Web lists-archives.com

Re: why does latest jessie apache2 reject _ in http request path?




Juha Heinanen writes:

> Thanks for your answer.  The request below works over TLS in apache2
> 2.4.10-10+deb8u7, but fails in 2.4.10-10+deb8u8 unless I turn on
> 
> #HttpProtocolOptions unsafe
> 
> There is crlf after each line and there are no tabs.
> 
> I can't figure out what is wrong with it.

Now when I compare HTTP version of the client to HTTPS version, I see
difference.  The client is written in PHP and if HTTP is used, the
request is set like this:

        $headers =
	"POST $location HTTP/1.1\r\n" .
	"Host: $site\r\n" .
	"Connection: close\r\n" .
	"Content-Type: text/xml\r\n" .
	"Content-Length: " . strlen($data) . "\r\n\r\n";

But if HTTPS is used, the request is set like this:

	curl_setopt($curl, CURLOPT_HTTPHEADER,
	  array('Content-Type: text/xml',
	    'POST $location HTTP/1.1',
 	    'Host: $site',
 	    'Connection: close',
	    'Content-Type: text/xml',
	    'Content-Length: ' . strlen($data)));

Perhaps curl_setops() does not properly add crlf after each header line?
I'll investigate.

-- Juha