Re: [squid-users] Can a space after HTTP/1.1 be allowed? from Amos Jeffries on 2012-11-07 (squid-users)

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 08 Nov 2012 17:41:13 +1300

On 8/11/2012 1:53 a.m., Ralf Hildebrandt wrote:
> A broken application sends this request to our Squid-3.1.21:
>
> "CONNECT gateway.push.apple.com:2195 HTTP/1.1"
> (note the trailing space!)
>
> which results in "HTTP/1.0 400 Bad Request"
>
> And indeed:
> http://www.w3.org/Protocols/rfc2616/rfc2616-sec5.html#sec5.1
> together with
> http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.1
> clearly define that there must be a CRLF after the HTTP Version, no
> spaces are allowed.

Exactly. The reasons are not well documented in RFC 2616, but see:
http://tools.ietf.org/html/draft-ietf-httpbis-p1-messaging-21#section-3.1.1

    Unfortunately, some user agents fail to properly encode hypertext
    references that have embedded whitespace, sending the characters
    directly instead of properly percent-encoding the disallowed
    characters. Recipients of an invalid request-line SHOULD respond
    with either a 400 (Bad Request) error or a 301 (Moved Permanently)
    redirect with the request-target properly encoded. Recipients SHOULD
    NOT attempt to autocorrect and then process the request without a
    redirect, since the invalid request-line might be deliberately
    crafted to bypass security filters along the request chain.
"

Squid is following the first option. There are two types of broken lients.

The mandatory response is a "400 Bad Request" as you see.

Essentially there are two types of broken clients. Squid is tolerant for
the more common form of breakage (whitespace in URL field) but that
prohibits us tolerating the rarer cases of whitespace in the method and
version fields.

>
> Still, it's easier to have a workaround in squid than to get a big,
> three letter company to fix their software.

Do name them please. Or at least the broken agent you uncovered. The
HTTPbis WG has an interest in what software is violating HTTP and has a
little extra pressure to add towards its fix. Most of the big-name
companies of today have been involved in writing that text about
request-line anyway and can be expected to follow the agreed standard.

> Is there a way for me to relax that particular check?
>

No. Sorry. see above.

I am trying to get some better smarts into Squid on non-GET methods like
this. But it has turned out to be trickier than one would think.

Amos
Received on Thu Nov 08 2012 - 04:41:26 MST

This archive was generated by hypermail 2.2.0 : Thu Nov 08 2012 - 12:00:03 MST