Re: why does latest jessie apache2 reject _ in http request path?
- Date: Wed, 8 Mar 2017 11:43:11 +0200
- From: Juha Heinanen <jh@xxxxxxxxxx>
- Subject: Re: why does latest jessie apache2 reject _ in http request path?
Juha Heinanen writes:
> Thanks for your answer. The request below works over TLS in apache2
> 2.4.10-10+deb8u7, but fails in 2.4.10-10+deb8u8 unless I turn on
> #HttpProtocolOptions unsafe
> There is crlf after each line and there are no tabs.
> I can't figure out what is wrong with it.
Now when I compare HTTP version of the client to HTTPS version, I see
difference. The client is written in PHP and if HTTP is used, the
request is set like this:
"POST $location HTTP/1.1\r\n" .
"Host: $site\r\n" .
"Connection: close\r\n" .
"Content-Type: text/xml\r\n" .
"Content-Length: " . strlen($data) . "\r\n\r\n";
But if HTTPS is used, the request is set like this:
'POST $location HTTP/1.1',
'Content-Length: ' . strlen($data)));
Perhaps curl_setops() does not properly add crlf after each header line?