[Bug 62440] New: When exporting request headers to HTTP_* environment variables, drop TO DRASTICLY variables


https://bz.apache.org/bugzilla/show_bug.cgi?id=62440

            Bug ID: 62440
           Summary: When exporting request headers to HTTP_* environment
                    variables, drop TO DRASTICLY variables
           Product: Apache httpd-2
           Version: 2.4.33
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: regression
          Priority: P2
         Component: Core
          Assignee: bugs@xxxxxxxxxxxxxxxx
          Reporter: info-apache@xxxxxxxxx
  Target Milestone: ---

Apache implements the HTTP header to HTTP_* variable mapping of the CGI RFC:
https://tools.ietf.org/html/rfc3875#section-4.1.18 

In Apache 2.3.11 you drastically changed the generation of HTTP headers in
HTTP_ variables.
https://github.com/apache/httpd/commit/c291b461180994410593a8fc7541c4ef12e3b634 

I think this is too drastic with regard to the HTTP standard.
https://stackoverflow.com/questions/47687379/what-characters-are-allowed-in-http-header-values?utm_medium=organic&utm_source=google_rich_qa&utm_campaign=google_rich_qa

I have many headers sent to an application in PHP with the mod_php SAPI, which
searches the HTTP_* variables for this information.
The HTTP header names are names like AA_BBBBBBBBB, and with this code they
are silently dropped... because they use "_" in place of the only separator
accepted in the code, "-"...

In the documentation they explain a solution to circumvent this, but only for
field content, not for field names...
http://httpd.apache.org/docs/current/en/env.html#examples 

In HTTP RFC 7230 they clarify which characters can be used:
https://tools.ietf.org/html/rfc7230#section-3.2.6 
https://tools.ietf.org/html/rfc7230#section-3.2 

     field-name     = token

     token          = 1*tchar

     tchar          = "!" / "#" / "$" / "%" / "&" / "'" / "*"
                    / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~"
                    / DIGIT / ALPHA
                    ; any VCHAR, except delimiters

The char "_" is authorized in field names; why drop this char and transform "-"
into "_"?
Why not simply leave it as is?
Why not change all authorized characters to "_" instead of removing the
variable completely?

In the CGI RFC they say:
   The server MUST, if necessary, change the representation of the data (for
   example, the character set) to be appropriate for a CGI meta-variable.

Or make it possible to override this when necessary?!


In server/util_script.c:

     while ((c = *w++) != 0) {
-        if (!apr_isalnum(c)) {
+        if (apr_isalnum(c)) {
+            *cp++ = apr_toupper(c);
+        }
+        else if (c == '-') {
             *cp++ = '_';
         }
         else {
-            *cp++ = apr_toupper(c);
+            return NULL;
         }
     }
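
Review bot: In the final `else` branch, `return NULL;` discards the whole header for any character other than an alphanumeric or '-', which includes '_', and nothing in the hunk documents or logs that. Because `else if (c == '-')` rewrites '-' to '_', letting '_' through unchanged would make two different field names produce the same variable name, so rejecting it is defensible; the branch should carry a comment stating that reason, and the dropped name should be logged at debug level so the loss is not silent for the operator.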



Why not extend

 else if (c == '-') {

to other characters like this:

 if (strchr("!#$%&'*+-.^`|~",c) != NULL) { 

and add 

 else if (c == '_') {
    *cp++ = c;
 }
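
An added example, not httpd source and not part of the report: a stand-alone C re-implementation of the name mapping in the hunk above next to the relaxed mapping proposed in this report. It shows that the strict rule drops `AA_BBBBBBBBB`, while the relaxed rule makes `AA-BBBBBBBBB` and `AA_BBBBBBBBB` indistinguishable in the environment. The function names, the `relaxed` flag and the buffer sizes are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Build "HTTP_<NAME>" from a header field name (hypothetical helper).
 * relaxed == 0: rule from the hunk above (alnum -> upper, '-' -> '_', else drop).
 * relaxed != 0: rule proposed in the report (other tchars -> '_', '_' kept).
 * Returns 1 on success, 0 if the header would be dropped. */
static int env_name(const char *hdr, int relaxed, char *out, size_t outlen)
{
    size_t n = 5;
    if (outlen < 6) return 0;
    memcpy(out, "HTTP_", 5);
    for (; *hdr; hdr++) {
        unsigned char c = (unsigned char)*hdr;
        if (n + 1 >= outlen) return 0;               /* no room for c + NUL */
        if (isalnum(c)) out[n++] = (char)toupper(c);
        else if (c == '-') out[n++] = '_';
        else if (relaxed && strchr("!#$%&'*+.^`|~_", c)) out[n++] = '_';
        else return 0;                                /* header is dropped */
    }
    out[n] = '\0';
    return 1;
}

/* 1 if two different header strings end up as the same variable name. */
static int collides(const char *a, const char *b, int relaxed)
{
    char va[128], vb[128];
    return strcmp(a, b) != 0
        && env_name(a, relaxed, va, sizeof va)
        && env_name(b, relaxed, vb, sizeof vb)
        && strcmp(va, vb) == 0;
}

int main(void)
{
    /* Constructed sample names; AA_BBBBBBBBB is the shape given in the report. */
    const char *names[] = { "AA-BBBBBBBBB", "AA_BBBBBBBBB", "AA.BBBBBBBBB" };
    char v[128];
    for (int mode = 0; mode < 2; mode++)
        for (size_t i = 0; i < 3; i++)
            printf("%-7s %-13s -> %s\n", mode ? "relaxed" : "strict", names[i],
                   env_name(names[i], mode, v, sizeof v) ? v : "(dropped)");
    printf("collision strict=%d relaxed=%d\n",
           collides(names[0], names[1], 0), collides(names[0], names[1], 1));
    return 0;
}
```

Under the relaxed rule an application reading `HTTP_AA_BBBBBBBBB` can no longer tell which of the two header spellings the client sent, which matters when a front-end proxy sets or strips only one of them.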
