[Varnish] #1862: Request URL with whitespace is allowed

Varnish varnish-bugs at varnish-cache.org
Mon Feb 29 10:15:44 CET 2016


#1862: Request URL with whitespace is allowed
----------------------+---------------------
 Reporter:  espebra   |      Owner:
     Type:  defect    |     Status:  new
 Priority:  normal    |  Milestone:
Component:  varnishd  |    Version:  unknown
 Severity:  normal    |   Keywords:
----------------------+---------------------
 Client requests to {{{/foo bar}}} are accepted by varnishd and are handled
 as/translated to {{{/foo}}} - which most likely will end up with the wrong
 content being served. Requests to {{{/foo bar}}} are not properly encoded,
 and thereby invalid according to the RFC.

 RFC 7230 section 3.1.1 (https://tools.ietf.org/html/rfc7230#section-3.1.1)
 says:

   Recipients of an invalid request-line SHOULD respond with either a
   400 (Bad Request) error or a 301 (Moved Permanently) redirect with
   the request-target properly encoded.  A recipient SHOULD NOT attempt
   to autocorrect and then process the request without a redirect, since
   the invalid request-line might be deliberately crafted to bypass
   security filters along the request chain.

 I have attached a simple test case which passes with the current "non-RFC
 compliant" behaviour.

-- 
Ticket URL: <https://www.varnish-cache.org/trac/ticket/1862>
Varnish <https://varnish-cache.org/>
The Varnish HTTP Accelerator
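
The difference between the lenient handling reported in this ticket and the single-SP request-line grammar of RFC 7230 section 3.1.1, as an added example that is not part of the original ticket and is not varnishd's code. The function names, the return convention (0 to proceed, 400 to reject) and the sample request-lines are assumptions made for illustration; the line is assumed to have its CRLF already stripped.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers, not varnishd code. Both return 0 to proceed or the
 * HTTP status to answer with; `line` is a request-line with CRLF stripped.
 * Lenient: the target ends at the first SP after the method, so
 * "GET /foo bar HTTP/1.1" is silently handled as "/foo". */
static int parse_lenient(const char *line, char *target, size_t n)
{
    const char *p = strchr(line, ' ');
    if (p == NULL)
        return 400;
    size_t len = strcspn(++p, " ");
    if (len == 0 || len >= n)
        return 400;
    memcpy(target, p, len);
    target[len] = '\0';
    return 0;
}

/* Strict: method SP request-target SP HTTP-version, so exactly two SP
 * and no control bytes; anything else gets 400 instead of autocorrection. */
static int parse_strict(const char *line, char *target, size_t n)
{
    const char *sp1 = strchr(line, ' ');
    const char *sp2 = sp1 ? strchr(sp1 + 1, ' ') : NULL;
    if (sp1 == NULL || sp1 == line || sp2 == NULL || strchr(sp2 + 1, ' '))
        return 400;
    for (const char *c = line; *c; c++)
        if ((unsigned char)*c < 0x20 || *c == 0x7f)
            return 400;
    size_t len = (size_t)(sp2 - sp1 - 1);
    if (len == 0 || len >= n || strncmp(sp2 + 1, "HTTP/", 5) != 0)
        return 400;
    memcpy(target, sp1 + 1, len);
    target[len] = '\0';
    return 0;
}

int main(void)
{
    const char *samples[] = { "GET /foo bar HTTP/1.1",      /* constructed */
                              "GET /foo%20bar HTTP/1.1" };  /* constructed */
    for (size_t i = 0; i < 2; i++) {
        char a[64] = "", b[64] = "";
        int l = parse_lenient(samples[i], a, sizeof a);
        printf("%-26s lenient=%d [%s] strict=%d\n", samples[i], l, a, parse_strict(samples[i], b, sizeof b));
    }
    return 0;
}
```

The strict variant answers 400 for the unencoded space and accepts the percent-encoded form unchanged, so a filter in front of the cache and the backend behind it see the same request-target.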


