
HTTP::Daemon message header restriction causes failure with Norton Internet Security

From:
Bridget Almas
Date:
April 21, 2003 11:57
Subject:
HTTP::Daemon message header restriction causes failure with Norton Internet Security
Message ID:
555F2B7B278B5348A28F665E6B0E43A40183D2E5@exchange-slc.ut.ovid.com
The get_request() method of HTTP::Daemon (version 1.26) does not comply with
the HTTP 1.1 spec regarding the field-name component of message headers.
This is causing HTTP::Daemon to fail in environments running the Norton
Internet Security firewall product.

Per the HTTP 1.1 spec (at ftp://ftp.isi.edu/in-notes/rfc2616.txt):

  message-header = field-name ":" [ field-value ]
  field-name     = token

The HTTP 1.1 spec further defines "token" to be:

  token          = 1*<any CHAR except CTLs or separators>
  separators     = "(" | ")" | "<" | ">" | "@"
                 | "," | ";" | ":" | "\" | <">
                 | "/" | "[" | "]" | "?" | "="
                 | "{" | "}" | SP | HT

  CTL            = <any US-ASCII control character
                 (octets 0 - 31) and DEL (127)>
  SP             = <US-ASCII SP, space (32)>
  HT             = <US-ASCII HT, horizontal-tab (9)>

However, HTTP::Daemon::get_request() restricts field-names to those that
match the following regex:

  /^([\w\-]+)\s*:\s*(.*)/

This causes HTTP::Daemon to improperly truncate posts from environments
running the Norton Internet Security Firewall, which adds a header that
looks something like:  ~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~

When HTTP::Daemon::get_request() encounters this header, it assumes that it
should quit processing headers and begin processing the message body.  This
causes the remaining headers to be ignored.

The following regex fixes the problem and is in compliance with the HTTP 1.1
spec:

  m/^([^\x00-\x1f\x7f()<>@,;:\\"\/[\]?={}\x20\x09]+)\s*:\s*(.*)/

Note that the inclusion of \s* before the : is actually in violation of the
HTTP 1.1 spec, so to be in strict compliance it probably should be removed.

Bridget Almas

Ovid Technologies Inc.
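
As an added illustration (not part of the original post and not HTTP::Daemon's own code), the Perl script below runs both regexes from the post over a constructed request head whose third line imitates the firewall-inserted header. It models get_request()'s behaviour of stopping at the first non-matching line, so the original pattern loses every header after that line while the RFC 2616 token pattern consumes the whole block:

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample request head. The third line imitates a header whose
# field-name falls outside [\w\-] but is still a valid RFC 2616 token.
my @lines = (
    "Host: example.invalid",
    "Content-Length: 11",
    "~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~",
    "Content-Type: text/plain",
);

# Field-name pattern used by HTTP::Daemon 1.26 get_request(), as quoted above.
my $old_re = qr/^([\w\-]+)\s*:\s*(.*)/;

# RFC 2616 token: one or more CHARs that are neither CTLs (0-31, 127)
# nor separators. Proposed replacement from the post.
my $rfc_re = qr/^([^\x00-\x1f\x7f()<>@,;:\\"\/[\]?={}\x20\x09]+)\s*:\s*(.*)/;

# Mimic get_request(): consume header lines while they match; the first
# non-matching line ends the header block and everything after it is
# treated as message body.
sub parse_headers {
    my ($re, @hdr) = @_;
    my %h;
    while (@hdr) {
        my $line = shift @hdr;
        if ($line =~ $re) {
            $h{lc $1} = $2;
        } else {
            unshift @hdr, $line;   # put the unparsed line back
            last;
        }
    }
    return (\%h, \@hdr);           # parsed headers, leftover lines
}

for my $name ('old', 'rfc') {
    my $re = $name eq 'old' ? $old_re : $rfc_re;
    my ($h, $rest) = parse_headers($re, @lines);
    printf "%-3s: parsed %d header(s) [%s]; %d line(s) left for the body\n",
        $name, scalar(keys %$h), join(', ', sort keys %$h), scalar(@$rest);
}
```

With the old pattern only Host and Content-Length survive and two lines are pushed into the body; with the RFC pattern all four headers are parsed and nothing is left over.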