirect, since
the invalid request-line might be deliberately crafted to bypass
security filters along the request chain.
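As an added illustration (not lighttpd's code and not from any commenter), the functions below apply the RFC 7230 grammar quoted above to the request line from the dump and build a Content-Length parser on the strtoll/err check the report quotes. The trailing SP after "HTTP/1.0" and a doubled SP in the request line are rejected with the same result lighttpd gives (400), while OWS around a header value, which RFC 7230 does permit, is accepted; the function names and the 32-byte buffer are assumptions of this example.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Validate "Method SP Request-URI SP HTTP-Version" strictly (RFC 7230 3.1.1):
 * exactly one SP between tokens and nothing after the version.
 * Returns 1 if well-formed, 0 if the line should be answered with 400. */
int request_line_is_valid(const char *line)
{
    const char *sp1 = strchr(line, ' ');
    if (sp1 == NULL || sp1 == line) return 0;       /* no or empty method */
    const char *sp2 = strchr(sp1 + 1, ' ');
    if (sp2 == NULL || sp2 == sp1 + 1) return 0;    /* no or empty target; "SP SP" lands here */
    const char *v = sp2 + 1;
    if (strncmp(v, "HTTP/", 5) != 0) return 0;
    v += 5;                                          /* HTTP-version = "HTTP/" DIGIT "." DIGIT */
    if (v[0] < '0' || v[0] > '9' || v[1] != '.' || v[2] < '0' || v[2] > '9') return 0;
    return v[3] == '\0';                             /* a trailing SP, as in the dump, fails here */
}

/* Strip OWS (SP / HTAB) from both ends of a field-value in place.
 * RFC 7230 allows OWS around a field-value, so this is not "autocorrecting". */
char *trim_ows(char *v)
{
    while (*v == ' ' || *v == '\t') v++;
    size_t n = strlen(v);
    while (n > 0 && (v[n - 1] == ' ' || v[n - 1] == '\t')) v[--n] = '\0';
    return v;
}

/* Content-Length = 1*DIGIT. Returns the value, or -1 if anything else is present.
 * The 32-byte working buffer is an assumption; a longer field cannot be a valid length anyway. */
long long parse_content_length(const char *raw)
{
    char buf[32];
    if (strlen(raw) >= sizeof buf) return -1;
    strcpy(buf, raw);
    char *v = trim_ows(buf);
    if (*v < '0' || *v > '9') return -1;   /* strtoll alone would accept "+", "-" and leading whitespace */
    errno = 0;
    char *err;
    long long r = strtoll(v, &err, 10);
    if (errno == ERANGE) return -1;
    if (*err != '\0') return -1;           /* the check quoted in the report: no bytes after the last digit */
    return r;
}
```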