Bug#849082: libapache2-mod-perl2: FTBFS: test failures with Apache 2.4.25
Stefan Fritsch
sf at sfritsch.de
Sat Dec 24 06:02:26 UTC 2016
On Friday, 23 December 2016 18:56:54 CET Niko Tyni wrote:
> This passage in RFC 7230, section 9.4., seems relevant:
>
> A more effective mitigation is to prevent anything other than the
> server's core protocol libraries from sending a CR or LF within the
> header section, which means restricting the output of header fields to
> APIs that filter for bad octets and not allowing application servers
> to write directly to the protocol stream.
>
> I would expect mod_perl to be classified as a 'core protocol library' in
> this sense, but I have no idea yet if it's just doing something wrong.
>
> Patch attached to revert to the old "unsafe" behaviour in the virtual
> host specific to this test.
The problem is that the injected header lines only have a LF and no CR. I
suggest the attached patch.
RFC 7230, section 3.5, says:
Although the line terminator for the start-line and header fields is
the sequence CRLF, a recipient MAY recognize a single LF as a line
terminator and ignore any preceding CR.
Apache with strict enabled chooses not to implement the MAY. I am not 100%
sure that this is a good idea, but that is a different question. In any case,
mod_perl's test should send a compliant HTTP request.
Cheers,
Stefan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: in_bbs_inject_header.diff
Type: text/x-patch
Size: 1023 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-perl-maintainers/attachments/20161224/ee2204f5/attachment.bin>
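As an added illustration of the line-terminator point discussed in this thread (example code written here, not Apache's, mod_perl's or the attached patch): a small header-section parser with a strict/lenient switch for bare LF, as in RFC 7230 section 3.5, plus an output-side value check in the spirit of the section 9.4 mitigation. The function names and the sample request bytes are made up for this example.

```python
import re

# RFC 7230 "token" characters, used to validate header field names.
_TOKEN = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")

def parse_header_section(raw: bytes, strict: bool = True) -> dict:
    """Parse the header section that follows the request line.

    strict=True : every line must end in CRLF; a bare LF is rejected,
                  as Apache does with its strict option.
    strict=False: a bare LF ends a line and a preceding CR is ignored
                  (the RFC 7230 section 3.5 MAY).
    Returns {lowercased-name: value}; raises ValueError if malformed.
    """
    headers = {}
    pos = 0
    while True:
        nl = raw.find(b"\n", pos)
        if nl < 0:
            raise ValueError("header section not terminated by an empty line")
        line, pos = raw[pos:nl], nl + 1
        if strict:
            if not line.endswith(b"\r"):
                raise ValueError("bare LF line terminator")
            line = line[:-1]
        elif line.endswith(b"\r"):
            line = line[:-1]
        if line == b"":
            return headers  # the empty line ends the header section
        if b"\r" in line:
            raise ValueError("stray CR inside header field")
        name, sep, value = line.partition(b":")
        if not sep or not _TOKEN.match(name):
            raise ValueError("malformed header field")
        headers[name.decode().lower()] = value.strip(b" \t").decode("latin-1")

def accepts(raw: bytes, strict: bool = True) -> bool:
    """True if the header section parses under the given mode."""
    try:
        parse_header_section(raw, strict)
        return True
    except ValueError:
        return False

def header_is_safe(name: str, value: str) -> bool:
    """Output-side filter (RFC 7230 section 9.4): an application-supplied
    value carrying CR or LF must never reach the protocol stream, because
    it would split into an extra header line."""
    return bool(_TOKEN.match(name.encode())) and "\r" not in value and "\n" not in value
```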