Bug 59032

Summary: mod_proxy_http replaces non compliant status-line
Product: Apache httpd-2 Reporter: Alexandre Schaff <alexandre.schaff>
Component: mod_proxy_httpAssignee: Apache HTTPD Bugs Mailing List <bugs>
Status: NEW ---    
Severity: enhancement    
Priority: P2    
Version: 2.4.17   
Target Milestone: ---   
Hardware: All   
OS: All   

Description Alexandre Schaff 2016-02-19 11:06:36 UTC
Hello,

I am using httpd as reverse_proxy with mod_proxy_http :

I stumbled upon a backend server answering http response with bogus HTTP 1.1 status-line : 'HTTP/1.1"

RFC says (https://tools.ietf.org/html/rfc7230#section-3.1.2) :
     status-line = HTTP-version SP status-code SP reason-phrase CRLF

From code review : when a response with status line that does not match HTTP/1.x RFC is received, mod_proxy_http assumes the backend is HTTP 0.9.

Result is that mod_proxy sends back the status line ( without ending CRLF) and rest of the original response from the backend ( including headers ) inside the body of a valid response with status line 200.

From dumpio output :
mod_dumpio.c(103): [remote 127.0.0.1:9991] mod_dumpio:  dumpio_in (data-HEAP): HTTP/1.1\r\n
(...)
mod_dumpio.c(103): [remote 127.0.0.1:9991] mod_dumpio:  dumpio_in (data-HEAP): HTTP/1.1
(...)
mod_dumpio.c(103): [client 127.0.0.1:12476] mod_dumpio:  dumpio_out (data-HEAP): HTTP/1.1 200 OK\r\nDate:(...)

I know Apache is proud to be RFC compliant since the start.

My queston is : do such response from backends shall still be considered HTTP 0.9 responses ? or faulty (500 status maybe ) ? or something else ?

Can it be considered a bug ? Is their space for enhancement ?

Compliancy with HTTP 0.9 is no more mandatory : https://tools.ietf.org/html/rfc7230#appendix-A.2
" The expectation to support HTTP/0.9 requests has been removed.
   (Appendix A)"

br,
Alex.
Comment 1 Michael Osipov 2019-08-02 09:32:01 UTC
I believe that Apache sholuld return BAD_GATEWAY in this case...