Bug 60863 - Apache proxy cannot ignore response header validation
Summary: Apache proxy cannot ignore response header validation
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_proxy (show other bugs)
Version: 2.4.25
Hardware: All Linux
: P2 enhancement (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-03-14 10:36 UTC by Christian Pélissier
Modified: 2018-03-21 15:05 UTC (History)
2 users (show)



Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Christian Pélissier 2017-03-14 10:36:59 UTC
Using Apache proxy.

Since Apache Proxy 2.4.25 control Headers some sites became unreachable due to incorrect Cookie syntax.

I have to return to previous 2.4.20

The error is related to \x01 invalid character :

AH02430: Response header 'Set-Cookie' value of '___utmvaXEuDsBI=UxE\x01hXDj; path=/; Max-Age=900' contains invalid characters, aborting request

The following url (most of them operated by incapdns.net return this error)

http://www.cision.com
23gwg.x.incapdns.net.
107.154.115.114

http://academie-air-espace.com
185.11.125.199
149.126.77.65

http://www.defense.gouv.fr
yookd.x.incapdns.net.
107.154.115.47

http://www.bizjournals.com
ddc7y.x.incapdns.net.
107.154.115.27

http://correlatedsolutions.com
107.154.105.8
107.154.106.8

The Directive
ProxyBadHeader          Ignore

do not solve theses issues.
Comment 1 Luca Toscano 2017-03-14 11:39:28 UTC
Hi Christian,

this is probably due to https://httpd.apache.org/docs/current/mod/core.html#httpprotocoloptions, can you try to set "HttpProtocolOptions Unsafe" ?
Comment 2 Luca Toscano 2017-03-14 11:42:30 UTC
The documentation talks about "Request" but I quickly checked the code (not authoritative answer to don't quote me on this) and the new checks seems to be enforced for the response too.

Where does the header come from (curiosity)?
Comment 3 Luca Toscano 2017-03-20 08:37:00 UTC
Hi Christian, any update?
Comment 4 Thomas Jarosch 2017-03-30 15:13:50 UTC
after upgrading to httpd 2.4.25, I get the same "500 Internal server error".

The website pollin.de produces this error log:

Response header 'Set-Cookie' value of '___utmvaXIucook=DjJx01cqlU; path=/; Max-Age=900' contains invalid characters


-> I'll try the suggested "HttpProtocolOptions unsafe" workaround at the beginning of next week.
Comment 5 Bjoern Voigt 2018-03-21 11:56:47 UTC
"HttpProtocolOptions unsafe" did not help in my case.

Tested site: http://www.egyptindependent.com/
Apache version: 2.4.49
Environment: openSUSE Tumbleweed 20180318 x86_64

The error message is

[Wed Mar 21 12:56:12.843109 2018] [http:error] [pid 16291] [client 127.0.0.1:54552] AH02430: Response header 'Set-Cookie' value of '___utmvazVukktoB=Qhz\x01CTqM; path=/; Max-Age=900' contains invalid characters, aborting request
Comment 6 Eric Covener 2018-03-21 12:11:32 UTC
I renamed and reclassified, Some way to strip/replace would be nice, I am unsure if we want to provide an option to pass them through.   Invalid is invalid.
Comment 7 Christian Pélissier 2018-03-21 15:05:53 UTC
Here are the solution for 2.4.25 and later

# Sites with SOH inside the cookie (incapsula.com)
# www.cision.com, www.bizjournals.com, correlatedsolutions.com
# academie-air-espace.com, www.defense.gouv.fr
# Suppresion du caractere SOH \001 ou \x01 invalide dans un cookie
Header edit Set-Cookie ___utmv(.*)=(.*)\001([^;]*;)(.*) ___utmv$1=$2$3;$4

# Sites avec headers syntaxiquement incorrects comme :
# http://technopress.kaist.ac.kr/
Header unset 'Pragma :'
Header unset 'P3P :'
# http://www.anrt.asso.fr/
Header unset 'Expires :'