Disallow '@' in HTTP/1 header field-names per RFC 9110#12881
Closed
dweepvira wants to merge 1 commit into apache:master from
Conversation
RFC 9110 specifies that HTTP header field-names must consist only of tchar. The current implementation explicitly allows '@' in header names due to a special-case condition in ParseRules::is_http_field_name() during parse table generation. This patch removes the exception for '@', ensuring header name validation aligns with RFC 9110. Invalid header names now correctly result in HTTP 400 responses.
Contributor:
Thank you for the contribution, but ATS uses @ headers for internal communication and we cannot have the parser being incapable of parsing them. We closed an almost identical PR recently: #12838
Disallow @ in HTTP/1 header field-names per RFC 9110

Summary

Disallow the @ character in HTTP/1 header field-names to ensure compliance with RFC 9110.

Background

RFC 9110 defines:

Where token consists only of tchar characters:

The @ character is not included in the tchar set and therefore is not valid in HTTP header field-names.

The current implementation of ParseRules::is_http_field_name() explicitly allows @ as an exception:

(is_mime_sep(c) && c != '@')

This results in HTTP/1 requests such as:

being accepted instead of rejected.

Change

Remove the special-case allowance for @ in ParseRules::is_http_field_name().

Before:
(is_mime_sep(c) && c != '@')

After:
is_mime_sep(c)

This ensures that @ is rejected as part of HTTP/1 header field-names.

Result

Requests containing header names with @ now correctly return:

instead of being processed normally.

Scope

Impact

Improves HTTP/1 standards compliance by rejecting syntactically invalid header field-names.
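As an added example (written for this page, not code from the PR or from Apache Traffic Server), the C++ below models the check the commit message discusses: a tchar predicate taken from RFC 9110 section 5.6.2, a field-name validator whose allow_at flag stands in for the '@' special case the PR removes, and a small header-block walker that answers 400 on the first invalid name. The function names, the flag and the sample header blocks (including the "@Ats-Internal" name) are assumptions made here. Running the same block with the flag on and off shows the tension the maintainer's reply points at: a strictly RFC-conformant parser refuses any field-name containing '@', including the headers ATS uses for internal communication.

```cpp
#include <cctype>
#include <cstdio>
#include <cstring>
#include <string>

// RFC 9110 section 5.6.2: tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+"
//   / "-" / "." / "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA
// Everything else, including '@', SP, ':' and the other delimiters, is not a tchar.
bool is_tchar(unsigned char c) {
    if (std::isalnum(c)) {
        return true;
    }
    return c != '\0' && std::strchr("!#$%&'*+-.^_`|~", c) != nullptr;
}

// Validate one field-name. allow_at stands in for the special case the PR removes:
// with it set, '@' is tolerated in addition to tchar, as the commit message says the
// pre-patch ParseRules::is_http_field_name() does. (Assumption: this function is
// written for the example and is not the ATS implementation.)
bool is_valid_field_name(const std::string &name, bool allow_at) {
    if (name.empty()) {
        return false; // token = 1*tchar, so an empty name is invalid
    }
    for (unsigned char c : name) {
        if (is_tchar(c)) {
            continue;
        }
        if (allow_at && c == '@') {
            continue;
        }
        return false;
    }
    return true;
}

// Walk a raw HTTP/1 header block (CRLF-separated field lines ending in an empty
// line) and return the status a parser would answer with: 400 on the first
// syntactically invalid field-name, otherwise 200. Only the name is checked;
// field-value syntax is outside the scope of the PR.
int validate_header_block(const std::string &block, bool allow_at) {
    std::string::size_type pos = 0;
    while (pos < block.size()) {
        std::string::size_type eol = block.find("\r\n", pos);
        if (eol == std::string::npos) {
            eol = block.size();
        }
        std::string line = block.substr(pos, eol - pos);
        pos = eol + 2;
        if (line.empty()) {
            break; // blank line terminates the header section
        }
        std::string::size_type colon = line.find(':');
        if (colon == std::string::npos) {
            return 400; // a field line without ':' is malformed
        }
        // RFC 9112 forbids whitespace between field-name and ':'; SP is not a
        // tchar, so "Bad Name:" fails the same check that '@' fails.
        if (!is_valid_field_name(line.substr(0, colon), allow_at)) {
            return 400;
        }
    }
    return 200;
}

// Constructed sample header blocks for the example (not captured traffic).
const std::string kPlainHeaders = "Host: example.com\r\nX-Trace-Id: abc123\r\n\r\n";
const std::string kAtHeader     = "Host: example.com\r\n@Ats-Internal: 1\r\n\r\n";
const std::string kSpaceInName  = "Host: example.com\r\nBad Name: x\r\n\r\n";

int main() {
    std::printf("plain headers, strict:   %d\n", validate_header_block(kPlainHeaders, false));
    std::printf("@ header, strict:        %d\n", validate_header_block(kAtHeader, false));
    std::printf("@ header, '@' allowed:   %d\n", validate_header_block(kAtHeader, true));
    std::printf("space in name, allowed:  %d\n", validate_header_block(kSpaceInName, true));
    return 0;
}
```

The strict run rejects the @-named header with 400, exactly the behaviour the PR describes; the lenient run accepts it, which is the behaviour ATS needs for its internal headers. Note that the lenient mode still rejects other non-tchar characters such as the space in "Bad Name", so the '@' exception widens the grammar by one character only.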