why does latest jessie apache2 reject _ in http request path?
- Date: Wed, 8 Mar 2017 09:07:53 +0200
- From: Juha Heinanen <jh@xxxxxxxxxx>
- Subject: why does latest jessie apache2 reject _ in http request path?
My web app stopped working in apache2 2.4.10-10+deb8u8 and looks like
the reason is this:
* CVE-2016-8743: Enforce more HTTP conformance for request lines and
request headers, to prevent response splitting and cache pollution
by malicious clients or downstream proxies.
If this causes problems with non-conforming clients, some checks can
be relaxed by adding the new directive 'HttpProtocolOptions unsafe'
to the configuration.
Differently than the upstream 2.4.25 release which will also be in the
Debian 9 (stretch) release, this update for Debian 8 (jessie) accepts
underscores in host and domain names even while 'HttpProtocolOptions
strict' is in effect.
More information is available at
I checked at the referenced RFCs and underscore IS a valid character in
a segment (rfc3986):
absolute-path = 1*( "/" segment )
segment = *pchar
pchar = unreserved / pct-encoded / sub-delims / ":" / "@"
unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~"
Why is it that if I have _ in my segment, apache2 rejects the request
without 'HttpProtocolOptions strict'?