Bug 66642 - invalid response treated as http/0.9 by proxy
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: Core
Version: 2.4-HEAD
Hardware: PC Mac OS X 10.1
Importance: P2 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Reported: 2023-06-12 03:59 UTC by shashank
Modified: 2023-06-14 06:19 UTC
Description shashank 2023-06-12 03:59:46 UTC
I have a sample Python app running as a Docker container and configured with Apache 2.4 and OpenSSL (python-server.py):
This is a good-response:
```
curl -ik --cert '<your cert>'  https://<app-host-name>/good  --resolve <app-host-name>:443:<ip>

HTTP/1.1 404 Not Found
Date: Fri, 14 Apr 2023 08:06:14 GMT
Server: Apache/2.4.53 (Unix) OpenSSL/3.0.7+
Transfer-Encoding: chunked

This is the good page.%
```
This is a bad-response:
```
curl -ik --cert '<your cert>'  https://<app-host-name>/bad  --resolve <app-host-name>:443:<ip>

HTTP/1.1 200 OK
Date: Fri, 14 Apr 2023 08:18:02 GMT
Server: Apache/2.4.53 (Unix) OpenSSL/3.0.7+
Transfer-Encoding: chunked

HTTP/1.0 b'404 Not Found'
This is the bad page.%
```
This is a malformed response since it contains b' in the response body.
Comment 1 Eric Covener 2023-06-13 11:22:19 UTC
What's wrong with b' in a response body?
Comment 2 shashank 2023-06-13 16:50:35 UTC
Apache should return whatever response it gets from the app side. Because of the presence of the b' in the response body, Apache is not able to understand or parse that and by default it's returning 200. It should have actually returned 404 not found since the actual response from the app is 404.
Note the "b" in front of '404 Not Found'. The "b" is Python's syntax for binary data. However, the binary data representation should not bleed through into the HTTP response.
Comment 3 Eric Covener 2023-06-13 17:08:49 UTC
(In reply to shashank from comment #2)
> Apache should return whatever response it gets from the app side. Because of
> the presence of the b' in the response body, Apache is not able to understand
> or parse that and by default it's returning 200. It should have actually
> returned 404 not found since the actual response from the app is 404.
> Note the "b" in front of '404 Not Found'. The "b" is Python's syntax for
> binary data. However, the binary data representation should not bleed
> through into the HTTP response.

Apache doesn't parse the body.  Please capture the raw bytes of the complete backend response and attach it here.
Comment 4 shashank 2023-06-13 17:52:20 UTC
This is the info related to app:
https://github.com/hmshashank/malformed-http

This is the related Discussion we opened in github:
https://github.com/apache/airflow/issues/29167

This is the only info I could capture from the logs for both /good and /bad request:
```
cat malformed-http_apache2_ssl_request.log
192.168.8.1 - - [13/Jun/2023:17:51:14 +0000] "GET /good HTTP/1.1" 404 22 "-" "curl/7.71.1-DEV" "-" 745
192.168.8.1 - - [13/Jun/2023:17:51:23 +0000] "GET /bad HTTP/1.1" 200 48 "-" "curl/7.71.1-DEV" "-" 807
```
Comment 5 Eric Covener 2023-06-13 17:59:58 UTC
When the status line is invalid, Apache interprets it as an http/0.9 response which means the response is the body.  It should probably not accept these by default.
Comment 6 Ruediger Pluem 2023-06-14 06:19:18 UTC
I guess we need to have an option to deny HTTP/0.9 responses. I am not sure if we could disable them by default for compatibility reasons.
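
The fallback described in comment 5 and the stricter handling suggested in comment 6, as an added example that is not part of this bug thread and is not Apache httpd's code. It is a simplified model: `relay` and its `allow_http09` switch are hypothetical names, and the two backend responses are constructed (the raw backend bytes are not on this page) so that the relayed body sizes match the 22 and 48 bytes in the access log from comment 4.

```python
import re

# RFC 9112 status line: HTTP-version SP status-code SP [reason-phrase]
STATUS_LINE = re.compile(rb"HTTP/\d\.\d (\d{3})(?: [^\r\n]*)?")

# Constructed backend responses; the raw backend bytes are not on the page.
GOOD = b"HTTP/1.0 404 Not Found\r\nContent-Type: text/plain\r\n\r\nThis is the good page."
BAD = b"HTTP/1.0 b'404 Not Found'\r\nThis is the bad page."


def relay(raw: bytes, allow_http09: bool = True):
    """Return (status, body) a client would receive for backend bytes `raw`.

    Simplified model of the fallback described in comment 5, not httpd's
    parser. `allow_http09` is a hypothetical switch, not an httpd directive.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    first_line = head.split(b"\r\n", 1)[0]
    match = STATUS_LINE.fullmatch(first_line)
    if match:
        # Well-formed status line: the backend's own status is forwarded.
        return int(match.group(1)), body
    if allow_http09:
        # HTTP/0.9 has no status line or headers, so every backend byte
        # becomes body and the proxy supplies its own 200.
        return 200, raw
    # Strict mode: an unparsable status line is treated as a gateway error.
    return 502, b""


if __name__ == "__main__":
    for name, raw in (("good", GOOD), ("bad", BAD)):
        for allow in (True, False):
            status, body = relay(raw, allow_http09=allow)
            print(f"{name:4} allow_http09={allow!s:5} -> {status} ({len(body)} bytes)")
```

With the fallback enabled, the backend's intended 404 reaches the client as a 200 whose body starts with the malformed status line, so anything keyed on the proxy's status code (caching, monitoring, access rules) sees success.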