[core] reject WS following header field-name (fixes #2985)
commit 61f85d14ee4444755e0771495b97af11162448dd
author Glenn Strauss <gstrauss@gluelogic.com>
Sat, 28 Sep 2019 23:21:56 +0000 (28 19:21 -0400)
committer Glenn Strauss <gstrauss@gluelogic.com>
Sun, 26 Jan 2020 05:40:20 +0000 (26 00:40 -0500)
tree 7357d06ec949c7aae2e4bc87d681cedbf0d25bd5
parent 851728c6a13ed38a2c333daf62f8d6e649e11004
[core] reject WS following header field-name (fixes #2985)

reject whitespace following request header field-name and before colon
Such whitespace is forbidden in RFC 7230 Section 3.2.4.

strict header parsing is enabled by default in lighttpd.  However,
if explicitly disabled in lighttpd.conf, lighttpd will continue to
accept (and re-format) such field-names before passing to any backend.
  UNSAFE: server.http-parseopts = ( "header-strict" => "disable" )
  This is NOT RECOMMENDED since doing so disables other protections
  provided by lighttpd strict http header parsing.

(thx fedormixalich)

x-ref:
  stricter request header parsing
  https://redmine.lighttpd.net/issues/2985
src/request.c
src/t/test_request.c
tests/request.t
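
The check described in the commit message, as an added example that is not lighttpd's code from src/request.c: `check_field_line`, `enum hdr_result` and the sample lines are assumptions made for illustration. Strict mode rejects SP/HTAB between field-name and colon; with strict parsing off, the line is re-formatted so a backend never receives the original form.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names for this example; not lighttpd's request.c API. */
enum hdr_result { HDR_REJECT = -1, HDR_OK = 0, HDR_NORMALIZED = 1 };

/* Check one request header line (CRLF already removed).
 * strict != 0: SP/HTAB between field-name and ':' is rejected (-> 400).
 * strict == 0: the whitespace is stripped and the re-formatted line is
 *              written to out, so a backend never sees the original. */
static enum hdr_result check_field_line(const char *line, size_t len,
                                        int strict, char *out, size_t outsz)
{
    const char *colon = memchr(line, ':', len);
    if (colon == NULL || colon == line)
        return HDR_REJECT;                /* no colon, or empty name */
    size_t nlen = (size_t)(colon - line), end = nlen;
    while (end > 0 && (line[end - 1] == ' ' || line[end - 1] == '\t'))
        --end;                            /* trim WS before the colon */
    if (end == 0)
        return HDR_REJECT;                /* name was only whitespace */
    for (size_t i = 0; i < end; ++i)      /* WS inside or before the name */
        if (line[i] == ' ' || line[i] == '\t')
            return HDR_REJECT;
    if (end == nlen)
        return HDR_OK;                    /* nothing between name and ':' */
    if (strict)
        return HDR_REJECT;
    size_t rest = len - nlen;             /* ':' plus the field-value */
    if (out == NULL || end + rest + 1 > outsz)
        return HDR_REJECT;                /* no room to re-format safely */
    memcpy(out, line, end);
    memcpy(out + end, colon, rest);
    out[end + rest] = '\0';
    return HDR_NORMALIZED;
}

int main(void)
{
    /* Constructed sample lines, not taken from the issue report. */
    const char *samples[] = { "Host: example.test",
                              "Content-Length : 5",
                              "Transfer-Encoding\t: chunked" };
    char buf[128];
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); ++i) {
        size_t n = strlen(samples[i]);
        printf("%-30s strict=%d lax=%d\n", samples[i],
               check_field_line(samples[i], n, 1, buf, sizeof(buf)),
               check_field_line(samples[i], n, 0, buf, sizeof(buf)));
    }
    return 0;
}
```

Lines that begin with whitespace are rejected here in both modes; a full parser decides separately how to treat such continuation lines.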