Bug 62440

Summary: When exporting request headers to HTTP_* environment variables, drop TOO DRASTICALLY variables
Product: Apache httpd-2
Reporter: Mathieu CARBONNEAUX <info-apache>
Component: Core
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Status: NEW ---    
Severity: regression    
Priority: P2    
Version: 2.4.33   
Target Milestone: ---   
Hardware: PC   
OS: Linux   

Description Mathieu CARBONNEAUX 2018-06-08 16:40:57 UTC
Apache implements the HTTP header to HTTP_* variable mapping of the CGI RFC:
https://tools.ietf.org/html/rfc3875#section-4.1.18 

In Apache 2.3.11 you drastically changed the generation of HTTP_ variables from HTTP headers.
https://github.com/apache/httpd/commit/c291b461180994410593a8fc7541c4ef12e3b634 

I think this is too drastic with regard to the HTTP standard.
https://stackoverflow.com/questions/47687379/what-characters-are-allowed-in-http-header-values?utm_medium=organic&utm_source=google_rich_qa&utm_campaign=google_rich_qa

I have many headers sent to an application in PHP with the mod_php SAPI, which searches the HTTP_* variables for this information.
The HTTP header names look like AA_BBBBBBBBB, and with this code they are silently dropped... because they use "_" in place of the only separator accepted in the code, "-"...

The documentation explains a solution to circumvent this, but only for the field content, not for the field name...
http://httpd.apache.org/docs/current/en/env.html#examples 

HTTP RFC 7230 clarifies which characters can be used:
https://tools.ietf.org/html/rfc7230#section-3.2.6 
https://tools.ietf.org/html/rfc7230#section-3.2 

     field-name     = token

     token          = 1*tchar

     tchar          = "!" / "#" / "$" / "%" / "&" / "'" / "*"
                    / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~"
                    / DIGIT / ALPHA
                    ; any VCHAR, except delimiters

The char "_" is authorized in field names, so why drop this char and transform "-" into "_"?
Why not simply leave it as is?
Why not replace all authorized characters with "_" instead of removing the variable completely?

The CGI RFC says:
   The server MUST, if necessary, change the representation of the data (for example, the
   character set) to be appropriate for a CGI meta-variable.

Or make it possible to override this when necessary?!


In server/util_script.c:

     while ((c = *w++) != 0) {
-        if (!apr_isalnum(c)) {
+        if (apr_isalnum(c)) {
+            *cp++ = apr_toupper(c);
+        }
+        else if (c == '-') {
             *cp++ = '_';
         }
         else {
-            *cp++ = apr_toupper(c);
+            return NULL;
         }
     }
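
Review bot: the final `else` branch at `return NULL;` rejects the whole header name on the first character that is neither alphanumeric nor `-`, and nothing in this hunk logs or otherwise records the rejection, so a dropped header is invisible to the operator. Consider emitting a debug-level log line naming the rejected header before returning, and add a comment above the loop stating why `_` is not passed through (it would produce the same variable name as a header spelled with `-`, since `-` is written as `_` two lines earlier).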



Why not extend

 else if (c == '-') {

to other characters like this:

 if (strchr("!#$%&'*+-.^`|~",c) != NULL) { 

and add 

 else if (c == '_') {
    *cp++ = c;
 }
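
Added example, not part of the original report and not httpd source: a stand-alone C sketch of the two name mappings in the hunk above (the removed "fold every non-alphanumeric to `_`" behaviour and the added "accept only `-`, otherwise drop" behaviour), with a check for whether two distinct header names end up on the same HTTP_* variable. The function names and the header names `Aa-Bbb` / `Aa_Bbb` are constructed for illustration; passing `_` through while still writing `-` as `_`, as proposed above, gives the same result as the permissive mapper for these two names.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Illustration only; all function names here are hypothetical. */
typedef int (*mapper_fn)(const char *hdr, char *out, size_t outlen);

/* Shared loop: alnum -> upper case, '-' -> '_'. Any other byte is either
 * folded to '_' (permissive, the removed lines of the hunk) or causes the
 * header to be dropped (strict, the added lines). Returns 0 or -1. */
int map_name(const char *hdr, char *out, size_t outlen, int permissive)
{
    size_t n = 5;
    if (*hdr == '\0' || outlen < strlen(hdr) + 6)
        return -1;
    memcpy(out, "HTTP_", 5);            /* prefix per RFC 3875 4.1.18 */
    for (; *hdr != '\0'; hdr++) {
        unsigned char c = (unsigned char)*hdr;
        if (isalnum(c))
            out[n++] = (char)toupper(c);
        else if (c == '-' || permissive)
            out[n++] = '_';
        else
            return -1;                  /* strict: header is not exported */
    }
    out[n] = '\0';
    return 0;
}

int strict_env_name(const char *h, char *o, size_t l)     { return map_name(h, o, l, 0); }
int permissive_env_name(const char *h, char *o, size_t l) { return map_name(h, o, l, 1); }

/* 1 if both names are exported and land on the same variable name. */
int names_collide(mapper_fn map, const char *a, const char *b)
{
    char ea[128], eb[128];
    if (map(a, ea, sizeof ea) != 0 || map(b, eb, sizeof eb) != 0)
        return 0;
    return strcmp(ea, eb) == 0;
}

int main(void)
{
    /* Constructed header names in the style the report describes. */
    const char *dash = "Aa-Bbb", *under = "Aa_Bbb";
    printf("permissive collides: %d\n", names_collide(permissive_env_name, dash, under));
    printf("strict collides:     %d\n", names_collide(strict_env_name, dash, under));
    return 0;
}
```

Under the permissive mapping an application reading HTTP_AA_BBB cannot tell which of the two request headers supplied the value; under the strict mapping only the `-` spelling is exported.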