| Summary: | Apache proxy cannot ignore response header validation | | |
|---|---|---|---|
| Product: | Apache httpd-2 | Reporter: | Christian Pélissier <peli> |
| Component: | mod_proxy | Assignee: | Apache HTTPD Bugs Mailing List <bugs> |
| Status: | NEW --- | | |
| Severity: | enhancement | CC: | bjoernv, thomas.jarosch |
| Priority: | P2 | | |
| Version: | 2.4.25 | | |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
Description

Christian Pélissier, 2017-03-14 10:36:59 UTC

Hi Christian, this is probably due to https://httpd.apache.org/docs/current/mod/core.html#httpprotocoloptions, can you try to set "HttpProtocolOptions Unsafe"? The documentation talks about "Request" but I quickly checked the code (not an authoritative answer, so don't quote me on this) and the new checks seem to be enforced for the response too. Where does the header come from (curiosity)?

Hi Christian, any update?

After upgrading to httpd 2.4.25, I get the same "500 Internal server error". The website pollin.de produces this error log:

```
Response header 'Set-Cookie' value of '___utmvaXIucook=DjJx01cqlU; path=/; Max-Age=900' contains invalid characters
```

-> I'll try the suggested "HttpProtocolOptions unsafe" workaround at the beginning of next week.

"HttpProtocolOptions unsafe" did not help in my case.
Tested site: http://www.egyptindependent.com/
Apache version: 2.4.49
Environment: openSUSE Tumbleweed 20180318 x86_64
The error message is:

```
[Wed Mar 21 12:56:12.843109 2018] [http:error] [pid 16291] [client 127.0.0.1:54552] AH02430: Response header 'Set-Cookie' value of '___utmvazVukktoB=Qhz\x01CTqM; path=/; Max-Age=900' contains invalid characters, aborting request
```

I renamed and reclassified. Some way to strip/replace would be nice; I am unsure if we want to provide an option to pass them through. Invalid is invalid.

Here is the solution for 2.4.25 and later:

```apache
# Sites with SOH inside the cookie (incapsula.com)
# www.cision.com, www.bizjournals.com, correlatedsolutions.com
# academie-air-espace.com, www.defense.gouv.fr
# Remove the invalid SOH character (\001, i.e. \x01) from the cookie value.
# Group 3 already ends with the ';', so the replacement must not add a second one.
Header edit Set-Cookie ___utmv(.*)=(.*)\001([^;]*;)(.*) ___utmv$1=$2$3$4
# Sites with syntactically incorrect headers such as:
# http://technopress.kaist.ac.kr/
Header unset 'Pragma :'
Header unset 'P3P :'
# http://www.anrt.asso.fr/
Header unset 'Expires :'
```