Web lists-archives.com

Re: why does latest jessie apache2 reject _ in http request path?




tomas@xxxxxxxxxx writes:

> Note the underscored parts. You are talking about (path) segments.
> Underscore is fine there. Problem is host and domain names, and 3986 is
> pretty deliberately handwavy there (3.2.2 host). Apart from IP addresses
> it refers to good ol' DNS (1123, 952. Ah, Those folks knew how to write
> RFCs ;-), which *doesn't* include underscore (but dash). But then it
> goes on to say that you can locally do what you want with the host part
> anyway, and that it hasn't to be tied to the DNS (even percent-encode
> it, yikes).

Thanks for your answer.  The request below works over TLS in apache2
2.4.10-10+deb8u7, but fails in 2.4.10-10+deb8u8 unless I turn on

#HttpProtocolOptions unsafe

There is crlf after each line and there are no tabs.

I can't figure out what is wrong with it.

-- Juha

########
T 2017/03/08 11:28:05.427711 127.0.0.1:49612 -> 127.0.0.1:80 [AP]
POST /manager/xml-rpc-server.php HTTP/1.1.
Host: 127.0.0.1.
Connection: close.
Content-Type: text/xml.
Content-Length: 841.