Bug #2378
closedUnicode in cookies throws 400 for all requests
Description
I have found the problem with Google Adwords which creates cookies with unicode what consequently throws 400 for all requests for current user. Current user needs to clear his cookies to start using the site again. I think it's a huge problem with Lighttpd. I checked the same behavior with Apache and it works perfectly without error 400. So I decided to create a patch for version 1.4.30 which just ignores chars from 1 till 31.
I've found similar problems here:
http://redmine.lighttpd.net/issues/1723
http://redmine.lighttpd.net/issues/2188
Files
Updated by stbuehler almost 13 years ago
- Status changed from Patch Pending to Invalid
- Target version deleted (
1.4.31)
No byte in a UTF-8 string is in the range 1 to 31, if it doesn't contain characters in the range 1 to 31. or, in other words, each ascii byte you see is exactly what you see. the bytes in the "not-ascii" part of an utf-8 string always have the highest bit set.
Of the ctl characters only tab (and space) are allowed, unless quoted and escaped, according to rfc2616 (LWS doesn't count as content).
as the quote rules are broken, i don't see a reason to allow them. (the rules don't enforce handling \ as escape, which allows different interpretations).
Updated by sergey.b almost 13 years ago
- Status changed from Invalid to Reopened
I can't agree with you. I analyzed the request headers from heavily loaded production and noticed that there are lots of requests with cookies which contain control symbols like 13, 19, 5:
__utma=73945862.738618813.1325098444.1325098444.1325098444.1; __utmz=73945862.1325098444.1.1.utmcsr=begun|utmccn=Begun:%205@<0=8O|utmcmd=cpc|utmctr=0@5=40%2002B>%202>%20D@0=:DC@B5|
I think it's just not right to throw error code 400 and reject consequent client requests.
Updated by stbuehler almost 13 years ago
- Status changed from Reopened to Invalid
I think it is right to reject such requests. and i have the rfc on my side.
Updated by gstrauss over 8 years ago
- Status changed from Invalid to Fixed
- Target version set to 1.4.40
- Missing in 1.5.x deleted (
No)
In lighttpd 1.4.40, you can now set server.http-parseopt-header-strict = "disable"
With the default (strict header parsing enabled), lighttpd 1.4.x will return 400 Bad Request for such a request.
Also available in: Atom