[Varnish] #1862: Request URL with whitespace is allowed
Varnish
varnish-bugs at varnish-cache.org
Mon Feb 29 10:15:44 CET 2016
----------------------+---------------------
Reporter: espebra | Owner:
Type: defect | Status: new
Priority: normal | Milestone:
Component: varnishd | Version: unknown
Severity: normal | Keywords:
----------------------+---------------------
Client requests to {{{/foo bar}}} are accepted by varnishd and are handled
as/translated to {{{/foo}}} - which most likely will end up with the wrong
content being served. Requests to {{{/foo bar}}} are not properly encoded,
and thereby invalid according to the RFC.
RFC 7230 section 3.1.1 (https://tools.ietf.org/html/rfc7230#section-3.1.1)
says:
  Recipients of an invalid request-line SHOULD respond with either a
  400 (Bad Request) error or a 301 (Moved Permanently) redirect with
  the request-target properly encoded. A recipient SHOULD NOT attempt
  to autocorrect and then process the request without a redirect, since
  the invalid request-line might be deliberately crafted to bypass
  security filters along the request chain.
I have attached a simple test case which passes with the current "non-RFC
compliant" behaviour.
--
Ticket URL: <https://www.varnish-cache.org/trac/ticket/1862>
Varnish <https://varnish-cache.org/>
The Varnish HTTP Accelerator
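A simplified model of the behaviour this ticket reports, next to a strict request-line check in the sense of RFC 7230 section 3.1.1, as an added example. It is not varnishd code and not the attached test case; the function names, the 200/400 return convention and the sample request-lines are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Model of the reported behaviour (hypothetical helper): the target ends at
 * the first whitespace after the method, so "/foo bar" is handled as "/foo". */
static int parse_lenient(const char *line, char *target, size_t cap)
{
    const char *p = strchr(line, ' ');
    if (p == NULL) return 400;
    p++;
    size_t n = strcspn(p, " \t");
    if (n == 0 || n >= cap) return 400;
    memcpy(target, p, n);
    target[n] = '\0';
    return 200;
}

/* Strict check (hypothetical helper): method SP request-target SP
 * HTTP-version, exactly two SP and no other whitespace in the line. */
static int parse_strict(const char *line, char *target, size_t cap)
{
    if (strpbrk(line, "\t\r\n") != NULL) return 400;
    const char *sp1 = strchr(line, ' ');
    const char *sp2 = sp1 ? strchr(sp1 + 1, ' ') : NULL;
    if (sp1 == NULL || sp1 == line || sp2 == NULL) return 400;
    /* A third SP means the request-target contained unencoded whitespace. */
    if (strchr(sp2 + 1, ' ') != NULL || strncmp(sp2 + 1, "HTTP/", 5) != 0)
        return 400;
    size_t n = (size_t)(sp2 - sp1 - 1);
    if (n == 0 || n >= cap) return 400;
    memcpy(target, sp1 + 1, n);
    target[n] = '\0';
    return 200;
}

int main(void)
{
    /* Constructed request-lines with the trailing CRLF already stripped. */
    const char *samples[] = { "GET /foo HTTP/1.1", "GET /foo bar HTTP/1.1",
                              "GET /foo%20bar HTTP/1.1" };
    char a[64], b[64];
    for (size_t i = 0; i < 3; i++) {
        int l = parse_lenient(samples[i], a, sizeof a);
        int s = parse_strict(samples[i], b, sizeof b);
        printf("%-26s lenient=%d (%s) strict=%d\n",
               samples[i], l, l == 200 ? a : "-", s);
    }
    return 0;
}
```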