Bug 49416 - Access log bypass and missing HTTP headers
Summary: Access log bypass and missing HTTP headers
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: Core (show other bugs)
Version: 2.2.12
Hardware: PC Linux
: P2 major (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Depends on:
Reported: 2010-06-09 11:22 UTC by floyd
Modified: 2010-06-09 12:43 UTC (History)
0 users

Example for null character in URL and missing response headers (2.52 KB, application/octet-stream)
2010-06-09 11:22 UTC, floyd

Note You need to log in before you can comment on or make changes to this bug.
Description floyd 2010-06-09 11:22:18 UTC
Created attachment 25569 [details]
Example for null character in URL and missing response headers

When sending the ASCII control character null (hexadecimal 00) in a URI, apache does return a HTTP entity (the HTML code), but no HTTP headers. Additionally the URI is truncated (the null and everything after it is missing).

If you have a local apache running, try this python script (you need to have a index.html or index.php in your root directory):

import urllib2
print 'Valid request:'
print urllib2.urlopen('http://localhost/?abc=123&def=456_VALID').read()
print ''
print 'Invalid request:'
print urllib2.urlopen('http://localhost/?abc=123'+chr(0)+'&def=456_INVALID').read()

The apache access.log will look like this:

::1 - - [09/Jun/2010:16:44:41 +0200] "GET /?abc=123&def=456_VALID HTTP/1.1" 200 321 "-" "Python-urllib/2.6"
::1 - - [09/Jun/2010:16:44:41 +0200] "GET /?abc=123" 200 94 "-" "-"

As you can see in the appended wireshark (libpcap), the headers for the second response are missing!

It works on remote (not localhost) apache servers as well.

Comment 1 Eric Covener 2010-06-09 12:43:02 UTC
The null in the invalid URL causes the request line to be terminated before the rest of the URL or the protocol.  The response (no headers) is "HTTP 0.9" described here: