Bug 44477 - Apache accepts lowercase input
Summary: Apache accepts lowercase input
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: Core
Version: 2.2.8
Hardware: PC other
Importance: P2 minor
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Keywords: RFC
Depends on:
Reported: 2008-02-24 04:11 UTC by David Lindsay
Modified: 2008-02-24 13:48 UTC

Description David Lindsay 2008-02-24 04:11:42 UTC
[Note that the case (i.e. UPPER- or lowercase) of text in "double quotes" should
be paid attention to in this ticket.]

Apache's directory redirection engine accepts lowercase input.

To reproduce behavior (confirmed by one other person):

#1. Create the folder "/foo" (or whatever, the directory name doesn't matter) on
any server.
#2. Telnet or use "nc" to connect to your server. Be sure to specify port 80.
#3. Send "get /foo" and Apache will return the standard 301 "this is located at
/foo/" (note the trailing slash).
#4. Now send "get /foo/" and notice how Apache sends a 501 - "Not Implemented."
#5. Finally, send "GET /foo/" and you will receive the correct response.

To expound/recap/emphasize, the bug appears in #3, where Apache returns 301 -
"Moved Permanently" after a lowercase command was sent, instead of returning
501, which it should do to be standards conformant.

Note that Apache will send a 501 if you send "get /thisdirdoesntexist", where
'thisdirdoesntexist' is a directory on the server that, well, doesn't exist.
This has only been tested on my system, and not tested elsewhere.

Comment 1 Joshua Slive 2008-02-24 13:48:14 UTC
What standard exactly is being violated here?

Some of your assumptions are wrong. When Apache sees "get /foo" it treats it
exactly like "BAR /foo". In other words, it treats it as an unknown method
acting on an improperly-canonicalized directory. It is not doing a
case-insensitive match on GET.

So what is happening is that Apache ignores the method entirely when it receives
a request for an improperly-canonicalized directory and simply sends the
redirect. In the case of "BAR /foo", Apache doesn't even try to determine
whether the resource /foo will actually deal with the method BAR. Trying to
check this would add considerable complexity for very little gain.

And by the way, "get /foo" and even "GET /foo/" are not correct requests in any
recent version of HTTP. If you are testing protocol compliance, you should start
with a reasonable request.
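
The following is an added example, not part of the bug thread and not Apache httpd source code: a simplified Python model of the processing order described in Comment 1, run against the request lines from the report. The method set, the sample directory table and the function names are assumptions made for illustration.

```python
# Simplified model of the ordering described in Comment 1; not Apache httpd code.
KNOWN_METHODS = {"GET", "HEAD", "POST", "OPTIONS"}  # assumed subset, matched case-sensitively
DIRECTORIES = {"/foo"}  # constructed sample tree, stored without the trailing slash


def parse_request_line(line):
    """Split 'METHOD target [HTTP-version]' without normalising case."""
    parts = line.strip().split()
    if len(parts) not in (2, 3):
        raise ValueError("malformed request line: %r" % line)
    method, target = parts[0], parts[1]
    version = parts[2] if len(parts) == 3 else None  # None: no version sent, as in the report
    return method, target, version


def respond(line):
    """Return (status, location) for one request line under the modelled ordering."""
    method, target, _version = parse_request_line(line)
    # Step 1: a directory requested without its trailing slash is redirected
    # before the method is examined at all.
    if target in DIRECTORIES:
        return 301, target + "/"
    # Step 2: exact, case-sensitive method match, so "get" is as unknown as "BAR".
    if method not in KNOWN_METHODS:
        return 501, None
    # Step 3: resource lookup for canonical directory URLs.
    if target.endswith("/") and target.rstrip("/") in DIRECTORIES:
        return 200, None
    return 404, None


def run_report_cases():
    """Evaluate the request lines quoted in the description and in Comment 1."""
    cases = ["get /foo", "get /foo/", "GET /foo/",
             "get /thisdirdoesntexist", "BAR /foo"]
    return {case: respond(case) for case in cases}


if __name__ == "__main__":
    for line, result in run_report_cases().items():
        print("%-26s -> %s" % (line, result))
```

In this model "get /foo" and "BAR /foo" take the same path, which is why the 301 does not indicate a case-insensitive match on GET.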