Lighttpd

...in case you were wondering, the old bug can't be reopened because "Author can't be blank".

If you really believe the issue is still "invalid", well, ...

Do you plan to do something about this bug? #2188 can't be reopened because there is problem with the author.

Almost every site has installed google analytics code. This code sets some cookies specific for campaign tracking. This mechanism can be used to set any value for this cookie. Look at this url:

www.domain.com/?utm_source=test&utm_medium=test&utm_campaign=te%05st

when google analytics is installed on the site it will set cookie with parameters present in this url. Look at the last one. There is special character number 5 which will be saved in the cookie. Next, any requests from this visitor to this domain will end up with 400 Bad request error.

This mechanism may be used to ban the page to it's visitors. Some atacker may share this buggy link with others and the site may be blocked for many many people (!!!).

I think that you shouldn't block the request when cookie contains some control characters. It is completely legal and possible by scripts to save such character in the cookie - so you shouldn't block it.

I had to change the sources of lighttpd and compile it today because some versions of some browsers (ex. IE, Firefox) changed polish specific letter "?" into control character number 5. This character was saved in cookie and website was blocked for many many people. The same mechanism may be used by atackers.

Just assigned "Anonymouse" to #2188 and hopefully fixed the author problem.