Bug 60863

Summary: Apache proxy cannot ignore response header validation
Product: Apache httpd-2
Reporter: Christian Pélissier <peli>
Component: mod_proxy
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Status: NEW
Severity: enhancement
CC: bjoernv, thomas.jarosch
Priority: P2
Version: 2.4.25
Target Milestone: ---
Hardware: All
OS: Linux

Description Christian Pélissier 2017-03-14 10:36:59 UTC
Using Apache proxy.

Since Apache Proxy 2.4.25 controls headers, some sites became unreachable due to incorrect cookie syntax.

I had to go back to the previous 2.4.20.

The error is related to the invalid character \x01:

AH02430: Response header 'Set-Cookie' value of '___utmvaXEuDsBI=UxE\x01hXDj; path=/; Max-Age=900' contains invalid characters, aborting request

The following URLs (most of them operated by incapdns.net) return this error:

http://www.cision.com
23gwg.x.incapdns.net.
107.154.115.114

http://academie-air-espace.com
185.11.125.199
149.126.77.65

http://www.defense.gouv.fr
yookd.x.incapdns.net.
107.154.115.47

http://www.bizjournals.com
ddc7y.x.incapdns.net.
107.154.115.27

http://correlatedsolutions.com
107.154.105.8
107.154.106.8

The directive

ProxyBadHeader          Ignore

does not solve these issues.
Comment 1 Luca Toscano 2017-03-14 11:39:28 UTC
Hi Christian,

this is probably due to https://httpd.apache.org/docs/current/mod/core.html#httpprotocoloptions, can you try to set "HttpProtocolOptions Unsafe" ?
Comment 2 Luca Toscano 2017-03-14 11:42:30 UTC
The documentation talks about "Request", but I quickly checked the code (not an authoritative answer, so don't quote me on this) and the new checks seem to be enforced for the response too.

Where does the header come from (curiosity)?
Comment 3 Luca Toscano 2017-03-20 08:37:00 UTC
Hi Christian, any update?
Comment 4 Thomas Jarosch 2017-03-30 15:13:50 UTC
After upgrading to httpd 2.4.25, I get the same "500 Internal server error".

The website pollin.de produces this error log:

Response header 'Set-Cookie' value of '___utmvaXIucook=DjJx01cqlU; path=/; Max-Age=900' contains invalid characters


-> I'll try the suggested "HttpProtocolOptions unsafe" workaround at the beginning of next week.
Comment 5 Bjoern Voigt 2018-03-21 11:56:47 UTC
"HttpProtocolOptions unsafe" did not help in my case.

Tested site: http://www.egyptindependent.com/
Apache version: 2.4.49
Environment: openSUSE Tumbleweed 20180318 x86_64

The error message is

[Wed Mar 21 12:56:12.843109 2018] [http:error] [pid 16291] [client 127.0.0.1:54552] AH02430: Response header 'Set-Cookie' value of '___utmvazVukktoB=Qhz\x01CTqM; path=/; Max-Age=900' contains invalid characters, aborting request
Comment 6 Eric Covener 2018-03-21 12:11:32 UTC
I renamed and reclassified, Some way to strip/replace would be nice, I am unsure if we want to provide an option to pass them through.   Invalid is invalid.
Comment 7 Christian Pélissier 2018-03-21 15:05:53 UTC
Here is the solution for 2.4.25 and later:

# Sites with SOH inside the cookie (incapsula.com)
# www.cision.com, www.bizjournals.com, correlatedsolutions.com
# academie-air-espace.com, www.defense.gouv.fr
# Strip the invalid SOH character (\001, i.e. \x01) from the cookie value.
# $1 = rest of the cookie name, $2 = value before the SOH,
# $3 = value after the SOH up to and including the ';', $4 = remaining attributes.
Header edit Set-Cookie ___utmv(.*)=(.*)\001([^;]*;)(.*) ___utmv$1=$2$3$4

# Sites with syntactically incorrect headers such as:
# http://technopress.kaist.ac.kr/
Header unset 'Pragma :'
Header unset 'P3P :'
# http://www.anrt.asso.fr/
Header unset 'Expires :'
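As an added example (not from this bug report and not httpd code): a small Python script that reproduces the kind of field-value check the AH02430 messages in this thread describe, and applies the same SOH-stripping rewrite as the Header edit rule above to the cookie values quoted in the log lines. The allowed character set is taken from the RFC 7230 field-content grammar (HTAB, SP, VCHAR 0x21-0x7E, obs-text 0x80-0xFF); it is an approximation of what httpd enforces, not its implementation. The sample Set-Cookie values are constructed from the log lines quoted in comments 0 and 5, and a general "drop every invalid byte" fallback is shown alongside the cookie-specific rule because the Header edit only covers ___utmv* cookies.

```python
import re

# Field-content grammar from RFC 7230 section 3.2: HTAB, SP, VCHAR and obs-text.
# Every other byte (all other C0 controls, DEL) makes the header value invalid.
# Assumption: this approximates the check behind AH02430; it is not httpd's code.
_INVALID_FIELD_CHAR = re.compile(rb"[^\t\x20-\x7e\x80-\xff]")


def find_invalid_chars(value: bytes) -> list:
    """Return (offset, byte) pairs for every byte that is not valid field-content."""
    return [(m.start(), m.group()) for m in _INVALID_FIELD_CHAR.finditer(value)]


def is_valid_field_value(value: bytes) -> bool:
    return not _INVALID_FIELD_CHAR.search(value)


# Same transformation as the mod_headers rule in the comment above:
# remove a single SOH (\x01) from the value part of a ___utmv* cookie while
# keeping the cookie name and all attributes (path=, Max-Age=, ...) intact.
_UTMV_SOH = re.compile(rb"(___utmv[^=]*=)([^;\x01]*)\x01([^;]*)(.*)", re.DOTALL)


def strip_soh_from_utmv(set_cookie: bytes) -> bytes:
    """Drop the SOH from a ___utmv cookie value; other header values pass through."""
    return _UTMV_SOH.sub(rb"\1\2\3\4", set_cookie)


def sanitize_field_value(value: bytes) -> bytes:
    """Generic fallback: remove every byte the field-content grammar forbids."""
    return _INVALID_FIELD_CHAR.sub(b"", value)


# Constructed samples, copied from the AH02430 log lines quoted in this thread
# (the '\x01' escape in the log is the literal SOH byte on the wire).
SAMPLES = [
    b"___utmvaXEuDsBI=UxE\x01hXDj; path=/; Max-Age=900",
    b"___utmvazVukktoB=Qhz\x01CTqM; path=/; Max-Age=900",
    b"sessionid=abc123; path=/; HttpOnly",  # valid cookie, must pass unchanged
]


def check_and_fix(values):
    """Return (original, invalid positions, rewritten, rewritten is valid) per value."""
    report = []
    for v in values:
        fixed = strip_soh_from_utmv(v)
        report.append((v, find_invalid_chars(v), fixed, is_valid_field_value(fixed)))
    return report


if __name__ == "__main__":
    for original, bad, fixed, ok in check_and_fix(SAMPLES):
        status = "invalid" if bad else "valid"
        print(f"{status:7} {original!r}")
        if bad:
            print(f"        bad bytes at {bad}")
            print(f"        rewritten -> {fixed!r} (valid: {ok})")
```

Run it and the two Incapsula-style cookies are reported as invalid at the SOH offset and come back clean after the rewrite, while the ordinary cookie is untouched; `sanitize_field_value` gives the same result for these inputs but would also catch control characters outside ___utmv cookies, which the Header edit rule does not.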