diff options
author | Stefan Fritsch <sf@apache.org> | 2012-12-30 01:23:24 +0000 |
---|---|---|
committer | Stefan Fritsch <sf@apache.org> | 2012-12-30 01:23:24 +0000 |
commit | f726113d3346126b972776296131d5b1026ce807 (patch) | |
tree | effc57d94dacd2656af76361d2f30749e076adc1 /include/http_core.h | |
parent | 304f1d01bc2e5f33c653461e4193ae1a2b0f94af (diff) | |
download | httpd-f726113d3346126b972776296131d5b1026ce807.tar.gz |
Add an option to enforce stricter HTTP conformance
This is a first stab, the checks will likely have to be revised.
For now, we check
* if the request line contains control characters
* if the request uri has fragment or username/password
* that the request method is standard or registered with RegisterHttpMethod
* that the request protocol is of the form HTTP/[1-9]+.[0-9]+,
or missing for 0.9
* if there is garbage in the request line after the protocol
* if any request header contains control characters
* if any request header has an empty name
* for the host name in the URL or Host header:
- if an IPv4 dotted decimal address: Reject octal or hex values, require
exactly four parts
- if a DNS host name: Reject non-alphanumeric characters besides '.' and
'-'. As a side effect, this rejects multiple Host headers.
* if any response header contains control characters
* if any response header has an empty name
* that the Location response header (if present) has a valid scheme and is
absolute
If we have a host name both from the URL and the Host header, we replace the
Host header with the value from the URL to enforce RFC conformance.
There is a log-only mode, but the loglevels of the logged messages need some
thought/work. Currently, the checks for incoming data log for 'core' and the
checks for outgoing data log for 'http'. Maybe we need a way to configure the
loglevels separately from the core/http loglevels.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1426877 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'include/http_core.h')
-rw-r--r-- | include/http_core.h | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/include/http_core.h b/include/http_core.h index 588a4646df..d6fb3ab357 100644 --- a/include/http_core.h +++ b/include/http_core.h @@ -671,6 +671,11 @@ typedef struct { #define AP_HTTP09_DISABLE 2 char http09_enable; +#define AP_HTTP_CONFORMANCE_UNSET 0 +#define AP_HTTP_CONFORMANCE_LIBERAL 1 +#define AP_HTTP_CONFORMANCE_STRICT 2 +#define AP_HTTP_CONFORMANCE_LOGONLY 4 + char http_conformance; } core_server_config; /* for AddOutputFiltersByType in core.c */ |