Log Message: |
Since Apache 2.4.25, header injection fails with
protocol.c(957): (22)Invalid argument: [client 127.0.0.1:53182] Failed to read request header line X-Extra-Header2: Value 2
protocol.c(1313): [client 127.0.0.1:53182] AH00567: request failed: error reading the headers
making the server issue a 400 Bad Request response and causing test
failures.
The problem is that the injected header lines only have a LF and no CR.
RFC 7230, section 3.5 says:
Although the line terminator for the start-line and header fields is
the sequence CRLF, a recipient MAY recognize a single LF as a line
terminator and ignore any preceding CR.
Apache with strict enabled chooses not to implement the MAY. This may or
may not be a good idea, but that is a different question. In any case,
mod_perl's test should send a compliant HTTP request.
Bug-Debian: https://bugs.debian.org/849082
[Patch from Stefan Fritsch <sf@sfritsch.de>]
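The difference the message describes, as an added example (not part of the commit or of mod_perl's test suite): a small parser applies the strict CRLF rule and the RFC 7230 section 3.5 leniency to the same constructed header block. The function names and the sample headers other than `X-Extra-Header2` are assumptions for illustration.

```python
import re

# RFC 7230 field-name token characters.
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def parse_header_block(raw: bytes, strict: bool = True) -> dict:
    """Parse the header lines that follow the request line.

    strict=True : every line must end in CRLF, which is what the message
                  says Apache does with strict enabled; bare LF is an error.
    strict=False: a lone LF is accepted too (the MAY in RFC 7230 3.5).
    """
    headers, pos = {}, 0
    while True:
        lf = raw.find(b"\n", pos)
        if lf == -1:
            raise ValueError("header block not terminated")
        line, pos = raw[pos:lf], lf + 1
        if line.endswith(b"\r"):
            line = line[:-1]
        elif strict:
            raise ValueError("bare LF after %r" % line)
        if line == b"":
            return headers  # blank line ends the header block
        if b"\r" in line:  # this example's choice: reject any other CR
            raise ValueError("stray CR in %r" % line)
        name, sep, value = line.partition(b":")
        if not sep or not TOKEN.fullmatch(name):
            raise ValueError("malformed header line %r" % line)
        headers[name.decode().lower()] = value.strip(b" \t").decode()


def build_headers(base, injected, injected_eol=b"\r\n"):
    """Serialise headers; injected_eol=b'\\n' reproduces the failing input."""
    lines = [b"%s: %s\r\n" % pair for pair in base]
    lines += [b"%s: %s" % pair + injected_eol for pair in injected]
    return b"".join(lines) + b"\r\n"


# Constructed sample: one ordinary header plus the injected one from the log.
BASE = [(b"Host", b"localhost")]
INJECTED = [(b"X-Extra-Header2", b"Value 2")]
GOOD = build_headers(BASE, INJECTED)                    # CRLF on every line
BAD = build_headers(BASE, INJECTED, injected_eol=b"\n") # injected line LF only

if __name__ == "__main__":
    print(parse_header_block(GOOD))
    print(parse_header_block(BAD, strict=False))
    try:
        parse_header_block(BAD)
    except ValueError as exc:
        print("400 Bad Request:", exc)
```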